How to configure a private APN on a 5G router

In the world of industrial IoT, there's a constant need to access remote machinery for monitoring and maintenance. A common, yet dangerous, shortcut is to equip a device with a standard SIM card for a quick connection over the public internet. In my experience, this is a critical oversight that punches a massive hole in an operational technology (OT) network, exposing valuable assets to the entire world.

Let's be clear: connecting industrial assets over the public internet is playing with fire. Every unsecured device becomes a potential backdoor for attackers and a soldier in a botnet army. To get the necessary remote access without the sleepless nights, the solution is to create a private highway on the cellular network using professional-grade hardware. An industrial 5G VPN router, like the  Robustel R5020 Lite, is engineered specifically for mission-critical industrial IoT applications, providing the enterprise-grade security needed to act as a secure gatekeeper. This is precisely where the private APN comes in. It is the foundational technology that, when configured on a capable router, delivers truly secure cellular connectivity.

Using a public APN for an industrial device is like leaving the front door of your factory wide open. Here’s what you're up against:

• Direct Exposure: Your device is assigned a public IP address, making it visible and scannable by anyone on the internet.
• Uncontrolled Traffic: You have no control over the data traffic flowing to and from your device, making it vulnerable to DDoS attacks and other malicious intrusions.
• Shared Infrastructure: Your critical operational data travels alongside consumer traffic, with no performance guarantees.

In contrast, implementing a private APN transforms your security posture.

• Total Isolation: Your devices are completely invisible to the public internet. They exist in a walled garden, accessible only from within your corporate network.
• Enhanced Security: By creating a private data path, you eliminate the primary attack vector for most remote IoT threats. It's the first and most important step in securing your corporate private network access.
• Simplified Management: You can often assign static private IP addresses to your devices, making them easier to manage, monitor, and access for remote maintenance.
• Reliable Performance: Your data traffic isn't competing with public internet congestion, leading to more predictable and stable connectivity.

Before we start, let's get our gear in order. It's a pretty simple list:

• 1 x  Robustel R5020 Lite  Router: The heart of our setup.
• 2 x Active SIM Cards: These can be from the same or different carriers. Ensure they have active data plans.
• 1 x Computer: A laptop or desktop to access the router's configuration interface.
• 1 x Ethernet Cable: To connect your computer to the router.
• Antennas Connected: Ensure cellular antennas is already securely attached to the router. 
• APN Details: The carrier will provide you with the essential information: the APN name itself, and potentially a username and password for authentication.

First things first, let's get the physical setup right.

• With the router powered off, carefully insert your provisioned M2M/IoT SIM card into the SIM 1 slot until you hear a small click.
• Power on the router and give it a solid two minutes to fully boot up its system.
• Connect an Ethernet cable from a LAN port on the router to the Ethernet port on your computer. Make sure your computer's network card is set to obtain an IP address automatically (via DHCP), which is the default for most PCs.

Now we need to log in to the router's brain.

• Open a web browser on your computer and type the router’s default IP address, 192.168.0.1, into the address bar and hit Enter.
• You'll see a login page. The default username and password are both admin. If you are prompted to change the admin account password, simply follow the instructions to set a compliant password and be sure to remember it.
• Insider Tip: If the router isn't brand new and you can't connect, check your computer's network settings to see what "gateway" IP address it was assigned. That address is your router's current IP.

This is where we tell the router how to find its private network.

• Once logged in, navigate to Interface -> Link Manager.
• You'll see link configurations, often wwan1 (for SIM 1) and wwan2 (for SIM 2). Since you inserted the card into slot 1, find the row for  wwan1 and click its  Edit button.
• In the " WWAN Settings" section, Disable " Automatic APN Selection". This allows you to manually enter your settings.
• In the  "APN" field, carefully type the private APN name your carrier provided. It might look something like yourcompany.mnc012.mcc345.gprs. A single typo is the most common point of failure, so double-check it!
• If your carrier requires authentication, enter the  "Username" and  "Password" in their respective fields.
• When you're done, click the  "Submit" button. Then—and this is a crucial step everyone misses—click the  "Save & Apply" button that appears to make the changes live.

Let's confirm it's all working.

• The router will now restart its cellular connection. Give it a minute.
• To test the connection, navigate to System -> Tools.
• On the Ping page, in the "Host" field, enter the IP address of a server or computer that exists only on your internal corporate network.
• Click "Ping." If you see successful replies, you've done it! Your router now has a secure, direct tunnel into your private network, completely invisible to the public internet.

A private APN is your foundational security layer, but it shouldn't be your only one. True industrial cybersecurity follows a "defense-in-depth" model. What does that mean? It means adding more layers of protection.

• VPN Tunnels: For an extra layer of encryption and security, run a VPN (like IPsec or OpenVPN) over your private APN connection. Robustel routers have robust VPN capabilities built right into RobustOS.
• Device Firewall: Use the router's built-in firewall to strictly control which traffic is allowed to and from the connected end device (like the PLC). If the PLC only needs to talk to one server on one port, block everything else.
• Secure Remote Management: How do you manage the router itself? A secure cloud platform like Robustel's RCMS allows you to monitor, configure, and update your entire fleet of devices without ever exposing their management interfaces to the internet. This is critical for managing devices at scale.

Isn't it fascinating how a simple setting can completely change your security posture? By using a private APN, you're not just configuring a device; you're adopting a security-first mindset that is essential in today's connected industrial landscape.