This section describes the syntax and usage of each CLI command. The commands are listed in alphabetical order.
Some commands (e.g., ) require a URL argument to identify a remote file or directory. The format for a URL argument is:
scheme://[username[:password]@]host[:port]/[path]
Supported schemes for most commands are http, https, ftp, ftps, sftp, scp, smb, and tftp.
The host parameter may be an IP address or a domain name.
The optional port parameter is not supported on all protocols.
Information on the available options for a CLI command can be obtained by ending a partial command line with a question mark (“?”). This will cause the CLI to print out the available options for the remainder of the command line.
For example:
>backup ?
interval <secs> File rotation interval
url <URL> File upload URL
>backup url ?
url <URL> File upload URL
A CLI command line with only a question mark will result in a list of all CLI commands available to the user.
This is the Command Line Interface (CLI) reference guide for Island Router firmware version 2.3.2.
The Command Line Interface (CLI) provides a low-level interface for the configuration and monitoring of the Island router. It is accessed via the SSH protocol on TCP port 22. On some Island models, the CLI can also be accessed through a serial port.
When logging in to the CLI, two different user names are available: “admin” and “user”. The admin account has full privileges and access to all CLI commands. The user account is a read-only account which cannot access any commands that change the system configuration.
CLI command names and most keywords can be abbreviated using the shortest unique prefix. For example, show interface summary can be abbreviated as sh int sum or even sh in su, but not as s int sum since the leading "s" is ambiguous.
Before the CLI can be accessed, the SSH password must be set via the Island app. This sets the password for the “admin” user. The password for the “user” login can be set by the admin user using the CLI command.
The CLI can also be accessed using SSH public key authentication. Authorized keys can be configured using the CLI command.
Most CLI commands take effect immediately when issued, but are not saved to non-volatile storage until the command is issued. In other words, the command makes the current running configuration permanent by copying it to the startup configuration. Note, however, that any configuration changes made through the app cause the running configuration to be immediately saved to non-volatile storage, including any changes made using the CLI.
The auto-update command controls whether the Island will automatically update its firmware to the latest available version, and when the updates will occur.
In general, clear text passwords such as in a URL argument are stored internally in an encrypted form so that they are unreadable when the system configuration is displayed. In some cases, an entire command parameter may be encrypted when there is special sensitivity involved. Encrypted strings begin with a tilde (“~”) character.
The system supports SSH public key authentication for all commands that use the SSH protocol, including the ssh command and any file transfer commands using the scp and sftp schemes. This eliminates the need to specify passwords inside a URL.
The command can be used to obtain the user’s public key from the local system so that it can be added to the list of authorized keys on the remote system.
Set the time of day to perform automatic updates of the system firmware
hh
The hour of the day (local system time) in the range 0 to 23.
mm
The minute within the hour (local system time) in the range 0 to 59.
Updates will be performed at 3:00 AM local time on any day of the week by default.
This command specifies the time of day at which the Island will automatically update to the latest firmware.
Sets how often an automatic system backup is performed.
no
(Optional) Returns the backup interval to its default value.
seconds
The interval at which the backup file should be written, in seconds.
The interval defaults to 3600 seconds (1 hour).
This command determines how often automatic system backups will be performed.
The system aligns the start time for the backup process relative to midnight on the day the command is issued or the system reloaded. For example, if the interval is set to 8 hours, backups will occur at 12 AM, 8 AM, and 4 PM every day. If the interval is set to 18 hours, backups will occur at 12 AM and 6 PM on the first day, and 12 PM and 6 AM on the second day, then repeat.
Refer to the section for more information.
The backup command configures automatic backups of the Island configuration and statistics to a remote file server.
Returns an Island to factory-default condition.
This command has no arguments.
This command returns an Island to a factory-fresh condition. All configuration, logs, statistics, and security keys will be deleted. The current firmware version will be retained, but all rollback checkpoints will be deleted.
The user will be prompted for confirmation before the command is executed.
When this command completes, the system will power off automatically. Power must be removed and re-applied in order to restart the system.
Certain commands (e.g., ) cause an action to occur at regular intervals. In most cases, the start time is not specified by the user, but is calculated by the system. In those cases, the actual clock times for command execution are calculated based on midnight (local system time) on the day the command was issued. For intervals of one week or greater, the times are calculated based on midnight (00:00) Wednesday.
Examples:
4 hours: 00:00, 04:00, 08:00, 12:00, 16:00, and 20:00 each day
18 hours: 00:00 and 18:00 on the first day and 12:00 on the second day
36 hours: 00:00 on the first day and 12:00 on the second day
9 days: Every 9 days starting at 00:00 on Wednesday
Enables the automatic backup function and specifies the destination of the backup file.
no
(Optional) Disables automatic backup.
url
Specifies the backup file destination.
No automatic backup is performed by default.
The backup URL can refer to either a remote file or remote directory. If the URL ends in any character other than a slash (“/”), it is assumed to refer to a file name. The backup is written to that file, overwriting it if it already exists.
If the URL ends in a slash, the system assumes it is pointing to a directory. In this case, the system will create a new file with the following format: hostname-YYYYMMDD-HHMMSS.backup.
If the URL contains a password, it is encrypted so that it is not readable in the configuration file.
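A pre-flight check for URL arguments, added here as an example and not part of the Island firmware or documentation: it applies the URL format, the scheme list, the trailing-slash rule of the backup url command, and the tilde convention for encrypted strings described in this guide. The sample arguments, the finding names, and the assumption that an encrypted password appears in the password position of the URL are constructed for illustration.

```python
from urllib.parse import urlsplit

# Schemes named in this guide, grouped by what the transport protects.
ENCRYPTED = {"https", "ftps", "sftp", "scp"}
CLEARTEXT = {"http", "ftp", "tftp", "tcp", "udp"}   # tcp/udp: history streaming
SSH_BASED = {"sftp", "scp"}                          # public key auth available
SUPPORTED = ENCRYPTED | CLEARTEXT | {"smb"}

SAMPLES = [  # constructed arguments, not taken from a real configuration
    "ftp://backup:hunter2@192.0.2.10/island.backup",
    "scp://backup@files.example.net/backups/",
    "sftp://backup:~3fA9c0@files.example.net/backups/",
    "tftp://192.0.2.10/island.backup",
]


def audit_url(arg):
    """Return (target, findings) for one URL argument.

    target is "file", "directory", "opaque" or "invalid".
    """
    if arg.startswith("~"):
        # Encrypted strings begin with a tilde; nothing to inspect offline.
        return "opaque", []
    try:
        parts = urlsplit(arg)
        parts.port                      # raises ValueError on a bad port
    except ValueError:
        return "invalid", ["bad-url"]
    scheme = parts.scheme.lower()
    if scheme not in SUPPORTED or not parts.hostname:
        return "invalid", ["bad-url"]

    findings = []
    if scheme in CLEARTEXT:
        findings.append("cleartext-transport")
    if scheme == "tftp":
        findings.append("no-authentication")
    if scheme == "smb":
        findings.append("encryption-depends-on-server")
    if parts.password is not None:
        if parts.password.startswith("~"):
            # Assumption: the stored form keeps the URL shape, password encrypted.
            findings.append("password-stored-encrypted")
        else:
            findings.append("password-typed-in-clear")
        if scheme in CLEARTEXT:
            findings.append("password-exposed-on-wire")
        if scheme in SSH_BASED:
            findings.append("prefer-ssh-public-key")
    # Trailing slash: directory, the router generates the file name.
    # Anything else: one file, overwritten on every backup.
    target = "directory" if arg.endswith("/") else "file"
    if target == "file":
        findings.append("overwritten-each-run")
    return target, findings


def audit_all(urls=SAMPLES):
    """Audit several arguments; keys are list positions, not the URLs."""
    return {i: audit_url(u) for i, u in enumerate(urls)}


if __name__ == "__main__":
    for i, (target, findings) in audit_all().items():
        parts = urlsplit(SAMPLES[i])
        # Print scheme and host only so the password never reaches the output.
        print(f"{parts.scheme}://{parts.hostname}  [{target}]  "
              f"{', '.join(findings) or 'no findings'}")
```
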
Set the day(s) of the week to perform automatic updates of the system firmware
all
Specifies that updates may occur on any day of the week. Mutually exclusive with none and <day>.
none
Disables automatic updates. Mutually exclusive with all and <day>.
day
Specifies that updates may occur only on the specified day(s) of the week. Must be one of monday, tuesday, wednesday, thursday, friday, saturday, or sunday. Multiple days may be specified separated by spaces. Mutually exclusive with all and none.
Updates will be performed at 3:00 AM local time on any day of the week by default.
The Island periodically checks to see if newer firmware is available. This command sets the day(s) of the week on which new firmware is allowed to be automatically installed.
Firmware updates may or may not interrupt packet routing, depending on the nature and extent of the update. Some updates will not interrupt routing at all, some may cause a short (5-10 second) interruption, and some may require a full reboot of the router.
Refer to the page for more information on the syntax of the url parameter.
If automatic updates are disabled using the command auto-update days none, the Island will still periodically check for firmware updates, and the app will indicate that newer firmware is available, but it will not be installed automatically. In this case, the user can install the update using the command or the Island app.
Regenerates local SSH client keys.
admin
Regenerate keys for the admin user
user
Regenerate keys for the read-only user.
If neither admin nor user is specified, the keys for both users are regenerated.
This command is used to delete and regenerate the local SSH client keys.
SSH client keys can be used for public key authentication with the ssh command as well as commands that use the scp protocol (e.g., write net scp://…).
Delete all existing firewall state table entries.
This command has no arguments.
This command deletes all existing connections (i.e., firewall state table entries). It is primarily for testing, and should be used with care since it will immediately terminate all active Internet connections through the Island.
Regenerates the local SSH host keys.
If no options are specified, all SSH host key types are regenerated.
This command is used to delete and regenerate the local SSH host keys.
The host keys are used by remote clients to authenticate connections to the local system.
ed25519
Regenerate the ED25519 host key.
rsa
Regenerate the RSA host key.
Deletes a crash dump file, or all crash dump files.
file
Deletes the specified dump file
all
Deletes all dump files
None; a file name or all must be specified.
Dump files are created when a software module terminates unexpectedly. They may be analyzed by Island support to determine the cause of a failure. This command is used to delete dump files that are no longer needed.
Delete the SSH host key for a remote host or for all remote hosts.
host
The host for which the SSH key is to be deleted.
all
Deletes the SSH host key for all known hosts.
None; either a host or all must be specified.
This command allows the user to delete the remote SSH host key for a single host, or for all known hosts.
Deletes a system log file.
directory
(Optional) The log directory containing the log file.
file
The name of the file to be deleted.
If is not specified, the top-level log directory is assumed.
This command deletes a system log file.
To see a list of system log files, use the show syslog ? command.
This command deletes all configuration information, both learned and manually-configured, from all network interfaces and sets the to full.
The user will be prompted before the command is executed unless command confirmation has been disabled with .
Compacts the internal database to reclaim unusable space.
This command has no arguments.
The space used by deleted records within the internal database is not always immediately reusable due to the nature of the database. Over time, the database can accumulate a significant amount of unusable space, resulting in decreased performance and additional disk space usage.
This command reclaims the unusable space within the database by rebuilding it.
Removes an installable package from the system.
name
The name of the package to be deleted
None; a package name must be specified.
Island supports installable software packages to implement optional features. The clear package command deletes an installed package from the system.
Regenerates the public/private key pair used for VPNs.
This command has no arguments.
This command is used to delete and regenerate the local Island’s public/private key pair used to establish secure connections with VPN peers.
Note that this will stop all communications with existing VPN peers until the new public key is provided to them. It will also prevent the mobile app from establishing a remote connection to the Island until it obtains the new public key, either by connecting via a LAN or by pasting the new public key in Tours. It will not affect the mobile app’s ability to connect directly via a local LAN.
Stop and clean up from an incomplete update.
Edits the list of known SSH keys for remote hosts.
Editing is done using the .
Sets the duplex mode of an Ethernet interface.
no
(Optional) Returns the interface duplex to its default value.
auto
The interface duplex mode is set via auto-negotiation.
half
The interface is placed into half-duplex mode.
full
The interface is placed into full-duplex mode.
Interface duplex is set via auto-negotiation by default.
This command can be used to force the duplex setting on an interface if autonegotiation is unavailable or undesirable.
If duplex is explicitly configured for an interface, the interface speed should also be explicitly configured. In other words, auto-negotiation should be enabled or disabled identically for both speed and duplex.
This command is valid only in interface context.
Enters configuration mode
Restores the system from a backup file.
This command reloads the entire system configuration from a backup file previously created with the or commands.
Refer to the section of this document for more information on the syntax of the url parameter.
Edits the list of authorized public keys for authentication of incoming SSH connections.
admin
Edit authorized keys for the administrative user.
user
Edit authorized keys for the read-only user.
If neither user is specified, the keys for the administrative user are edited.
This command edits the list of authorized public keys for SSH authentication on inbound connections. The list contains one key per line in the OpenSSH authorized_keys file format.
Editing is done using the .
This command is used to return the CLI to global context after being placed into interface context with the command.
Sets optional description text for an interface.
no
Removes the description from the interface.
string
An arbitrary text string describing the interface. If the string contains whitespace, it must be enclosed in quotes.
Interfaces have no description by default.
This command allows the user to set an optional description for an interface.
This command is valid only in interface context.
Exit interface context or disconnect the CLI session.
Specify the number of CPU cores dedicated to Ethernet polling.
no
(Optional) Returns the number of cores for polling to its default value.
auto
The number of cores is selected automatically.
n
Use the specified number of cores for Ethernet polling. The allowed range is from 1 to the total number of CPU cores minus 1.
The number of cores is selected automatically by default.
Normally, the system automatically determines the number of CPU cores to dedicate to Ethernet polling. This command is provided for diagnostic purposes, and should be used only as directed by Island support.
Displays a summary of available commands, or help for a specific command.
For more detailed help on command syntax, use the question mark (“?”) for .
Manage a history file instance.
no
(Optional) Deletes the specified history instance.
instance
The history instance to be created or modified. If the specified instance does not exist, it will be created unless the no keyword was also specified. Must be alphanumeric.
command
One of “empty”, “filter”, “interval”, “output-format”, “rename”, “url”, or “utc”. The command is required unless the no parameter is specified.
This command is used to create, modify, or delete a history file instance.
Island maintains a record of all device-related activity such as Internet access and session data counters, online and offline events, etc. These “history” events are stored internally in a compact binary format, and can be displayed with the show history command.
History data can be formatted and saved in files to be transferred to a remote file server on a periodic basis. A history “instance” refers to a set of named history configuration commands that control the creation, format, transfer, and other characteristics of the associated history files.
An entire history instance can be deleted by entering this command with the no prefix. This will delete all unsent history files and all configuration commands associated with the instance.
The creation of history files is enabled with the command. Therefore when creating a new history instance, it is usually preferable to issue all other desired history commands such as and before issuing the history interval command, otherwise the system may create one or more initial history files with improper characteristics.
History files are automatically deleted upon successful transfer to the remote system. To see the list of history files waiting to be transferred, use the command.
Restricts the types of activities logged to history files.
no
(Optional) Removes the history filter.
instance
The history instance to be modified. If the specified instance does not exist, it will be created unless the no keyword was also specified. Must be alphanumeric.
string
The filter string.
All history events are logged by default.
Using the history filter command, you can restrict the types of activities that are logged to the history files. The filter syntax is:
<field><op><value>[<conj>…]
The field parameter specifies the field within the history records to test. Valid fields are listed below.
Note that the contextual help for this command may list additional field names that are reserved for diagnostic purposes or for future use.
Field names are case-insensitive.
time
The timestamp on the record. The timestamp format for string comparisons is "YYYY-MM-DDTHH:MM:SS.mmm" (e.g., "2024-06-01T19:23:47.316").
type
The record type; one of "associate", "disassociate", "access", "session", or "comment".
count
For "associate" and "disassociate" records, this is a reference count. For session records with the "fin" flag set, it is the session duration in nanoseconds.
flags
A bit field of flags associated with the record. Valid values for Island include "nonrender" (4), "secure" (16), "blocked" (32), "allowed" (64), and "fin" (128).
mac
The source MAC address of the packet or device associated with the record.
ip
The source IP address of the packet or device associated with the record.
port
The source TCP/UDP port number of the packet or device associated with the record.
destIP
The destination IP address of the packet associated with the record.
destPort
The destination TCP/UDP port number of the packet associated with the record.
sourceName
The name of the interface (e.g., "en0") associated with the device on an "associate" or "disassociate" record.
cat
The numerical value of the website category associated with the record. The cat field is a bit mask, and is therefore usually best tested using the "&" operator.
comment
A text string containing miscellaneous information associated with some records.
country
A two-letter code (e.g., "US") representing the country in which the remote IP address is registered.
The comparison operator.
=
Matches if the field value is exactly the same as the comparison value. This can be either a string or a numeric comparison depending on the field and the value.
!=
Matches if the field value is not exactly the same as the comparison value. This can be either a string or a numeric comparison depending on the field and the value.
<
Matches if the field value is numerically less than the comparison value.
<=
Matches if the field value is numerically less than or equal to the comparison value.
>
Matches if the field value is numerically greater than the comparison value.
>=
Matches if the field value is numerically greater than or equal to the comparison value.
&
Performs a bitwise test.
The value to compare against. This can be a string, a regular expression, or a numeric value. Strings must be enclosed in quotes if they contain special characters.
Regular expressions are delineated with a slash (e.g., mac=/^B4:AE:2B/). Regular expressions are valid only with the "=" and "!=" operators.
Joins multiple comparison expressions together.
| (vertical bar)
Logical "or"
& (ampersand)
Logical "and"
, (comma)
Logical "and"
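An offline model of the filter grammar described above, for trying a filter against sample records before configuring it; this is an added example, not Island's implementation. It assumes that terms are evaluated left to right with no precedence between conjunctions, that flag names may be written in place of their numeric values, and that a record lacking a field never matches a term; the sample records are constructed.

```python
import re

# Field names and flag bits come from the tables in this guide.
FIELDS = {"time", "type", "count", "flags", "mac", "ip", "port", "destip",
          "destport", "sourcename", "cat", "comment", "country"}
FLAG_BITS = {"nonrender": 4, "secure": 16, "blocked": 32, "allowed": 64, "fin": 128}

# One comparison, <field><op><value>, optionally followed by a conjunction.
TERM = re.compile(r'''\s*(?P<field>[A-Za-z]+)\s*
                      (?P<op><=|>=|!=|=|<|>|&)\s*
                      (?P<value>"[^"]*"|/(?:\\.|[^/])*/|[^|&,\s]+)\s*
                      (?P<conj>[|&,])?''', re.X)

RECORDS = [  # constructed sample records, keys lower-cased
    {"type": "access", "flags": 16 | 64, "mac": "B4:AE:2B:10:20:30",
     "destport": 443, "country": "US"},
    {"type": "access", "flags": 32, "mac": "B4:AE:2B:10:20:30",
     "destport": 23, "country": "DE"},
    {"type": "session", "flags": 16 | 128, "mac": "00:11:22:33:44:55",
     "destport": 443, "count": 5_000_000_000, "country": "US"},
    {"type": "associate", "flags": 0, "mac": "00:11:22:33:44:55",
     "sourcename": "en0", "count": 1},
]


def parse(text):
    """Split a filter string into (field, op, value, conj) tuples."""
    terms, pos = [], 0
    while True:
        m = TERM.match(text, pos)
        if not m:
            raise ValueError(f"syntax error at offset {pos}")
        field, op, raw, conj = m["field"].lower(), m["op"], m["value"], m["conj"]
        if field not in FIELDS:
            raise ValueError(f"unknown field {field!r}")
        if len(raw) >= 2 and raw[0] == raw[-1] == "/":
            if op not in ("=", "!="):
                raise ValueError("regular expressions are valid only with = and !=")
            value = re.compile(raw[1:-1])
        elif raw.startswith('"'):
            value = raw[1:-1]
        elif field == "flags" and raw.lower() in FLAG_BITS:
            value = FLAG_BITS[raw.lower()]      # assumption: names accepted
        else:
            value = raw
        terms.append((field, op, value, conj))
        pos = m.end()
        if pos == len(text) and conj is None:
            return terms
        if pos == len(text) or conj is None:
            raise ValueError(f"syntax error at offset {pos}")


def as_int(v):
    try:
        return int(v)
    except (TypeError, ValueError):
        return None


def term_matches(actual, op, value):
    if actual is None:
        return False                            # assumption: missing field
    if isinstance(value, re.Pattern):
        hit = value.search(str(actual)) is not None
        return hit if op == "=" else not hit
    a, b = as_int(actual), as_int(value)
    if op in ("=", "!="):
        # Numeric comparison when both sides are numbers, string otherwise.
        hit = a == b if a is not None and b is not None else str(actual) == str(value)
        return hit if op == "=" else not hit
    if a is None or b is None:
        return False                            # ordering and bit tests are numeric
    return {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b,
            "&": (a & b) != 0}[op]


def matches(text, record):
    """Evaluate the filter left to right (assumed; the guide gives no precedence)."""
    result, pending = None, None
    for field, op, value, conj in parse(text):
        hit = term_matches(record.get(field), op, value)
        if pending is None:
            result = hit
        elif pending == "|":
            result = result or hit
        else:                                   # "&" and "," are both logical and
            result = result and hit
        pending = conj
    return result


def select(text, records=RECORDS):
    """Return the indexes of the records a filter would log."""
    return [i for i, r in enumerate(records) if matches(text, r)]
```

With these assumptions, `select("type=access,flags&blocked")` picks out only the blocked access record; a filter that mixes "|" with "&" or "," is where the left-to-right assumption matters and should be confirmed on the device.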
Once a history instance has been defined, history files will be created periodically based on the setting of the command. By default, no history file is created for an interval if there were no history records generated during that interval. This command specifies that history files should always be created for an interval, even if the file contains no records.
no
(Optional) Empty history files will not be created.
instance
The history instance to be modified. If the specified instance does not exist, it will be created unless the no keyword was also specified. Must be alphanumeric.
Enables the generation of history files, and sets how often a new history file is created.
no
(Optional) Removes the interval for the specified instance.
instance
The history instance to be modified. If the specified instance does not exist, it will be created unless the no keyword was also specified. Must be alphanumeric.
seconds
The interval at which a new history file should be created, in seconds. The interval must be specified in order to enable history logging. The minimum interval is 60 seconds.
History files are not written by default.
This command enables the generation of history files for the specified instance, and specifies how often, in seconds, the current history file will be closed and a new file started.
The actual interval between files may be longer than specified if there are no events to log immediately after closing the previous history file. This does not apply if the history empty command has been given.
If the no keyword is specified, the current history file will be closed and no new history files will be created for this instance. Existing unsent history files will be retained until they are successfully transferred.
Rename an existing history instance.
instance
The history instance to be renamed.
newname
The new name for the history instance.
None; all parameters must be specified.
This command allows an existing history instance to be given a new instance name. Once renamed, all references to the history instance must be done using the new instance name.
Renaming a history instance will cause the current history file (if any) to be closed and a new one started.
Causes history file names and the timestamps contained within to be in UTC.
no
(Optional) Use the local time zone instead of UTC.
instance
The history instance to be modified. If the specified instance does not exist, it will be created unless the no keyword was also specified. Must be alphanumeric.
The default is to use the local time zone for history file names and timestamps.
This command causes UTC time to be used for history file names and for any dates and times in the history records.
Sets the output format for history log records.
no
(Optional) Reverts to the default output format.
instance
The history instance to be modified. If the specified instance does not exist, it will be created unless the no keyword was also specified. Must be alphanumeric.
template
The history output format template, described below.
The default output format is: "%d? %12t?? sub=%s?? mac=%m?? ip=%21ys?? dest=%21yd?? proto=%L?? policy=%P(%p)?? category=%C(%c)?? group=%G(%g)?? rule=%U(%u)?? button=%b?? count=%n?? stage=%S?? waited=%w?? rxbytes=%xr?? txbytes=%xt?? desc=%E?? ident=%I?? comment=%O?? host=%ah?? country=%N?? cat=%Mh?? flags=%f?? method=%am?? path=%ap?? version=%av?? timeOffset=%J?"
Note that the default format includes fields which are not used in the current product.
The output format template consists of arbitrary text containing field substitutions. These substitutions begin with a percent sign ("%"). The list of valid substitutions is shown in the table below.
The percent sign may optionally be followed by a decimal minimum field width. The field value will be left-justified within the specified width.
A substitution, along with any surrounding text, may optionally be enclosed in question mark characters. This will cause all text between the question marks to be suppressed if no substitution is made.
The contextual help for this command may include substitutions for fields that are not used in the current product. Only the currently supported substitutions are included in this table.
%d[(format)]
Date and time formatted using . The default format is "%Y/%m/%d %T".
%D
Date and time formatted as "yyyy-mm-ddThh:mm:ss.xxx(Z|+/-HH:MM)".
%f
Event flags
%h
Destination host name
%H
Island host name
%i
Source IP address
%m
Source MAC address
%Mh
Destination host category list
%N
Country code
%O
Comment
%rn
Interface name
%R
Constant random number
%t
Event type
%xr
Bytes received
%xt
Bytes transmitted
%%
Percent sign
all
All attributes in "tag=value" format
csv
All attributes in CSV format
syslog
Structured syslog
usyslog
Unstructured syslog
json
JSON
raw
Raw binary
An Island may be given a unique and descriptive name to distinguish it from other Islands. The hostname will be used as the CLI prompt. It is also used when auto-generating file names for some commands (e.g., ).
no
(Optional) Deletes the existing hostname.
string
An alphanumeric string of up to 63 characters, beginning with a letter.
Specifies a remote directory to which history files will be written.
no
Removes the specified history URL.
instance
The history instance to be modified. If the specified instance does not exist, it will be created unless the no keyword was also specified. Must be alphanumeric.
url
The URL to which history files are to be written. Required unless the no parameter is specified.
The default is to not write history files to a remote system.
This command specifies the destination for files produced for this history instance.
The URL must point to a remote directory. Each history file will be written to a unique file in that directory. The file name format is:
history.YYYYMMDDHHMMSSmmm‐nnnnnnnnnn
where “YYYYMMDDHHMMSSmmm” is the date and time including milliseconds and “nnnnnnnnnn” is the number of records in the file.
The path portion of the URL is ignored for the "tcp://" or "udp://" real-time streaming schemes.
Refer to the section of this document for more information on the syntax of the url parameter.
The following "ip" commands are used to configure network parameters on an interface. They are valid only in interface context as set with the command.
Assigns an IP address to an interface.
no
(Optional) Removes the IP address from the interface.
address
The IP address to be assigned to the interface.
bits
The number of bits in the network portion of the address.
By default, Island will either obtain an IP address for an interface using DHCP (if the DHCP client is enabled on the interface) or will assign an arbitrary /24 private (RFC 1918) network address.
This command assigns an IPv4 or IPv6 address to an interface. Only one IPv4 and one IPv6 address may be assigned to a given interface.
This command is valid only in interface context.
This command does not automatically set the to manual or disable the on the interface. However, if the DHCP client is enabled, the specified IP address will be overwritten if an address is later obtained from a DHCP server. To ensure a manually-configured IP address is not changed, set the to lan, or set it to manual and disable the .
Selects an interface and places the CLI into interface context, or deconfigures an interface.
no
(Optional) Causes the specified interface to be deconfigured.
string
The name of the interface to be configured.
The CLI is in global context by default.
The “no” form of this command deletes all configuration information, both learned and manually-configured, from the specified interface. For physical interfaces (e.g., Ethernet), the interface is placed into automatic configuration mode. For virtual interfaces, the interface is deleted from the system.
Sets the configuration mode for an interface.
The default is full automatic configuration.
When autoconfig is set to full on an interface (the default), the Island will determine if the interface is connected to a local area network (LAN) or to the Internet (WAN), and will set all other interface parameters as appropriate for the type of connection detected. This mode works well in most cases, and is useful for initial installation. Once installation is complete, it is generally recommended to select one of the other modes as appropriate for each interface.
When using manual mode, users may find it convenient to first set the interface mode to one of the modes listed below before switching to manual mode, to provide a starting point for all interface settings. Note that the interface must be active (up) in order for the current interface settings to be retained when the mode is switched to manual.
The remainder of the modes are used to set the interface configuration appropriate for the most common network scenarios. The available modes are as follows:
lan: This mode is for a typical LAN where Island should be the DHCP server. Island's DHCP server is enabled, the DHCP client is disabled, and the DHCP monitor is enabled.
lan-no-dhcp: This mode is the same as lan except Island's DHCP server and DHCP monitor are disabled, and the DHCP client is enabled. This mode is used when another DHCP server is used for the network.
wan: This mode is for a typical WAN connection where Island obtains its IP address from the provider using DHCP.
static-wan: This mode is for a WAN connection where Island is assigned a static IP address.
This command is valid only in interface context.
This command must be given before issuing any commands that modify an interface. The specified interface remains the “selected” interface until another command or the command is issued.
When set to manual, automatic configuration is disabled, and the current interface configuration is written to the running configuration. Individual may then be modified as needed. This configuration is the most flexible but requires that each interface configuration option be set appropriately. It can be used for unusual situations where the predefined interface modes (described below) are not sufficient.
Note that issuing most will cause the interface mode to be set to manual. When this happens, the remaining interface configuration options with their current values will be written to the running configuration, and can be modified as needed. Refer to the documentation for a specific command to determine if that command will force the interface mode to manual.
disabled
Disable the interface.
full
Automatically set the interface configuration.
lan
Configure the interface for a typical LAN where Island is the DHCP server.
lan-no-dhcp
Configure the interface for a LAN where the Island is not the DHCP server.
manual
Disable automatic configuration on the interface. This mode will be enabled automatically if certain interface commands are issued.
static-wan
Configure the interface for a WAN with a static address.
wan
Configure the interface for a WAN with a dynamic (i.e., DHCP) address.
Enables or disables periodic ARP scanning on an interface.
no
(Optional) This is the same as ip arp-scan off.
off
Disables ARP scanning.
on
Enables ARP scanning.
ARP scanning is enabled on LAN interfaces but disabled on WAN interfaces by default.
When ARP scanning is enabled on an interface, Island will periodically send ARP requests to every valid IP address on the interface network. This allows Island to discover all devices on the network, even those that are not otherwise sending any traffic through the Island.
Enables or disables ARP spoofing on an interface.
ARP spoofing is disabled by default.
When ARP spoofing is enabled, Island will send “spoofed” ARP responses to all clients presenting itself as the owner of the default gateway’s IP address.
ARP spoofing allows Island to insert itself into a network with an existing default gateway using a single interface. It forces all Internet-bound traffic from LAN clients to be sent to itself. Island will apply all configured security filters and other features before forwarding the packet to the actual default gateway.
This mode essentially provides all features of the Island without replacing an existing gateway. However, it can cause problems with some hosts and security devices, and should therefore be used with caution.
This command is valid only in interface context. Entering it will set the to manual.
no
(Optional) This is the same as ip arp-spoof off.
off
Disables ARP spoofing.
on
Enables ARP spoofing.
Defines the priority of a WAN connection relative to other WAN connections.
n
The priority of the interface. Must be an integer between 1 and 4, with 1 being the highest priority and 4 being the lowest.
The default interface priority is 1.
Island supports multiple WAN connections. The interface priority determines which WAN connection(s) outgoing traffic will use when multiple WAN connections are present and active.
Outbound connections will normally use the highest priority active WAN interface. If multiple active WAN interfaces have the same priority, outbound connections will be distributed between them.
This command is valid only in interface context. Entering it does not change the of the interface.
Enables or disables automatic VLAN provisioning for an interface.
no
(Optional) This is the same as ip autovlan off.
off
Disables automatic VLAN provisioning.
on
Enables automatic VLAN provisioning.
Automatic VLAN provisioning is enabled by default.
When automatic VLAN provisioning is enabled, Island will create a new VLAN interface whenever a packet is received with an 802.1Q VLAN Identifier that does not match an existing VLAN interface.
This command is valid only in interface context. Entering it will set the to manual.
Sets the DHCP lease time on an interface.
no
(Optional) Resets the DHCP lease time to the default value.
seconds
The DHCP lease time in seconds.
The default lease time is 1800 seconds (30 minutes).
The default lease time for addresses assigned by Island's DHCP server is 10 minutes. This allows devices to respond reasonably quickly to network address changes.
Although rare, some devices cannot handle such a short lease time. This command can be used to change the DHCP lease time to a different value.
This command is valid only in interface context. Entering it does not change the of the interface.
Enables or disables the DHCP monitor service on an interface.
no
(Optional) This is the same as ip dhcp-client off.
off
Disables the DHCP monitor on the interface.
on
Enables the DHCP monitor on the interface.
The DHCP monitor is enabled on LAN interfaces and disabled on WAN interfaces by default.
The DHCP monitor service watches for rogue DHCP servers on an interface and issues a warning if one is found.
If both DHCP monitor and are enabled on the same interface, DHCP client has precedence and DHCP monitor will not be run.
This command is valid only in interface context. Entering it will set the to manual.
Enables or disables the DHCP server on an interface.
no
(Optional) This is the same as ip dhcp-server off.
off
Disables the DHCP server on the interface.
on
Enables the DHCP server on the interface.
The DHCP server is enabled on LAN interfaces and disabled on WAN interfaces by default.
The DHCP server is responsible for assigning IPv4 addresses and related options to clients on a connected network.
Enables or disables the DHCPv6 client on an interface.
no
(Optional) This is the same as ip dhcp6-client off.
off
Disables the DHCPv6 client on the interface.
on
Enables the DHCPv6 client on the interface.
The DHCPv6 client is enabled by default on WAN interfaces and disabled on LAN interfaces.
The DHCPv6 client is responsible for obtaining an IPv6 address and related options from a DHCPv6 server and assigning it to an interface.
If the DHCPv6 client is not enabled, or if a DHCPv6 server is not available, the IPv6 address is assigned based on the type of interface. On WAN interfaces, it will be assigned using Stateless Address Auto-Configuration (SLAAC). On LAN interfaces, Island will use either a delegated prefix selected from one of the WAN providers (if available) or will assign a Unique Local Address (ULA).
Enables or disables the DHCP client on an interface.
The DHCP client is enabled on WAN interfaces and disabled on LAN interfaces by default.
This command enables the DHCP client on an interface, allowing Island to obtain the IPv4 address and other options from an external DHCP server.
This command is valid only in interface context. Entering it will set the to manual.
no
(Optional) This is the same as ip dhcp-client off.
off
Disables the DHCP client on the interface.
on
Enables the DHCP client on the interface.
Enables or disables fingerprinting of IPv6 devices on an interface.
no
(Optional) This is the same as ip ident6 off.
off
Disables fingerprinting of IPv6 devices on the interface.
on
Enables fingerprinting of IPv6 devices on the interface.
Device fingerprinting is enabled on LAN interfaces and disabled on WAN interfaces by default.
This command enables or disables "fingerprinting" of IPv6 devices on an interface. Fingerprinting uses protocols such as SSDP and mDNS to gather information about devices on the network to aid in the identification of new and unknown devices.
This command is valid only in interface context. Entering it will set the to manual.
Defines the range of IPv4 addresses available to DHCP clients.
low
The decimal value of the host portion of the first IP address in the scope.
high
The decimal value of the host portion of the last IP address in the scope.
In the absence of this command, the default DHCP scope is "50-". Otherwise, the default low value is 1 and the default high value is the last available host address on the network.
This command defines the range of IPv4 addresses assignable to DHCP clients. The low value is the host portion of the first assignable address in the scope. If omitted, the default low value is 1.
The high value is the host portion of the last assignable address in the scope. If omitted, the default high value is the host portion of the last assignable address in the interface's network range. Note that the highest address in a network is reserved for broadcasts, and will never be assigned by the DHCP server.
Since these values are the decimal value of the host portion (only) of the IP address, the high value may exceed 254 for networks larger than /24. For example, the highest assignable value for a /22 IPv4 network (i.e., 10 bits of host address) would be 1022.
This command is valid only in interface context. Entering it does not change the of the interface.
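The host-portion arithmetic described above can be checked with a short script. This is an added example, not Island code: the function names and the sample networks are assumptions, and rejecting a low value of 0 is an assumption based on the stated default of 1.

```python
import ipaddress


def max_host_value(interface_network):
    """Highest host-portion value the DHCP server can hand out on a network."""
    net = ipaddress.ip_network(interface_network, strict=False)
    if net.version != 4:
        raise ValueError("DHCP scope applies to IPv4 networks only")
    host_bits = 32 - net.prefixlen
    if host_bits < 2:
        raise ValueError("network has no assignable host addresses")
    # The all-ones host value is the broadcast address and is never assigned.
    return (1 << host_bits) - 2


def dhcp_scope(interface_network, low=1, high=None):
    """Translate low/high host-portion values into first and last addresses."""
    net = ipaddress.ip_network(interface_network, strict=False)
    limit = max_host_value(interface_network)
    if high is None:
        high = limit  # default: last assignable address on the network
    if not 1 <= low <= high <= limit:
        raise ValueError(f"scope {low}-{high} is outside 1-{limit} for {net}")
    base = int(net.network_address)
    return (ipaddress.IPv4Address(base + low),
            ipaddress.IPv4Address(base + high))


def host_value(address, interface_network):
    """Reverse mapping: the host-portion value of an address on a network."""
    net = ipaddress.ip_network(interface_network, strict=False)
    addr = ipaddress.ip_address(address)
    if addr not in net:
        raise ValueError(f"{addr} is not on {net}")
    return int(addr) - int(net.network_address)


def in_scope(address, interface_network, low=1, high=None):
    """True when an address (e.g. a DHCP reservation) lies inside the scope."""
    first, last = dhcp_scope(interface_network, low, high)
    return first <= ipaddress.ip_address(address) <= last


if __name__ == "__main__":
    # Constructed sample networks.
    print(dhcp_scope("10.20.0.0/22"))             # full /22 range
    print(dhcp_scope("192.168.2.0/24", low=50))   # the "50-" form
    print(host_value("10.20.1.44", "10.20.0.0/22"))
```
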
Enables or disables the DHCPv6 server on an interface.
no
(Optional) This is the same as ip dhcp6-server off.
off
Disables the DHCPv6 server on the interface.
on
Enables the DHCPv6 server on the interface.
The DHCPv6 server is enabled on LAN interfaces and disabled on WAN interfaces by default.
This command enables the DHCPv6 server on the interface. Island does not assign IPv6 addresses via DHCP; instead, hosts will use Stateless Address Auto-Configuration (SLAAC) to obtain their IPv6 address. Island's DHCPv6 server provides DNS and other requested information to IPv6 clients.
This command is valid only in interface context. Entering it will set the to manual.
Sets the maximum transmission unit (MTU) on an interface.
This command is valid only in interface context. Entering it does not change the of the interface.
n
The MTU size in bytes.
Enables or disables IPv6 Network Address Translation (NAT) on an interface.
no
(Optional) This is the same as ip nat6 off.
off
Disables IPv6 NAT on the interface.
on
Enables IPv6 NAT on the interface.
IPv6 Network Address Translation is disabled on all interfaces by default.
When Network Address Translation (NAT) is enabled on an interface, the source IP address of transmitted packets is changed to the Island's IP address assigned to the interface. Depending on the protocol involved, the source port number, as well as address information embedded in the payload, may be modified as well.
Island maintains a list of active NAT translations so that received packets can be routed back to the proper internal client.
NAT is typically used to map private IP addresses on a LAN to a public IP address on the WAN.
This command is valid only in interface context. Entering it will set the to manual.
Enables or disables fingerprinting of IPv4 devices on an interface.
no
(Optional) This is the same as ip ident4 off.
off
Disables fingerprinting of IPv4 devices on the interface.
on
Enables fingerprinting of IPv4 devices on the interface.
Device fingerprinting is enabled on LAN interfaces and disabled on WAN interfaces by default.
This command enables or disables "fingerprinting" of IPv4 devices on an interface. Fingerprinting uses protocols such as SSDP and mDNS to gather information about devices on the network to aid in the identification of new and unknown devices.
This command is valid only in interface context. Entering it will set the to manual.
The following "ip" commands are used to configure network parameters that are not specific to a single interface.
Enables or disables the sending of IPv6 Router Solicitation (RS) packets on an interface.
no
(Optional) This is the same as ip router-solicit off.
off
Disables the sending of IPv6 RS packets.
on
Enables the sending of IPv6 RS packets.
When autoconfiguration is enabled on an interface, the Island will determine the proper setting based on whether the interface is determined to be a WAN or a LAN connection. Otherwise, the initial setting for newly-created interfaces is off.
This command determines whether IPv6 Router Solicitation (RS) packets are sent on an interface.
Establishes a dynamic DDNS host name for the Island.
no
(Optional) Deletes an existing DDNS name.
string
The desired DDNS host name. This must be a simple host name, not a domain name. It may consist of between 1 and 63 alphanumeric characters or a minus sign ("-"). The first character must be a letter or number.
No DDNS name is assigned by default.
Island provides a DDNS service that assigns names with the "myisland.info" domain. The user may assign a simple host name using this command. For example, if "bobs-island" is specified, the resulting fully-qualified domain name (FQDN) will be "bobs-island.myisland.info".
There is no registration or authentication required for this service. Names are available on a first-come, first-served basis. Once a name is assigned to a specific Island, that name may not be assigned to another Island until a grace period has expired or the name is manually deleted using the "no" form of this command from the original Island with an active Internet connection.
The A and AAAA records for the FQDN will be updated automatically by the Island based on the public IPv4 and IPv6 addresses on the WAN port. If multiple WAN primary ports are in use (or multiple secondary WAN ports if no primary port is available), the A and AAAA records will be assigned arbitrarily to the IP address on one of the active ports.
This command is valid only in interface context. Entering it will disable on the interface.
Enables or disables the sending of IPv6 Router Advertisement (RA) packets on an interface.
no
(Optional) This is the same as ip advertise off.
off
Disables the sending of IPv6 RA packets.
on
Enables the sending of IPv6 RA packets.
When autoconfiguration is enabled on an interface, the Island will determine the proper setting based on whether the interface is determined to be a WAN or a LAN connection. Otherwise, the initial setting for newly-created interfaces is off.
This command determines whether IPv6 Router Advertisement (RA) packets are sent on an interface.
This command is valid only in interface context. Entering it will disable on the interface.
Assigns a dedicated IP address to a device.
no
(Optional) Removes an existing DHCP reservation.
ip
The IP address to be assigned to the device.
mac
The MAC address of the device.
There are no DHCP reservations by default.
This command reserves an IP address for a client. The DHCP server will not assign a reserved IP address to any other client. When the client makes a DHCP request to the Island, the DHCP server will assign the specified address to the client, if able.
If the server is unable to assign the address (perhaps because the address is already in use by another client), it will assign another address from the DHCP scope. When the client renews its DHCP lease, the DHCP server will again try to assign the reserved address.
The reserved IP address must be a valid address on one of the interfaces on the Island. However, it does not need to be within the DHCP scope assigned to the interface.
Only one DHCP reservation is allowed for a given device.
Determines whether the DNS server intercepts all recursive DNS requests or only those directed at the Island.
no
(Optional) Reset the command to its default value.
off
Intercept all recursive DNS requests passing through the Island.
on
Respond only to DNS requests addressed to the Island.
All recursive DNS requests passing through the Island are intercepted by default.
By default, Island intercepts all recursive DNS requests it sees and resolves them locally, even if the request was sent to a different DNS server. This improves DNS lookup speed and allows Island to perform filtering at the DNS level.
In some circumstances, it may not be desirable to intercept DNS requests directed at another DNS server. Enabling the local-only option causes Island to pass these requests on to the targeted server.
Note that Island will never intercept and respond to DNS over HTTPS (DoH) requests targeted to another server. Users wishing to force all DNS requests to be handled by Island may wish to block access to external DoH servers using Island's filtering capabilities. Refer to the Island Router app documentation for more information.
Enables or disables IPv4 Network Address Translation (NAT) on an interface.
no
(Optional) This is the same as ip nat4 off.
off
Disables IPv4 NAT on the interface.
on
Enables IPv4 NAT on the interface.
IPv4 Network Address Translation is enabled on WAN interfaces and disabled on LAN interfaces by default.
When Network Address Translation (NAT) is enabled on an interface, the source IP address of transmitted packets is changed to the Island's IP address assigned to the interface. Depending on the protocol involved, the source port number, as well as address information embedded in the payload, may be modified as well.
Island maintains a list of active NAT translations so that received packets can be routed back to the proper internal client.
NAT is typically used to map private IP addresses on a LAN to a public IP address on the WAN.
This command is valid only in interface context. Entering it will set the to manual.
Enable or disable Island's inbound Internet firewall.
no
(Optional) Returns the Internet firewall to its default state.
off
Disables the Internet firewall.
on
Enables the Internet firewall.
The inbound Internet firewall is on by default.
This command disables the firewall function that blocks incoming traffic on a WAN interface. It takes effect only when there is a single physical port active on the Island.
This command should be used with extreme care and is intended only for very specific use cases such as using Island as a dedicated VPN concentrator, where firewall functionality is undesirable or handled by an external firewall. Note that all other Island functionality, including content filtering, is still active even when the firewall is disabled.
Determines whether IPv6 AAAA records are generated for DDNS.
no
(Optional) Reset the command to its default value.
off
An AAAA record will not be created in DDNS.
on
An AAAA record will be created in DDNS.
An AAAA record is created in DDNS by default.
The Island DDNS service creates both A (IPv4) and AAAA (IPv6) DNS records by default. This can cause delayed or broken connectivity when using a port-forward to direct incoming traffic to a device that does not support IPv6.
This command can be used to disable the generation of AAAA DNS records so that clients will attempt to connect using IPv4 only.
Sets the method Island uses to resolve DNS requests.
Island uses Cloudflare's DNS over HTTPS service by default.
This command specifies how DNS lookups are performed by Island.
By default, Island uses DNS over HTTPS (DoH) services provided by Cloudflare to resolve DNS requests. The https option can be used to change the DoH provider to Google or to an arbitrary DoH server.
Island can also be configured to use standard recursive DNS resolution. Both the recursive and the dnssec options enable recursive DNS mode; the difference is that dnssec also enables DNSSEC validation.
If Island is unable to access the specified DoH provider, it will revert to recursive DNS.
This command has no effect unless a DDNS name is defined in the app or using the command.
dnssec
Use recursive DNS with DNSSEC verification.
https
Use DNS over HTTPS (DoH).
cloudflare
Use Cloudflare for DoH resolution.
google
Use Google for DoH resolution.
url
Specify the URL of an arbitrary DoH server to use for DoH resolution.
recursive
Use recursive DNS.
Sets the maximum number of IP addresses Island will recognize.
n
The number of IP addresses.
The default maximum IP addresses is specific to each Island model.
This command specifies the maximum number of IP addresses (IPv4 and IPv6 combined) Island will support. Once this limit is reached, additional IP addresses will be ignored until older IP addresses go offline.
Caution: Changing this value causes a restart of the packet processing engine. This will cause a disruption in routing for several seconds, and all active sessions through the Island will be deleted.
Create a permanent Destination Network Address Translation (DNAT) entry.
tcp
Creates a TCP DNAT entry.
udp
Creates a UDP DNAT entry.
public-ip
(Optional) Specifies the IP address on which to accept incoming connections to be port-forwarded. If omitted, connections will be accepted on any of the Island's interface addresses.
public-port
The TCP or UDP port number on which to accept incoming connections.
mac
The MAC address of the device to which incoming connections are to be forwarded.
island
Specifies that incoming connections are to be forwarded to the Island itself.
dest-port
(Optional) The TCP or UDP port number on the target system. If omitted, the original destination port number is unmodified.
By default, port-forwarded connections will be accepted on any of the Island's interface IP addresses, and the destination port number will not be modified.
Island normally blocks all inbound connection attempts from the Internet (i.e., on WAN ports) or on other internal networks (LANs) to internal devices. This command provides a method to allow inbound connections to specific internal devices (or to the Island itself) on specific TCP and UDP ports. In essence, it opens a "hole" in the internal stateful firewall for specific internal services.
If the public IP address is specified, connections will be accepted only on that address.
The maximum number of port-forward commands is 1024.
If the public IP address is not specified, connections will be accepted on any of Island's interface addresses on the specified TCP or UDP port. Use care when doing this on ports used for internal management (e.g., TCP ports 22, 443, and 4443) or incoming VPN connections (UDP port 51820 or as defined by the command, and UDP port 3006) as the port-forward will make those services unavailable on those ports.
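A configuration review can catch the conflict described above before a change is applied. The following is an added example, not Island code: the `PortForward` record is a hypothetical model of one port-forward entry, the rule list is constructed, and the `vpn_port` argument stands in for a VPN port changed from its 51820 default.

```python
from dataclasses import dataclass
from typing import Optional

# Ports the documentation names as carrying Island's own services.
MGMT_TCP_PORTS = {22, 443, 4443}
FIXED_VPN_UDP_PORT = 3006
MAX_PORT_FORWARDS = 1024  # documented maximum number of port-forward commands


@dataclass(frozen=True)
class PortForward:
    """Hypothetical model of one port-forward entry (not the CLI syntax)."""
    proto: str                       # "tcp" or "udp"
    public_port: int
    target: str                      # device MAC address, or "island"
    public_ip: Optional[str] = None  # None: accepted on every Island address
    dest_port: Optional[int] = None  # None: destination port left unmodified


def island_service_ports(vpn_port=51820):
    """(protocol, port) pairs used for management and incoming VPN."""
    ports = {("tcp", p) for p in MGMT_TCP_PORTS}
    ports.add(("udp", vpn_port))
    ports.add(("udp", FIXED_VPN_UDP_PORT))
    return ports


def shadowing_rules(rules, vpn_port=51820):
    """Entries that make an Island service unavailable on its own port.

    Only entries without a public IP are reported, because those are the
    ones accepted on any of the Island's interface addresses.
    """
    reserved = island_service_ports(vpn_port)
    return [r for r in rules
            if r.public_ip is None
            and (r.proto.lower(), r.public_port) in reserved]


def over_limit(rules):
    """True when the rule set exceeds the documented maximum."""
    return len(rules) > MAX_PORT_FORWARDS


# Constructed sample rule set; MAC and IP addresses are placeholders.
SAMPLE_RULES = [
    PortForward("tcp", 443, "02:00:00:00:00:01"),                  # shadows HTTPS
    PortForward("tcp", 443, "02:00:00:00:00:02", "203.0.113.10"),  # scoped to one IP
    PortForward("udp", 51820, "02:00:00:00:00:03"),                # shadows VPN
    PortForward("tcp", 8443, "02:00:00:00:00:04", dest_port=443),  # no conflict
]

if __name__ == "__main__":
    for rule in shadowing_rules(SAMPLE_RULES):
        print(f"{rule.proto}/{rule.public_port} -> {rule.target}: "
              "no public IP, takes over an Island service port")
```
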
Select the algorithm used to balance traffic between equal-priority WAN interfaces.
no
(Optional) Returns the load sharing algorithm to its default value
dst-ip
Consider the destination IP address when choosing an outbound WAN interface
random
Randomly select the outbound WAN interface for every connection
src-dst-ip
Consider the source and destination IP addresses when choosing an outbound WAN interface
The outbound WAN interface is selected randomly for each connection by default.
Island supports multiple WAN interfaces. Outbound connections are routed to the highest priority active WAN interface as set by the command. When more than one active WAN interface is at the highest priority, Island will balance the outbound connections between them. This command selects the algorithm Island uses to determine which WAN interface is selected for each outbound connection in that case. The available algorithms are as follows:
dst-ip
All connections to a given destination IP address will use the same interface.
random
The outbound interface is selected at random for each connection. This is the default.
src-dst-ip
All connections from a given source IP address to a given destination IP address will use the same interface.
Set the brightness of the Island's LED.
n
An integer representing the LED brightness in percent (0-100).
The default LED level is 100.
The command sets the brightness of the Island's LED display. The value must be an integer from 0 (off) to 100 (full brightness).
Enables or disables remote access by Island Support personnel.
To prevent the loss of important data, certain CLI commands (e.g., , , etc.) normally prompt the user for confirmation before executing. This can be inconvenient when executing batch CLI commands. The no login confirm command disables these confirmation prompts. The prompts can be re-enabled using the login confirm command.
no
(Optional) Disables support access.
Enables or disables remote access.
no
(Optional) Disables remote access.
Remote access is disabled by default.
Island implements secure remote access from the Island app on Apple and Android devices. Remote access is disabled by default, but can be enabled with this command.
Create a static route within the Island.
address
The target IP network or host address.
bits
The number of network bits in the target IP address.
gateway
The IP address to which packets for the target address are to be sent.
default
Can be used in place of "0.0.0.0/0" or "::/0" to represent the default route.
No static routes exist by default.
The command allows manually-configured (i.e., "static") routes to be inserted into Island's routing table.
Both IPv4 and IPv6 routes are supported. The target address and the gateway must both be the same protocol (IPv4 or IPv6).
The word "default" may be used to represent the default route (0.0.0.0/0 or ::0/0). The protocol of the default route (IPv4 or IPv6) will be determined by the protocol of the specified gateway.
Some Island models have a serial port which provides direct access to the CLI. By default, no credentials are required to access the CLI through the serial port, and full access is granted. When the command is specified, the user will be prompted for a username ("admin" or "user") and password before access is granted.
no
(Optional) Don't require a username and password on the serial port.
Define a configuration parameter for an installed package.
There are no defaults for this command. All parameters must be specified.
Some packages require user-specified configuration information, or "parameters". These parameters are set using this command.
Parameter names and values are specific to each package. Refer to the associated package documentation for supported parameters and values.
Specify the format for displaying MAC addresses.
The default MAC address output format is "XX:XX:XX:XX:XX:XX".
This command is used to specify the output format for MAC addresses as used in the CLI and in system logs.
The format must contain 12 upper or lower case X’s as placeholders for each of the 12 hexadecimal digits in a MAC address. The case of a placeholder indicates the case of the corresponding output MAC character. All other characters in the format string are printed literally.
Island supports installable software packages to add features not included in the base firmware. Installable packages are installed with the command.
no
(Optional) Removes the specified parameter
name
The name of the installed package.
parameter
The name of the parameter to be set.
value
The value of the parameter to be set.
no
(Optional) Use the default MAC address output format.
template
A string defining the MAC address output format.
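Because the template changes how MAC addresses appear in system logs, any log parser has to follow it. The sketch below is an added example, not Island code: it applies the documented placeholder rules (12 upper or lower case X's, everything else literal) to format a MAC address and to pull MAC addresses back out of a log line. The function names, templates other than the default, and the log line are constructed.

```python
import re

DEFAULT_TEMPLATE = "XX:XX:XX:XX:XX:XX"  # documented default output format


def check_template(template):
    """A template must contain exactly 12 X/x placeholders."""
    count = sum(ch in "Xx" for ch in template)
    if count != 12:
        raise ValueError(f"template has {count} placeholders, expected 12")


def format_mac(mac, template=DEFAULT_TEMPLATE):
    """Render a MAC address according to a template."""
    check_template(template)
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"{mac!r} does not contain 12 hexadecimal digits")
    remaining = iter(digits)
    out = []
    for ch in template:
        if ch == "X":
            out.append(next(remaining).upper())  # upper-case placeholder
        elif ch == "x":
            out.append(next(remaining).lower())  # lower-case placeholder
        else:
            out.append(ch)                       # printed literally
    return "".join(out)


def template_regex(template):
    """Regular expression matching MAC addresses printed with a template."""
    check_template(template)
    parts = []
    for ch in template:
        if ch == "X":
            parts.append("([0-9A-F])")
        elif ch == "x":
            parts.append("([0-9a-f])")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def extract_macs(line, template=DEFAULT_TEMPLATE):
    """Return MAC addresses found in a log line as 12 lower-case hex digits."""
    pattern = template_regex(template)
    return ["".join(m.groups()).lower() for m in pattern.finditer(line)]


if __name__ == "__main__":
    print(format_mac("00:1a:2B:3c:4D:5e", "xxxx.xxxx.xxxx"))
    # Constructed log line for illustration.
    print(extract_macs("new device 001a.2b3c.4d5e seen on LAN", "xxxx.xxxx.xxxx"))
```
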
Set the minimum severity level of messages logged by the low-level packet handler.
no
(Optional) Sets the severity level to the default value.
n
The minimum severity level to be logged.
The default minimum severity level is 5.
This command sets the minimum severity level of messages logged by the low-level packet handling subsystem in Island. Logging less severe messages can be useful when diagnosing network issues, but will also increase the amount of information logged.
The highest severity level is 0 and the lowest is 7, as follows:
0
Critical system failure
1
Critical or unexpected unrecoverable error
2
Unexpected recoverable error
3
Less severe error
4
Warning
5
Informational message
6
Debugging message
7
Verbose debugging message
Globally enable or disable IPv6.
no
(Optional) Reset the command to its default value.
off
Disable IPv6 on the Island.
on
Enable IPv6 on the Island.
IPv6 is enabled by default.
IPv6 is fully supported by Island, and is enabled on all interfaces by default. Island will attempt to obtain an IPv6 address and a delegated prefix on each WAN port, and will assign IPv6 addresses to each LAN port.
While IPv6 can be disabled on individual interfaces using , this command can be used to disable IPv6 on all interfaces.
Sends an ICMP Echo Request to a host and waits for a reply.
ip
(Optional) Use IPv4.
ipv6
(Optional) Use IPv6.
host
The domain name or IP address of the host to be pinged.
If neither ip nor ipv6 is specified, the protocol is chosen automatically.
The ping command is used to test the reachability of another system and measure the round-trip time (RTT) to the system using ICMP Echo Request packets. Once the command is issued, it will continue until stopped by pressing Control-C.
Specify the parent interface for a VLAN interface.
interface
The name of the parent interface.
This command has no default. The parent interface must be specified.
This command is required for VLAN interfaces. It defines the physical interface on which the VLAN is carried. It is valid only in interface context, and only for VLAN interfaces.
Restore the system firmware and configuration to a previously stored checkpoint.
This command has no arguments.
Each checkpoint includes all changes made to the operating code on the system. In some cases, the checkpoint may include additional items. For example, if an update will use a new, incompatible version of a database or configuration, then the affected items are also included in the checkpoint.
This command provides a way to return the system firmware and configuration to a previous state created with the command.
The command automatically saves a copy of the current firmware and system configuration as a checkpoint. The five most recent checkpoints are retained.
When the command is issued, the user may choose from a list of these checkpoints, and the system will be restored to the saved state.
Specify NTP servers.
no
(Optional) Removes the specified NTP server. If no server is given, reverts to the default NTP server.
server
The name or IP address of an NTP server.
Island uses the pool at ntp.islandrouter.com by default.
This command specifies one or more NTP servers to be used to synchronize Island's internal clock. The command will accept multiple servers on one line, and the command may be specified multiple times.
Reboot the system.
This command has no parameters.
The reload command is used to reboot the Island router.
A warning will be issued if the running configuration does not match the startup configuration. The user will be given the opportunity to save or discard the pending configuration changes. The reload command may be aborted using Control-C at this prompt.
Display the authorized SSH public keys for a user.
admin
Shows the authorized keys for the administrative user.
user
Shows the authorized SSH keys for the read-only user.
The keys for the administrative user are shown by default.
This command displays the contents of the authorized SSH public keys file for the specified user.
Set, change, or remove a password.
no
(Optional) Deletes an existing password.
admin
Sets or changes the administrator password.
user
Sets or changes the read-only user password.
password
(Optional) The password to be set.
There is no password on the admin or user accounts by default.
This command sets the password for the specified user for access to the CLI. Users without a password may not log in to the CLI via ssh.
If the new password is not specified on the command line, the system will prompt for it.
Display a list of system crash dump files.
Display a summary of the system hardware configuration.
Display the list of known SSH hosts and their public keys.