Remote Access
Intelbras TR-069 Remote Management
Configure TR-069 on Intelbras routers, ONUs, and OLTs to enable remote provisioning, firmware upgrades, and monitoring at scale.
Summary TR-069 (CWMP) is the standard protocol that lets a central ACS remotely configure, upgrade, and monitor Intelbras routers, ONUs, OLTs, and gateways without engineers logging into each device. This guide walks through the local access prerequisites, the TR-069 client configuration, ACS verification, controlled testing, and the hardening checklist that keeps a TR-069 deployment secure at scale.
How does TR-069 enable remote Intelbras management?
TR-069 is the CPE WAN Management Protocol (CWMP) — an international standard that lets an ACS (Auto Configuration Server) reach into CPEs like Intelbras routers, ONUs, OLTs, gateways, and modems to read telemetry, push configuration, and orchestrate firmware updates without needing to log into each device by hand. On an Intelbras device, you enable TR-069 once, point it at your ACS, and from then on the device checks in periodically and accepts commands from the central server.
The protocol solves the operational problem that defines scale: at fifty CPEs you can manage manually, at five hundred you cannot. TR-069 lets you auto-provision new devices as they come online, change settings remotely without chasing the customer’s IP, roll out mass firmware upgrades, and collect performance and error telemetry centrally. It is the building block that makes ISP-scale Intelbras operations practical.
Default Intelbras IPs and credentials
Before touching TR-069, you need local access to the device. Common defaults you’ll see in the field:
| Equipment | Default IP | User | Password |
|---|---|---|---|
| Intelbras IWR 3000N / WRN 300 | 10.0.0.1 or 192.168.0.1 | admin | admin |
| Intelbras ONU G120 / G240 | Provisioned via OLT | admin | admin |
| Intelbras OLT 8820G / 8820L | 192.168.1.1 | admin | admin |
Connect a PC to a LAN port, set a static IP in the same subnet (e.g., 192.168.0.10/24), open http://192.168.0.1 (or the model-specific default), and log in. On ONUs and OLTs the exact default may differ, but the pattern is the same: connect locally first, then move on to TR-069.
Enable and configure the TR-069 client
The menu name varies by model (router, ONU, OLT), but the path is usually Management → TR-069 / CWMP. Inside that section, enable the client and fill the ACS parameters:
| Field | Example | Notes |
|---|---|---|
| ACS URL | http://acs.yourisp.com:7547/ | The address of your ACS server |
| ACS Username | acs-user | ACS-side authentication |
| ACS Password | strongpass123 | ACS-side authentication |
| Connection Request URL | (auto) | Generated by the device |
| Connection Request Username | admin | Used by the ACS to initiate calls |
| Connection Request Password | admin123 | Used by the ACS to initiate calls |
Click Save / Apply and reboot if the model requires it. A typo in the ACS URL on a provisioning template can break communication for hundreds of CPEs at once — verify it before rolling out widely.
Confirm communication with the ACS
Once TR-069 is enabled, the device tries to reach the ACS. On the ACS panel (GenieACS, Splynx, or the TR-069 module inside MKController), confirm the device appears with Status: Online and a recent Last Inform timestamp.
If the CPE doesn’t show up, check three things in order: that port 7547 (or whichever port the ACS uses) is open and reachable on the server, that the ACS URL on the CPE has no typos, and that basic IP connectivity works from the device’s network to the ACS:
curl -v http://acs.yourisp.com:7547If multiple devices fail to connect at once, the cause is almost always DNS, firewall, or the ACS itself — not individual CPE configuration. Don’t start editing CPEs until the centralized cause is ruled out.
Test remote commands
With communication established, test the channel before doing anything operational. Read a harmless parameter first, then do a controlled reboot on a lab device:
Device.DeviceInfo.SerialNumberDevice.WiFi.SSID.1.SSIDDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1.ExternalIPAddress
Only after small reads and a lab reboot succeed should you trigger firmware upgrades, SSID changes, PPPoE credential pushes, or bulk parameter writes against the production fleet. For complementary remote-access patterns when TR-069 alone is not enough, see our Intelbras DDNS guide and the iManager management guide.
Harden the deployment
TR-069 is powerful, which means it deserves operational discipline:
- Rotate the default
admin / admincredentials before enabling TR-069. Change the Connection Request password as well. Use unique or per-customer credentials where your provisioning process allows. - Enable TR-069 only on CPEs that will actually be managed centrally. Don’t leave it pointing at unknown or unused ACS URLs.
- Prefer HTTPS for the ACS endpoint (commonly port 443 or 7548) with valid certificates. Update CPEs to firmware versions with stable TR-069 and TLS support.
- Plan regular firmware maintenance windows. Test new firmware on a small subset before rolling it out widely, and use TR-069’s upgrade features instead of manual one-by-one upgrades.
- Document the policy: which models are managed, which parameters are controlled by the ACS, and how rollback works if a bad config goes out.
Combine TR-069 with MKController and NATCloud
TR-069 alone gives you a strong remote-management channel for compatible CPEs. In real-world ISP operations you also need a unified dashboard across vendors, monitoring and alerts, remote access when the customer has no public IP (NAT, CGNAT), and inventory discovery across switches, routers, OLTs, and ONUs.
MKController talks TR-069 / TR-369 (USP) to compatible CPEs, supports Intelbras alongside other vendors, and provides a single dashboard with uptime, ping, and performance trends. It discovers devices via SNMP, LLDP, CDP, and vendor APIs — so instead of juggling one ACS per brand plus separate monitoring tools, the data lands in one place.
NATCloud complements TR-069 where the CPE sits behind NAT, double NAT, or CGNAT — situations where opening ports stops working. It creates secure outbound tunnels from the customer site to the cloud, enabling remote access without a public IP, even as ISP addressing models change underneath you.