Training Materials
Last updated: 26-09-2013 © 2013 Peplink / Pepwave All rights reserved. No part of this manual may be reproduced, transcribed, stored in a retrieval system, translated into any language or computer language or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the copyright owner. The copyright owner gives no warranties and makes no representations about the contents of this manual and specifically disclaims any implied warranties or merchantability or fitness for any purpose.
The copyright owner reserves the right to revise this manual and to make changes from time to time in its contents without notifying any person of such revisions or changes.
Peplink Balance Series
Enterprise-class Multi-WAN Router
Course Agenda
- Module 1: Understanding Multi-WAN and SpeedFusion. Brief description of Peplink/Pepwave’s most important technologies.
- Module 2: Peplink and Pepwave Products Overview. Introduction of Peplink and Pepwave products.
- Module 3: Balance and MAX Routers. Exploring different configuration scenarios with Balance and MAX routers.
- Module 4: Wireless Access Point. In-depth configuration guide for Wireless Access Points.
- Module 5: Surf Series. Explanation and setup instructions for the Surf Series.
In this chapter, we will focus on how SpeedFusion functions, its distinguishing features/benefits, and its implementation scenarios.
A well-designed VPN provides a business with the following benefits:
- Extended connectivity across multiple geographic locations without using a leased line
- Improved security for exchanging data
- Ability for remote offices and employees to use the business intranet over an existing Internet connection as if they were directly connected to the network
- Savings in time and expense for employees to commute if they work from virtual workplaces
- Improved productivity for remote employees

Examples of VPN usage include accessing resources only available in HQ (file or print sharing) and some restricted internal applications that require a VPN to be established.
Peplink’s Unbreakable VPN uses multiple WAN connections to keep VPNs up and running when a connection fails. Powered by our patent-pending SpeedFusion technology, Unbreakable VPN automatically and seamlessly moves VPN sessions to standby WAN links when active links drop out. All this is transparent to users, making all VoIP calls and video streams run flawlessly. Your business continues, uninterrupted. SpeedFusion VPN is useful for Public Transport, Video Streaming, Mobile Command, Branch-to-HQ, and Rural Areas. It is applicable anywhere you need a reliable VPN connection.
Introducing the World’s Easiest VPN

PepVPN is our core VPN engine. It is ideal for establishing a secure tunnel over any WAN link. On top of all the benefits of IPsec and other conventional VPN technologies, the PepVPN engine also offers:
- Long-distance Ethernet cable − You can easily build a secure and seamless Ethernet tunnel over any IP connection (Layer 2 over Layer 3). It virtually provides a long-distance Ethernet cable over any WAN link.
- Seamless transition − PepVPN and SpeedFusion share the same core VPN engine, meaning that all your PepVPN and SpeedFusion-enabled devices will work flawlessly together. It also allows you to easily upgrade a PepVPN endpoint to SpeedFusion, taking advantage of the added benefits without worrying about compatibility.
- Works in any dynamic IP environment − PepVPN is fully compatible with any dynamic IP environment and NAT, allowing you to establish a VPN behind a NAT gateway or firewall without worrying about static IP addresses.

This technology can be applied to SOHO and Mobile Office; any environment that requires reliable connectivity, without using multiple low-cost Internet links for their business operations via VPN. Even if you have one encrypted peer and another not encrypted, PepVPN will still create an encrypted tunnel. Because PepVPN is easy to set up, no technical assistance is needed on-site.
SpeedFusion Hot Failover − Unbreakable VoIP and VPN

SpeedFusion Hot Failover is a premium add-on that manages multiple redundant connections to keep VPNs and VoIP deployments up and running at all times.
- Easy setup − Just add connections; you can even mix wired and wireless technologies.
- Unbreakable VoIP and VPN − With other VPN technologies, WAN failover terminates existing VPN connections, creating costly downtime. SpeedFusion Hot Failover prevents this by maintaining secure tunnels over all available WAN links. In case of a WAN failure, SpeedFusion Hot Failover will instantly and seamlessly switch traffic to another available tunnel. This creates unbreakable VPNs and VoIP sessions.

For scenarios that require uninterruptable connections (like Mobile Command, POS, ATM, and VoIP deployments), SpeedFusion Hot Failover provides an always-on VPN link that helps these applications run smoothly. The “make-before-break” mechanism built into SpeedFusion Hot Failover VPN provides a transparent switch-over: if there is any link failover or link recovery, the user will not notice any interruptions. This cannot be accomplished with any other VPN solution in the market.
SpeedFusion Bonding − Packet-Level Bandwidth Bonding

Working hand-in-hand with Hot Failover and PepVPN, SpeedFusion Bonding builds a fat tunnel using all your connections, giving you blazing throughput whenever you need it.
- Multi-WAN bandwidth bonding − SpeedFusion Bonding combines multiple links from multiple providers into a single, superfast tunnel.
- VPN Bonding − SpeedFusion Bonding can create high speed VPNs by bonding multiple WAN links together.
- Unbreakable Session Hot Failover − SpeedFusion Bonding monitors connections and automatically turns control over to Hot Failover when links become unstable.
- Packet Level Bandwidth bonding − The packets of your session are distributed across all your available links.
- Layer 2 Tunneling − SpeedFusion operates on Layer 2, bonding your available links at the data link layer.
- Easy, on-demand scalability − Need more speed for mission-critical VPNs? How about temporary bandwidth for a specific project? With SpeedFusion Bonding, you can plug in connections from any provider and get more speed, whenever you need it.
- Instant Bandwidth Control − You can unplug connections at any time, keeping your costs under control.

HQ-to-Branch, on-the-field news video streaming, high speed public transport (e.g. train): all of these applications need high bandwidth and reliable links to push high volumes of data back to their HQ/Media Center/Control Center for processing. SpeedFusion Bonding is able to combine multiple Internet lines into one logical big pipe to carry the information over.
This table compares the features of IPSec, PepVPN, SpeedFusion Hot Failover and SpeedFusion Bonding
We will now explore the application of SpeedFusion, with various case studies.
1) MPLS Replacement
2) Branch Network Connection
3) SpeedFusion 3G/4G Bonding
4) Video Transmission in the Air
5) Data Transmission over Water
6) Replace Expensive Satellite Connection
7) Mission Critical Video Surveillance
8) 100% Uptime for First Responders
9) Money Saving on Branch Network Connections
10) Flawless Connections in Remote Areas
Peplink is the leader in Internet load balancing and VPN bonding solutions. Peplink Balance Multi-WAN Routers have been deployed around the world, helping thousands of customers increase their bandwidth, enhance their internet reliability, and reduce their costs. Our complete product line accommodates businesses of all sizes, providing an award-winning Internet experience for customers.

Pepwave is the proven market leader in delivering specialized wireless solutions for industrial networking services, wireless mobility services, internet service providers, and professional hotspot providers. As an innovator in wireless technology solutions, Pepwave operates in global cooperation with distributors, system integrators, ODM partners, and strategic allies.
Course Agenda
• Module 2: Peplink and Pepwave Products Overview. Introduce Peplink and Pepwave product suite.
We offer five major categories of products:
1. Multi WAN Router
2. Cellular Router
3. Enterprise Access Point
4. Carrier Grade Access Point
5. SOHO Router
6. Router Utility
Peplink and Pepwave solutions cover different market segments, ranging from SOHO, Mobile Office, Small Office, Branch Office, Regional Office, and HQ-level Data Centers.
Target Market Segments for Balance Products

1) Power User and Home User - Balance 20 & 30
- 2 to 3 WAN interfaces, with 1 USB for Mobile Internet dongle
- 25 max users recommended

2) Small Business - Balance 210 & 310
- 2 to 3 WAN interfaces, with 1 USB for Mobile Internet dongle
- 50 max users recommended
- Comes with SpeedFusion Bonding, up to 2 SpeedFusion peers max

3) Mid-Size Business - Balance 305, 380 & 580
- 19” rack mount form factor
- Up to 500 users max recommended for 305 & 380, while 580 can support up to 1,000 users max
- Models 305 (with separate license) & 380 support 20 SF peers max, while 580 supports 50 SF peers max
- Can act as WLAN Controller by default, supporting 10 Access Points by default
- Can manage up to 50 (Model 305 & 380) and 100 (Model 580) APs with a separately purchased license

4) Large Enterprise - Balance 710 & 1350
- 19” rack mount form factor
- 710 can support 2,000 users max, while 1350 can support up to 5,000 users max
- Model 710 supports 300 SF peers max, while 1350 supports 800 SF peers max
- Can act as WLAN Controller by default, supporting 20 Access Points by default
- Can manage up to 250 (Model 710) and 500 (Model 1350) APs with a separately purchased license
A. Internet Load Balancing

By balancing Internet traffic over active links, Peplink Balance gives you extra reliability. Peplink gives you seven Load Balancing Algorithms to fine-tune your network traffic. The following types of Outbound Traffic Rules are available:
• Weighted Balance
• Persistence
• Enforced
• Priority
• Overflow
• Least Used
• Lowest Latency
B. Inbound Load Balancing

Inbound Load Balancing distributes inbound data traffic over multiple WAN links to computers behind Peplink Balance. Peplink Balance 210, 310, 380, 390, 580, 710, and 1350 have a built-in DNS server that enables this functionality. Authoritative DNS functionality is not available on Peplink Balance 20 and 30. Inbound Load Balancing is configured via both of the following:
• DNS records configured within Peplink Balance
• External DNS records at an Authoritative DNS Server
Site-to-Site VPN Bonding in Mesh Scenario
- All offices are connected to each other
- Highly reliable network with bonded links and encrypted traffic
- Communication between offices has never been faster
- All offices deployed with Balance 380 model
Site-to-Site VPN Bonding in Star Scenario
- Headquarters serves as the central site
- Bonded VPN for reliable and uninterrupted VPN services
- Fast and convenient way to securely transfer data to the transaction server
- HQ installed with Balance 1350
- Supermarket POS deployed with Balance 380
- ATM in subway station equipped with Balance 210
- Shopping mall POS will need Balance 310
- ATM in branch can be installed with MAX Mobile Router
For existing Balance customers who wish to implement a WLAN solution, Peplink can help save significant money and effort. From the model 305, 580 and onwards, the Balance comes with built-in AP management. This makes deploying Pepwave APs much easier and more affordable. In this example, the Balance Multi-WAN router can serve three roles: it is a WAN load balancer, a Wireless LAN Controller, and when needed, a site-to-site VPN termination point as well.
Product Market Positioning

1) MAX On-The-Go
Comes with 3 SKUs:
- The lowest SKU connects a single USB modem
- The second SKU allows 4 USB modems with Hot Failover
- The highest SKU allows SpeedFusion Bonding in addition to the 4 USB modems
- This product is good for mobile offices that reside in rural areas without access to cable internet

2) MAX BR1
- Rugged metal case is suitable for industrial-grade usage
- Comes with 2 SKUs, with 3G WAN and 4G-LTE modems built in
- Supports a redundant SIM with dual SIM slots, providing failover functionality between them.*
- Built with terminal block for reliable power sourcing, and a rugged 10V-32V DC power supply to be deployed in mobile vehicles
- Ideal for mobile command, high speed public transport, and harsh environment deployment
- Advanced Car-Fi Roaming + IPsec X.509 Certificate Support (only available for BR1 as add-on feature)
3) MAX 700
- Rugged metal case is suitable for industrial-grade usage
- Supports up to 7 WAN links (2 Wired, 4 USB, 1 WiFi)
- Built with terminal block for reliable power sourcing, and a rugged 10V-32V DC power supply to be deployed in mobile vehicles
- Ideal for on-the-field media streaming and live broadcasting deployments that require bigger bandwidth

4) MAX HD2
- Rugged metal case is suitable for industrial-grade usage
- Comes in 2 variants, with built-in 3G and built-in 4G-LTE modems
- Supports up to 6 WAN links (2 Wired, 2 Cellular, 1 USB, 1 WiFi)
- Built with terminal block for reliable power sourcing, and a rugged 10V-32V DC power supply to be deployed in mobile vehicles
- Ideal for on-the-field media streaming and live broadcasting deployments that require bigger bandwidth
- If GPS is enabled, both (or any one of its) SMA antenna ports can be used to locate GPS signal and position

5) MAX HD2 IP67
- IP67 waterproof enclosure ideal for outdoor applications
- 2x embedded cellular modems, each with redundant SIM slots, securely installed inside the unit
- Comes in 2 variants, with 3G and 4G-LTE modems built in, with options of Verizon and AT&T, AT&T/Telcel/Rogers, and Worldwide carrier
- Uses a 10V-30V DC power supply
- Ideal for machine-to-machine communication, surveillance, military and other mission-critical outdoor applications, the MAX HD2 IP67 is as comfortable on a construction site, oil platform, disaster scene, or factory floor as it is on a battlefield
MAX Routers power redundancy

For models which come with dual power sources (DC Jack & Terminal Block), these serve as input power redundancy. If any one of the power sources is interrupted while the other is active, the MAX router will continue to operate without being affected by the power disruption.

*Please note that redundant SIM does not equal two cellular modems. That is, only one SIM can be active at any time; you will not be able to get better throughput or load balancing by filling both SIM slots.
MAX Router Deployment Scenarios

SpeedFusion Bonding (on MAX HD2)
- Deploy multiple low cost 3G connections
- Save money, enjoy higher bandwidth, avoid dead spots
- Seamless failover ensures reliable video stream from mobile sites to HQ

Hot Failover (MAX BR1 or HD2)
- Everywhere LTE
- Ensures optimal performance by choosing the carrier with the best signal
- Saves money by using only one carrier at a time
- Hot failover ensures flawless video stream from mobile sites to HQ

GPS Fleet Tracking (MAX BR1 or HD2)
- Homeland security
- Monitor and coordinate fleet vehicles wherever they may be
- Hot failover ensures flawless video stream from mobile sites to HQ
Features At A Glance

Network
- Bridge Mode, Router (NAT) Mode, Wireless Distribution System (WDS), Support for PPPoE, Static IP, DHCP, Management VLAN (802.1p), Spanning Tree Protocol (802.1d)
- Support up to 16 Wireless Network SSIDs configured, and it can broadcast up to 4 SSIDs concurrently

Client Management
- Per SSID: VLAN with QoS (802.1p/802.1q), Bandwidth Control, MAC Address Filtering, Layer 2 Client Isolation, Limit on Max. Number of Client
- Per Client: VLAN with RADIUS, VLAN with VLAN Pool, Bandwidth Control, Multicast Filter, IGMP Snooping/Multicast Enhancement

AP Security
- Open, WEP, 802.1x with Dynamic WEP, WPA-PSK/RADIUS, WPA2-PSK/RADIUS

Complete VPN Solution
- PepVPN, Site-to-Site VPN, 256-bit AES Encryption, Pre-shared Key Authentication, Dynamic Routing
Captive Portal

Device Management
- Web Administrative Interface, InControl Cloud Management, Peplink Balance WLAN Controller, SNMP v1, v2c and v3
Pepwave AP One access points offer fast, affordable, and dependable wireless networking without administration headaches. Ready for anything and built to go anywhere, AP One access points deliver enterprise-grade Wi-Fi that drops in quickly and immediately gets to work -- so you can get back to your work. Minimize Wi-Fi management hassles with the AP One series and the Peplink Balance with WLAN Controller. Fully integrated with the Peplink Balance, our WLAN Controller makes it easy to configure, manage, update, and report on up to 500 AP One devices from a single intuitive interface. Prefer the flexibility of cloud-based administration? Our InControl remote management system gives you complete control over every device on your network and in-depth reporting with just a few clicks, all from a simple, yet powerful, web-based tool that’s available anywhere you have online access and a supported browser.
Here are four different deployment scenarios for the AP One wireless solution.
- Professional Hotspots – coupled with the Balance WLAN Controller (or InControl cloud management) feature, the AP One and AP One X can be deployed effectively as a professional hotspot solution. No expensive controllers required.
- Wireless Mobility – Pepwave wireless solutions make wireless applications in high speed environments a budget-friendly reality.
- Service Provider Wi-Fi – the AP One can help you deploy a carrier grade wireless solution; install many for citywide Wi-Fi CPEs. The range of these devices leads the industry.
- Industrial Networking – the AP One series allows IP devices to stay connected wirelessly over long distances. It provides reliable wireless for data devices.
Highlights of Flex AP Features
• World’s First AP with Software Selectable, Embedded Directional and Omni Antennas
• Power up to two Devices from a Single Source
• Central Management, Anytime, Anywhere
• Reliability in Extreme Environments
• Connect Worldwide without External Modems
Flex AP – Operating Mode and Antenna
• Flex AP can operate in Routing or Bridge mode
• Flex AP has built-in 2x2 MIMO 802.11n, with a switchable omni- or uni-directional WiFi antenna
• The 3G and Dual 3G models come with a cellular antenna, while LTE models need 2 antennas to operate
• It can operate up to 4 antennas simultaneously on the Dual 3G model, to allow maximum signal coverage and bandwidth
The Pepwave Surf SOHO is a professional-grade Wi-Fi router designed for home office, small business, and power users. With its support for 4G LTE/3G, cable, DSL, and other broadband connections, the Surf SOHO makes it possible to deploy fast and secure 802.11abgn Wi-Fi hotspots anywhere. The Surf SOHO also features a built-in long-range antenna, optional external antennas, business-class VPN, cellular usage monitoring, and URL blocking. This makes it an ideal networking solution for a wide range of mobile and office uses.
Unlimited Wi-Fi. Anytime, Anywhere Connectivity for Every Device. Pepwave Surf combines enterprise-level performance and features with outstanding durability and versatility. The Surf Pro, our carrier-grade outdoor client solution, is ruggedized and features a high-gain, extended-range antenna, making it ideal for video surveillance, traffic signal control, meter reading, and other outdoor applications. For indoor wired/wireless connectivity, there's our Surf On-The-Go, the ultimate travel router. The Surf On-The-Go's Wi-Fi radio lets you connect an unlimited number of wireless devices at once. Built-in Ethernet port ensures that no printer, scanner, or other wired device gets left behind, and multiple connection profiles make device management a snap.
4 Operating Modes
• 4G/3G USB Wi-Fi Router
• Cable / DSL / Ethernet Wi-Fi Router
• Wi-Fi Repeater
• Wi-Fi Adapter for Wired Devices

3 WAN Modes
• WiFi WAN
• USB Cellular WAN
• Wired WAN
True Enterprise AP. Powerful, Affordable, Elegantly Simple. Pepwave AP One access points set up quickly and deliver fast, affordable, and reliable enterprise networking without administration headaches. TruePower RF Technology eliminates dead spots and provides wider signal coverage with less equipment and maintenance. Secure Captive Portals reinforce your brand and ensure the best possible online experience for employees and visitors alike. Management is easy, too: just add a Peplink Balance router and use the Balance's integrated WLAN Controller to manage up to 500 indoor (AP One/AP One 300M) and outdoor (AP One X) access points from a single intuitive interface. With this powerful combo, you get instant access to all devices across your headquarters, district offices, and branches.
Industrial-Grade Reliability. Unmatched Peace-of-Mind. No matter what your industry, Pepwave offers a durable, rock-solid networking solution to help you get the job done. Ruggedized and certified for harsh environments, the MAX series handles temperatures of -40 to 65°C and resists shock and vibration on factory floors, remote job sites, and anywhere you need tough, ready-for-anything connectivity. Add the compact and capable outdoor Flex AP to stay connected at all times with a built-in high-gain Wi-Fi antenna, embedded 3G/4G LTE, and dual Ethernet ports. Stepping up to the AP Pro offers enhanced signal coverage, extreme environment tolerance, and lightning/surge protection.
Complete WAN, VPN and Wireless Integration

This deployment scenario illustrates how Peplink MAX routers, AP One and Flex AP work together to enable wired and wireless connectivity in a reliable and cost-effective way. Adding the Balance will also provide robust and high bandwidth VPN connectivity to the wireless mobility devices. In addition, the AP One access point can be managed centrally either through the WLAN Controller built into the Balance, or the InControl cloud management tool.
Router Utility - Peplink Mobile Application

The RU (Router Utility) helps to monitor and control all your Balance and MAX routers* from any iOS or Android device. Ready when you are, wherever you are, the Router Utility app gives you instant insight into device status, events, bandwidth usage, and more. With full support for push notifications, you’ll know immediately whenever there’s an important status change or performance issue, helping you to keep small glitches from becoming major problems.

Keep Traffic Moving with Anywhere, Anytime Green Light Checks. Check the status of all your Balance and MAX routers with the Router Utility’s dashboard and traffic light indicators. With just a quick glance, you get the peace of mind of knowing that your network’s healthy. And if there is a problem, it’s easy to drill down and inspect SpeedFusion VPN parameters, bandwidth statistics, CPU load, and more from any iOS or Android device.

Monitor and Control from the Palm of Your Hand.
- Check Device Status - Monitor WAN Status, External IP Addresses, and SpeedFusion VPN Links.
- Inspect Event Logs - Keep an eye on router event logs using any iOS or Android device.
- View Bandwidth Statistics - Get up-to-the-minute insight on bandwidth usage and throughput across your WAN.

Maximum Mobile Control at Your Fingertips. Our Router Utility gives you new ways to monitor and control your MAX mobile router anywhere you can use your device.
- See How You’re Connected - Just check the Router Utility’s dashboard on your device to instantly see which SIM and cellular provider your MAX mobile router is using.
- Adjust Connection Priorities on the Fly - Simply tap and swipe to connect your MAX to a Wi-Fi hotspot or change 4G LTE/3G connection priorities.
- Automatic Cellular WAN Status and SpeedFusion Alerts - Keep tabs on cellular WAN and SpeedFusion status with push notifications on your iOS or Android device.
This module will examine different real life deployment scenarios, and describe how to configure the routers to achieve the desired result.
Course Agenda
Module 3: Peplink Balance and MAX Routers Configurations. Study how Balance and MAX routers fit into the various deployment scenarios, and explain the steps to configure these routers.
Physical hardware layout and control panel for the Balance high-end model. Below are some of the frequently used functions in Control Panel navigation (based on the Balance 380 model):

HA State: Master/Slave
> LAN IP
> VIP
System Status
> System
-> Firmware ver. (shows firmware version)
-> Serial number (shows serial number)
-> CPU load (shows current CPU loading, 0-100%)
-> LAN
---> Status (shows LAN port physical status)
---> IP address (shows LAN IP address)
---> Subnet mask (shows LAN subnet mask)
> Link status (shows Connected/Disconnected, IP address list)
-> WAN1
-> WAN2
-> WAN3
> Link usage
-> Throughput in (shows transfer rate in Kbps)
---> WAN1
---> WAN2
---> WAN3
-> Throughput out (shows transfer rate in Kbps)
---> WAN1
---> WAN2
---> WAN3
Maintenance
> Reboot
> Reboot? (Yes/No) (to reboot the unit)
> Reset Admin Password? (Yes/No)
> Factory default
> Factory default? (Yes/No) (to restore factory defaults)
> Remote Assistance

NOTE: For models below 310, there is no feature to reset the admin password through the Control Panel; it is only available for models from 310 and above.
Out of the box, the Peplink Balance comes with the following default settings:
• IP: 192.168.1.1/24
• Username: admin
• Password: admin
• LAN DHCP: Enabled
• DHCP IP Range: 192.168.1.10 – 192.168.1.250
In the diagram above, the switch is optional for connecting to the Peplink Balance. You can plug the UTP cable directly from a PC/notebook into the Balance LAN port for the same purpose.
After entering the parameters correctly, you will be able to log in to the Web Admin page. The Dashboard provides an overview of several key parameters:
• WAN interfaces connectivity status
• LAN interface connectivity status
• System Uptime
• System CPU Load, in %
• Device Throughput, in Mbps
On the Status page, there are a few items to take note of:
• Router Name
• Model
• Hardware Revision
• Serial Number
• Firmware

Diagnostic Report Download
• You can download a copy of the diagnostic report for your reference on the status page

Bandwidth Statistic Display
On the status page, you can view the following information:
• Bandwidth usage, showing who consumed the most traffic
• Top user running the most sessions
• Which user is running active BitTorrent traffic
• Who is currently consuming the most bandwidth on an individual WAN
Understanding Peplink Site-to-Site VPN

The proprietary Site-to-Site VPN of Peplink Balance (a.k.a. VPN Bonding) is specifically designed for a multi-WAN environment. The Peplink Balance can aggregate the bandwidth of all WAN connections available for routing VPN traffic. Unless all the WAN connections of one site are down, the Peplink Balance can still keep the VPN up and running.
- Peplink Site-to-Site VPN encrypts traffic with the military-grade 256-bit AES algorithm.
- Site-to-Site VPN is available with the Peplink Balance 210, 310, 380, 580, 710, and 1350.
- The Peplink Balance 380/580/710/1350 supports multiple Site-to-Site VPN connections among twenty or more locations, and is designed for Headquarters/Regional Offices.
- The Peplink Balance 210/310 supports two Site-to-Site VPN connections; ideal for Branch Offices.
- Site-to-Site VPN connections can be established for all Dynamic IP/Static IP scenarios. Please refer to the Requirement section for more information.

Being able to establish multiple VPN connections provides variety and flexibility in deploying your network. You may choose to create a network in a Mesh or Star topology, or you may even combine the two setups to create a more complex network.
System Requirement for Site-to-Site VPN Configuration

When configuring a VPN connection, there are two aspects to consider:
• Whether the WAN connection has a Dynamic IP or Static IP.
• Whether the Peplink Balance unit has a Public IP or is behind NAT.

This creates four possible WAN types you can use to establish the VPN connection. Peplink Balance supports all four types. However, to establish a VPN connection using Dynamic IP WAN connections, you have to configure at least one Dynamic DNS.
• WAN has a Dynamic IP and the Peplink Balance has a Public IP.
• WAN has a Static IP and the Peplink Balance has a Public IP.
• WAN has a Dynamic IP and the Peplink Balance is behind NAT.
• WAN has a Static IP and the Peplink Balance is behind NAT.

The table above illustrates the system requirement for configuring a Peplink Site-to-Site VPN connection.

For users who have placed a firewall in front of the Balance: In Firmware 5.1.x, Peplink proprietary Site-to-Site VPN used TCP port 32015, IP Protocol 47 and IP Protocol 99 for establishing VPN connections. If you have a firewall in front of the Peplink Balance devices, you will need to add firewall rules for these ports and protocols. This will allow inbound and outbound traffic to pass through the firewall.

Another point to note: if both sides of the SpeedFusion VPN have the same LAN subnet, this will prevent the SpeedFusion tunnel from being established, just as with any other 3rd party VPN technology.
SpeedFusion Configuration Guidelines
When configuring a SpeedFusion VPN connection, there are a few items to be aware of:
• LAN Subnet – Avoid having the same LAN subnet on both ends of the SpeedFusion tunnel; this will prevent the tunnel from establishing a successful connection. Change the LAN subnet on either side to different IP addresses. You can also consider using a NAT device.
• WAN Connection Priority – You can specify the priority of the WAN connections to be used in making VPN bonding connections. A WAN connection will never be used when OFF is selected. Only available WAN connections with the highest priority will be utilized. Grouping WAN connections with similar characteristics, such as latency and packet loss, into the same priority can help bonding performance.
• SpeedFusion Bonding Efficiency – To establish a reliable SpeedFusion Bonding VPN, there are a few parameters to consider, e.g. good cellular signal strength, low-latency WAN links, low packet loss, and minimal buffer bloat at the ISP will help to build an effective bonding VPN tunnel.
• Cellular Bandwidth Availability – It is always good to subscribe to two different ISPs/carriers when you want to establish SpeedFusion 3G/4G Bonding with a MAX router. For example, when all modems connect to the same cell (RF tower), total bandwidth is limited by the cell tower backhaul's bandwidth. If the modems connect to different cells (RF towers) from different carriers, theoretically this can provide double the bandwidth compared to one ISP.
With our new three-tier structure, it’s never been easier to migrate to SpeedFusion. Once you use it, you will see why customers around the world have replaced IPsec and other conventional VPN technologies. Note: 1
With other VPN technologies, WAN failover terminates existing VPN connections, creating costly downtime. SpeedFusion Hot Failover is completely automatic and invisible, so you won’t miss a beat when switching between connections.
Possibly the World’s Easiest VPN.
PepVPN is our core VPN engine. It is ideal for establishing a secure tunnel over any WAN link. On top of all the benefits of IPsec and other conventional VPN technologies, the PepVPN engine also offers:
Long-distance Ethernet cable − With PepVPN, you can build a secure and seamless Ethernet tunnel over any IP connection (Layer 2 over Layer 3). It virtually provides a long-distance Ethernet cable over any WAN link.
Seamless transition − PepVPN and SpeedFusion share the same core VPN engine. This means all your PepVPN and SpeedFusion devices will work flawlessly together. It also allows you to easily upgrade a PepVPN endpoint to SpeedFusion, taking advantage of the added benefits without having to worry about compatibility.
Works in any dynamic IP environment − PepVPN is fully compatible with any dynamic IP environment and NAT, allowing you to establish a VPN behind a NAT gateway or firewall without worrying about static IP addresses.
Requirement: The portrayed scenario shows a typical remote-to-HQ VPN connection, where SpeedFusion PepVPN allows site-to-site VPN connections with auto-failover capability. WiFi WAN is the primary link for the VPN; when WiFi WAN is down, WAN 5 (Wired WAN) will take over the VPN connection automatically. This change is transparent to users.
To create a SpeedFusion VPN tunnel, follow the steps below:
1) Go to Network > SpeedFusion. If this is the first time a SpeedFusion VPN is being created, a SpeedFusion window appears and asks for the Local ID.
2) Enter a Local ID; the remote VPN peer will use this ID to identify this unit during VPN establishment.
3) Click the Save button, then click the New Profile button to proceed.
The above steps apply to both remote and HQ Balance router configurations.
The VPN profiles at both HQ and Remote sites are shown above.
HQ VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name; this name should be the same on both sides, e.g. MY-MOTG.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite side.
3) At the WAN Connection Priority window, choose the WAN links that should be included in the SpeedFusion VPN tunnel; in this case WAN 1 & 2 are bonded together.
4) Save and apply the changes.
Remote Site VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name; this name should be the same on both sides, e.g. MY-MOTG.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite side.
3) For the remote site, you need to enter at least one Public IP (or DNS/DDNS) of the HQ router WAN link; if HQ has multiple WAN links with static Public IPs, you can key in all the IPs.
4) Choose the WAN links that should be included in the PepVPN tunnel. Since this is PepVPN, it only supports normal failover. WiFi WAN is set to Priority 1, while WAN 5 is Priority 2.
5) Save and apply the changes.
Note: It is important to enter the Remote ID correctly (either the router ID or the Serial Number), otherwise the SpeedFusion tunnel cannot be established. Error messages similar to "Refused connection made from unknown peer (foobar)" or "Refused connection made from unknown peer (XXXX-1234-ABCD)" indicate that a wrong ID/Serial No. was entered at one or both routers.
If Encryption is accidentally turned off on one of the routers, the VPN tunnel will still be encrypted in both directions, as the other router will trigger encryption to be turned on at both ends.
Once the VPN profile has been created on both sides, and if the WAN links are up, the routers will automatically initiate the VPN connection. If all the parameters are correct, it will take only a few minutes. As shown in the screenshots, at the Dashboard page, the status of the VPN connection will change to “Established”, indicating a successful VPN connection.
To verify which links are participating in the VPN connection, you can click on the Status button in the SpeedFusion or PepVPN section as shown in the screen capture. It also lists the network(s) learned from the other side via the built-in routing protocol. HQ will see the 192.168.0.0/24 network from the Remote router, and Remote will learn the 10.0.0.0/8 network from the HQ side. In our screencaps, the HQ side router is using WAN 1 for the VPN connection, while the remote site is using WiFi WAN as the VPN link.
To ensure the end-to-end connectivity is up, a PING test to the other side host (LAN IP) should receive a response as shown above.
Ping Test:
1) HQ side ping to Remote LAN IP: 192.168.0.11
• Passed or Failed
2) Remote side ping to HQ LAN IP: 10.0.0.10
• Passed or Failed
With PepVPN, the failover process is carried out automatically.
Failover Test:
1) Unplug WAN 1 at HQ, and/or
2) Disconnect the WiFi WAN at Remote
3) Observe the changes to the routers
Failover Test Result:
1) HQ side WAN 2 will take over, maintaining the VPN connectivity
2) Remote site WAN 5 will resume the VPN link
Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
• Passed or Failed
SpeedFusion Hot Failover − Unbreakable VoIP and VPN.
SpeedFusion Hot Failover is a premium add-on that manages multiple redundant connections to keep VPNs and VoIP deployments up and running at all times.
Easy setup − Just add connections; you can even mix wired and wireless links of different WAN technologies.
Unbreakable VoIP and VPN − With other VPN technologies, WAN failover terminates existing VPN connections, creating costly downtime. SpeedFusion Hot Failover prevents this by maintaining secure tunnels over all available WAN links. In case of a WAN failure, SpeedFusion Hot Failover will instantly and seamlessly switch traffic to another available tunnel. This provides unbreakable VPNs and VoIP sessions.
Requirement: A customer with branch-to-HQ connections often runs delay-sensitive applications like VoIP, so it needs fast-failover VPN connectivity to ensure the VoIP session is not interrupted if any of the WAN links breaks. The following set-up will fulfill this requirement:
- A MAX BR1 installed at branch level with Wired and WiFi WAN,
- A Balance 380 deployed in HQ with 2 wired WAN (e.g. Metro-e) with a static Public IP assigned at each WAN link.
The user interface is the same across the MAX router series. Assuming we take the same HQ setup as in the previous example, the VPN profile creation process is the same except that the name is changed to MY-MaxBR1. Here are the steps for creating a VPN profile on the MAX BR1. At the MAX BR1 router, go to Advanced > SpeedFusion to create the VPN profile.
VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name; this name should be the same on both sides, e.g. MY-MaxBR1.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite side.
3) For the remote site, you need to enter at least one Public IP (or DNS/DDNS) of the HQ router WAN link; if HQ has multiple WAN links with static Public IPs, you can key in all the IPs.
4) The MAX BR1 WAN link supports Hot-Failover, so the SpeedFusion VPN will follow the state of the WAN link in order to maintain the VPN link (e.g. if WAN 1 is active and WAN 2 is standby, the SpeedFusion VPN will use WAN 1 as the primary link to forward VPN traffic, while keeping WAN 2 in hot standby mode).
5) Save and apply the changes.
Once the VPN profile is created on both sides, and if the WAN links are up, the routers will start negotiating the VPN connection. If all the parameters are correct, the VPN will come up in minutes. As shown in the screenshots, on the Dashboard page, the status of the VPN connection will change to “Established”, indicating a successful VPN connection.
Failover Test:
1) Before starting the test, at the Remote site, launch the command prompt window and conduct a continuous ping to HQ LAN IP (10.0.0.10)
2) Unplug WAN 1 at Remote (MAX BR1)
3) Observe the changes at the routers
Failover Test Result:
1) Remote site WiFi WAN will resume the VPN link
2) Any timeout during failover? Yes or No
Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
• Passed or Failed
The SpeedFusion Hot Failover recovery process should have no timeout.
Recovery Test:
1) Before starting the test, at the Remote site, launch the command prompt window and conduct a continuous ping to HQ LAN IP (10.0.0.10)
2) Plug back the WAN 1 at Remote (MAX BR1)
3) Observe the changes at the routers
Recovery Test Result:
1) WAN 1 will resume the VPN link
2) Any timeout during failover? Yes or No
Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
• Passed or Failed
To monitor the SpeedFusion Hot-Failover and recovery process, you can view the SpeedFusion Status window.
1) Go to the Dashboard and click on the Status button in the SpeedFusion section
2) Click on the blue triangle beside MY-MaxBR1 to expand the statistics
3) Monitor the changes in the WAN status during the failover and fallback
SpeedFusion Bonding − Packet-Level Bandwidth Bonding.
Working hand-in-hand with Hot Failover and PepVPN, SpeedFusion Bonding teams up all your connections to give you blazing throughput whenever you need it.
Multi-provider bandwidth bonding − SpeedFusion Bonding combines multiple links from multiple providers into a single, superfast tunnel.
Automatic Hot Failover handoff − SpeedFusion Bonding monitors connections and automatically turns control over to Hot Failover when links become unstable.
Easy, on-demand scalability − Need more speed for mission-critical VPNs? How about temporary bandwidth for a specific project? With SpeedFusion Bonding, you can plug in connections from any provider and get more bandwidth instantly. And you can unplug connections at any time, keeping your connectivity costs under control.
Requirement
SpeedFusion VPN Bonding technology is particularly useful for customers with a higher volume of VPN traffic between sites. It ensures that the VPN link is aggregated into a bigger pipe while at the same time providing reliability. In this example, we will install a Balance 310 at the branch level, while HQ stays with the Balance 380. We also configure the Balance 310 in Drop-In mode, assuming the branch has an existing infrastructure setup.
We take the same HQ setup as in the previous example; the VPN profile creation process is the same except that the name is changed to MYKL-VPN. Here are the steps to create the VPN profile in MAX BR1. At the branch router (Balance 310), go to Network > SpeedFusion to create the VPN profile.
VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name; this name should be the same on both sides, e.g. MYKL-VPN.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite side.
3) For the remote site, you need to enter at least one Public IP (or DNS/DDNS) of the HQ router WAN link; if HQ has multiple WAN links with static Public IPs, you can key in all the IPs.
4) The Balance 310 is capable of VPN Bonding, so choose the active WAN links from the WAN Connection Priority section to be bonded by the SpeedFusion VPN; this example will use WAN 1 & 2 to forward VPN traffic.
5) Save and apply the changes.
Once VPN profiles have been created on both sides, and if the WAN links are up, the routers will start negotiating the VPN connection. If all the parameters are correct, the VPN will be online in a minute's time. As shown in the screenshots, at the Dashboard page, the status of the VPN connection will change to “Established”, indicating a successful VPN connection.
Failover Test:
1) Before starting the test, at the Remote site, launch the command prompt window and conduct a continuous ping to HQ LAN IP (10.0.0.10)
2) Unplug WAN 2 at Remote router (Balance 310)
3) Observe the changes at the routers
Failover Test Result:
1) Any timeout during failover? Yes or No
Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
• Passed or Failed
To monitor the SpeedFusion Hot-Failover and recovery process, you can view the SpeedFusion Status window.
1) Go to the Dashboard, click on the Status tab at the top, and then the SpeedFusion tab on the side
2) Click on the blue triangle beside “MYKL-VPN” (or the name of your VPN) to expand the statistics
3) Monitor the changes in the WAN status during the failover and fallback
The SpeedFusion Hot Failover recovery process should have no timeouts.
Recovery Test:
1) Before starting the test, at the Remote site, launch the command prompt window and conduct a continuous ping to HQ LAN IP (10.0.0.10)
2) Plug back the WAN 2 at Remote router (Balance 310)
3) Observe the changes at the routers
Recovery Test Result:
1) WAN 1 resumes the VPN link
2) Any timeout during failover? Yes or No
Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
• Passed or Failed
Ethernet-easy WAN
Unlike traditional WAN technologies, PepVPN works with any IP connection, sets up in minutes, and requires almost no maintenance. It connects sites, regardless of the distance, with a lightning-quick 256-bit AES-encrypted tunnel. It is 100% compatible with all your Peplink/Pepwave devices. PepVPN is so fast and easy to use, it’s like having everyone on the same LAN, connected by Ethernet cables. PepVPN eliminates the 100-meter limitation. In fact, it eliminates any distance limitations, so go ahead and do business anywhere you please – across town, throughout the country, around the globe.
Requirement
Many companies need to mobilize a team at a project site while keeping the team connected to the company network. However, some systems in their company don’t work well in a routed environment or over a VPN (e.g. NetBIOS, mainframe-based applications, and even VMware SRM). In these situations, the solution is to extend the office network to the project site using the SpeedFusion Long Distance Ethernet VPN solution. In this scenario, they are deploying a Balance 380 at HQ, and a MAX On-The-Go (MOTG) at the remote site. The HQ’s LAN IP (192.168.125.0/24) will be extended to the remote site, with DHCP enabled to assign IPs to remote hosts.
Extending the HQ LAN to the remote site can be done using the SpeedFusion L2 approach. These screencaps show the VPN profiles at both HQ and Remote sites.
HQ VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name; this name should be the same on both sides, e.g. SF-L2.
2) To enable Layer 2, first click on the “?” at the top-right of the SpeedFusion Profile window and click on the link to unhide the Layer 2 Bridging feature.
3) Tick the checkbox for Layer 2 Bridging and select the Bridge Port to LAN (default setting).
4) Since the HQ serves as the DHCP server end, tick the checkbox for Preserve LAN Settings Upon Connected.
5) Save and apply the changes.
Remote VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name; this name should be the same on both sides, e.g. SF-L2.
2) To enable Layer 2, first click on the “?” at the top-right of the SpeedFusion Profile window and click on the link to unhide the Layer 2 Bridging feature.
3) Tick the checkbox for Layer 2 Bridging and select the Bridge Port to LAN (default setting).
4) As the remote site is to follow the HQ DHCP assignment, leave the checkbox for Preserve LAN Settings Upon Connected unchecked; a warning message will be displayed as a reminder that this site's (Remote) LAN will follow the HQ LAN IP assignment.
5) In order to manage this router (MOTG), you need to manually assign an unused HQ LAN IP to this router. Once SpeedFusion is connected, you will be accessing this router via this new IP (192.168.125.5).
6) Save and apply the changes.
Once the VPN profile is created on both sides, and if the WAN links are up, the routers will start negotiating the VPN connection. If all the parameters are correct, the VPN will come up in a minute's time. The description of the SpeedFusion connection will change, with the added wording “Layer 2” beside SpeedFusion. At the remote router, a warning message is displayed at the bottom of the Device Information section.
To verify the SpeedFusion tunnel, you can view the SpeedFusion Status window.
1) Go to the Dashboard and click on the Status button in the SpeedFusion section
2) Click on the blue triangle beside SF-L2 to expand the statistics
3) Notice that the Remote router IP is 192.168.125.5, as assigned in the VPN profile
Remote Host Verification:
1) Open a command prompt on the remote site notebook and check the IP with ipconfig; you will notice the host has obtained 192.168.125.11 from the HQ DHCP server.
Ping Test:
1) Remote side ping to HQ LAN IP: 192.168.125.10
• Passed or Failed
SpeedFusion 3G/4G Bonding
As more business takes place outside the office, telecom providers have responded by boosting the speed and reliability of their 3G networks. In addition, they are rolling out innovations like 4G, LTE, and WiMax in an increasing number of markets. However, no matter how quickly cellular data bandwidth and quality improve, mobile business always demands more. From live video streaming and conferencing to ever-larger file transfers and real-time collaboration, today’s mobile applications strain even the latest and greatest cellular technology to its limits. The result is fluctuating data quality, unpredictable data rates, and widespread frustration, in addition to costly overage charges.
Requirement
In our previous case, the remote site area doesn’t have any WiFi or Wired Internet facility. So, the project team needs to use Cellular WAN to establish a VPN back to the office. We can combine both 3G cellular lines into a SpeedFusion Bonded VPN to allow greater throughput and reliability. The remote site LAN IP is 192.168.0.0/24, and the HQ LAN IP is 192.168.125.0/24.
We assume the HQ router has created the SpeedFusion profile named SF-L2, a normal Layer 3 bonded VPN. Here are the steps for creating a VPN profile in MAX OTG. At the branch router (Balance 310), go to Advanced > SpeedFusion to create the VPN profile.
VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name; this name should be the same on both sides, e.g. SF-L2.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite side.
3) At the remote site, enter at least one Public IP (or DNS/DDNS) of the HQ router WAN link; if HQ has multiple WAN links with static Public IPs, you can key in all the IPs.
4) MAX OTG is capable of VPN Bonding, so choose the active WAN links from the WAN Connection Priority section to be bonded by the SpeedFusion VPN; this example will use WAN 1 & 2 to forward VPN traffic.
5) Save and apply the changes.
Once VPN profiles have been created on both sides, and if the WAN links are up, the routers will start negotiating the VPN connection. If all the parameters are correct, the VPN will come up in a minute's time. As shown in the screenshots, the Dashboard shows the status of the VPN connection changing to “Established”, indicating that the VPN connection process is successful. Also notice that both WAN 1 & 2 are up and connected to the Internet.
To further verify the SpeedFusion tunnel, you can view the SpeedFusion Status window.
1) Go to the Dashboard and click on the Status button in the SpeedFusion section
2) Click on the blue triangle beside SF-L2 to expand the statistics
3) Notice that both WAN 1 & 2 are connected to the SpeedFusion VPN and are forwarding traffic via the VPN tunnel
Load Sharing Test via multiple Ping commands:
1) At the Remote side, launch at least 2 ping commands to HQ LAN IP: 192.168.125.1
• Passed or Failed
• WAN 1 & 2 links Receive (RX) and Transmit (TX) counters increase? Yes or No
• Refer to next page for the traffic statistics
The realtime graph shows the traffic passing through the SpeedFusion Bonded VPN tunnel. If the uplink direction experiences a link interruption, the SpeedFusion graph will indicate packet loss.
Using SpeedFusion Behind a Firewall
If a Peplink Balance is placed behind a firewall, simply define firewall rules and inbound port forwarding policy in order to allow VPN traffic to pass through it. By default, SpeedFusion uses TCP port 32015 and UDP port 4500 for establishing VPN connections and transmitting data. However, you can change the Data Port assignment in your SpeedFusion profile to another value.
SpeedFusion bonded VPN requires all transmitted data to be encapsulated in a special UDP stream. This stream contains additional packet headers with all the information needed to reconstruct the original data stream in the correct order at the remote location. SpeedFusion adds an additional 80 bytes of data to each packet sent over a SpeedFusion connection, no matter what size the original data packet is. This compares well to the 58 bytes of overhead required by IPsec, especially considering that SpeedFusion provides advanced routing, load balancing, and 256 bit AES encryption within the tunnel. As the chart on the left shows, when a SpeedFusion VPN tunnel is used to transmit IMIX data (4084 bytes), an additional 960 bytes of SpeedFusion overhead is required. The SpeedFusion overhead is 19% of the total transmitted data (IMIX + overhead). Since it uses a fixed number of bytes per packet transmitted (an additional 80 bytes), SpeedFusion is much more efficient when transmitting larger packet sizes.
Accounting for SpeedFusion bandwidth overhead and assuming that the traffic passing across the links is similar to the previously mentioned IMIX standard, we can calculate available real-world bandwidth at the remote site:
Download: 10Mb + 10Mb = 20Mbps - 19% = 16.2Mbps
Upload: 2Mb + 2Mb = 4Mbps - 19% = 3.24Mbps
It is important to explain SpeedFusion bandwidth overhead to your end users so that they understand why they will not get the full 20Mbps/4Mbps bandwidth when using VPN bonding. Remember, conventional VPN technology such as IPsec has an overhead of 14.6%, while SpeedFusion provides bandwidth aggregation & WAN resilience for only an additional 4% overhead.
SpeedFusion Isn’t Just about Bandwidth Aggregation
The big benefit of SpeedFusion is VPN reliability and the highly available connection it provides (with packet-level failover). Customers can take advantage of this reliability and use a pair (or more) of low-cost DSL circuits to achieve higher reliability and throughput than comparable private circuits – often at up to 80% less cost.
We always recommend the use of WAN links with similar bandwidth profiles from different ISPs to allow for the best possible SpeedFusion throughput. Using at least two different ISPs offers the benefit of provider diversity, which means less chance of a technical (or even accounting/billing) error causing a network outage. Provider diversity also lessens the impact of bandwidth sharing, a common problem when using multiple circuits from a single provider.
Download: 20 + 20 = 40 - 19% = 32.4Mbps
Upload: 4 + 4 = 8 - 19% = 6.48Mbps
The above configuration example uses two DSL circuits from two different ISPs, each circuit having a similar bandwidth profile, as the best use case for fixed line SpeedFusion bonding.
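The overhead and bandwidth figures in this and the two preceding sections can be reproduced as follows. This is an added example, not Peplink code; it assumes the "simple IMIX" packet mix (7 x 40, 4 x 576 and 1 x 1500 bytes), which is not spelled out in the text but totals the quoted 4084 bytes.

```python
# Added example: reproduces the overhead figures quoted in the text.

SPEEDFUSION_OVERHEAD = 80  # bytes added to every packet (from the text)
IPSEC_OVERHEAD = 58        # bytes per packet the text quotes for IPsec

# Assumption: the "simple IMIX" mix, packet size in bytes -> packet count.
# 7*40 + 4*576 + 1*1500 = 4084 bytes, the IMIX total quoted in the text.
SIMPLE_IMIX = {40: 7, 576: 4, 1500: 1}


def tunnel_overhead(mix, per_packet):
    """Return (payload bytes, overhead bytes, overhead share of bytes sent)."""
    payload = sum(size * count for size, count in mix.items())
    overhead = per_packet * sum(mix.values())
    return payload, overhead, overhead / (payload + overhead)


def usable_mbps(link_rates_mbps, overhead_share):
    """Aggregate rate of the bonded links minus the tunnel overhead share."""
    return sum(link_rates_mbps) * (1 - overhead_share)


def share_by_packet_size(sizes, per_packet=SPEEDFUSION_OVERHEAD):
    """Overhead share for a stream made up only of packets of each size."""
    return {size: per_packet / (size + per_packet) for size in sizes}


if __name__ == "__main__":
    for name, per_packet in (("SpeedFusion", SPEEDFUSION_OVERHEAD),
                             ("IPsec", IPSEC_OVERHEAD)):
        payload, overhead, share = tunnel_overhead(SIMPLE_IMIX, per_packet)
        print(f"{name:11s} payload={payload} B overhead={overhead} B "
              f"share={share:.1%}")

    # The text rounds the SpeedFusion share to 19% before applying it.
    for label, links in (("download", [10, 10]), ("upload", [2, 2])):
        print(f"{label}: {usable_mbps(links, 0.19):.2f} Mbps")

    # Fixed per-packet overhead: small packets pay proportionally far more.
    for size, share in share_by_packet_size([40, 576, 1500]).items():
        print(f"{size:5d}-byte packets: {share:.1%} overhead")
```

The last loop shows why the text calls SpeedFusion more efficient with larger packets: the 80 bytes are fixed, so the share falls as the packet grows.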
The Effect of WAN Link Characteristics on SpeedFusion VPN Connections
Another important factor to consider is the quality of the WAN links connecting SpeedFusion enabled devices. Let's consider some of the typical drivers for using SpeedFusion in the first place:
1) Internet Connection Bandwidth Availability – SpeedFusion is often deployed by customers who are limited to slow DSL or cellular connections at a given location. Typically, these customers want to combine these slow links to create a faster aggregate connection between locations.
2) Internet Connection Reliability – We often see poor physical line quality at customer locations, particularly DSL using old copper (and sometimes even lead) cable over a long run from the nearest exchange or POP. These connections are inherently unreliable and can sometimes be affected by rain ingress into the physical circuits, as well as temperature changes. We also see customers who have no physical lines and want to use cellular connectivity. Naturally, the quality, bandwidth availability, and reliability of cellular connections vary depending on location.
3) Flexibility – One of the benefits of SpeedFusion is that it is connection agnostic, so we often see customers who want to use it to bond WAN links of different technology types, such as 3G/4G, VSAT, DSL, and leased lines. Obviously, the characteristics of these connections are very different (VSAT has high latency, cellular connections have variable latency/bandwidth depending on their location/signal strength, etc.).
4) ISP Diversity – This is a big driver for customers who want to make sure that even if an ISP has a service issue, they can still connect using a WAN link from another ISP. The same DSL product from different ISPs can have quite different characteristics, with everything from variable contention, latency, and bandwidth availability being factors.
The Effect of WAN Link Characteristics on SpeedFusion VPN Connections, Continued
The two main WAN link characteristics that are important are:
Packet Loss
When the SpeedFusion engine detects excessive packet loss on a WAN link, the link will fail its health test and will not be used by SpeedFusion as an active link until it passes a subsequent health test.
Latency
When latency characteristics are the same across connected WAN links, latency has very little effect on SpeedFusion bandwidth throughput. However, when the latency of WAN links varies considerably, bandwidth throughput will be affected.
Example 1. If WAN1 has 100ms and WAN2 has 400ms latency, the resulting latency of the SpeedFusion bonded link will be 400ms, following the WAN link with the higher latency.
Example 2. If packets travel over multiple SpeedFusion hops (site A -> site B -> site C), with 100ms per link between 2 sites, then the total latency will be 200ms from site A to site C (via site B).
Any variation of these characteristics has an effect on the amount of WAN link bandwidth that is available for use by SpeedFusion.
Packet Loss in high latency environments
In the example above, there is a 3G connection which is highly susceptible to packet loss. Because the latency across the SpeedFusion link is equalized to the link with the highest latency (800ms), SpeedFusion will take longer to spot the packet loss (800ms+).
In certain conditions, such as a combination of regular timed packet loss and high latency on the above 3G link, the TCP protocol method of retransmitting lost packets can have a drastic effect on the available bandwidth over the VPN. This is another reason why we recommend that, whenever possible, high latency links be used for failover and not as an active SpeedFusion WAN link.
Recommended latency difference = Less than 150ms
Note: Using UDP traffic over SpeedFusion can provide higher throughput than TCP, which has restrictive flow control.
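The LAN subnet guideline from the configuration section and the latency guidance above can be checked before a routed (Layer 3) profile is created. This is an added example, not Peplink code; the function names and the sample link names are hypothetical, and treating any overlap (including one subnet containing the other) as a conflict, as well as splitting links at the 150ms spread, are assumptions of this sketch.

```python
# Added example: pre-deployment check for a routed (Layer 3) SpeedFusion
# profile, based on the guidelines in the text. Names are hypothetical.
import ipaddress

# "Recommended latency difference = Less than 150ms" (from the text).
MAX_LATENCY_SPREAD_MS = 150


def overlapping_lans(local_lans, remote_lans):
    """Return (local, remote) subnet pairs that overlap.

    Assumption: containment (e.g. 10.0.0.0/8 vs 10.1.2.0/24) is treated
    like an identical subnet, since routing is ambiguous either way.
    """
    conflicts = []
    for local in map(ipaddress.ip_network, local_lans):
        for remote in map(ipaddress.ip_network, remote_lans):
            if local.version == remote.version and local.overlaps(remote):
                conflicts.append((str(local), str(remote)))
    return conflicts


def bonded_latency_ms(link_latency_ms):
    """Latency of the bonded tunnel: it follows the slowest active link."""
    return max(link_latency_ms.values())


def path_latency_ms(hop_latency_ms):
    """Latency across several SpeedFusion hops (site A -> B -> C)."""
    return sum(hop_latency_ms)


def plan_links(link_latency_ms):
    """Split links into bonding members and failover-only candidates.

    Assumption: a link stays active when it is within
    MAX_LATENCY_SPREAD_MS of the fastest link; slower links are
    suggested for failover, as the text recommends for high latency links.
    """
    fastest = min(link_latency_ms.values())
    active = {name: ms for name, ms in link_latency_ms.items()
              if ms - fastest < MAX_LATENCY_SPREAD_MS}
    failover = {name: ms for name, ms in link_latency_ms.items()
                if name not in active}
    return active, failover


if __name__ == "__main__":
    # Subnets from the document's scenarios.
    print(overlapping_lans(["10.0.0.0/8"], ["192.168.0.0/24"]))
    print(overlapping_lans(["192.168.125.0/24"], ["192.168.125.0/24"]))

    # Constructed link latencies for illustration.
    links = {"DSL": 40, "Cable": 60, "3G": 800}
    active, failover = plan_links(links)
    print("all links bonded:", bonded_latency_ms(links), "ms")
    print("active:", active, "->", bonded_latency_ms(active), "ms")
    print("failover only:", failover)
```

The Layer 2 bridging scenario earlier in this module shares the HQ subnet on purpose, so the overlap check applies only to routed profiles.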
External Factors that Affect WAN Link Quality
Whatever WAN connections you are using, it is always a good idea to test each individually and repeatedly to discover its maximum throughput in both directions. Remember, bandwidth availability can vary throughout the day, especially if using cellular or fixed lines with variable contention.
Cellular and Satellite Bandwidth Availability
The amount of bandwidth available on a 3G/4G or satellite data connection is dependent on a number of factors:
• Signal Strength – Determined by the distance to the nearest cellular tower (or visibility of the satellite) and the subsequent signal quality received.
• Backhaul Bandwidth Availability – From the cellular tower to the ISP's core network or from the satellite ground station to the ISP's core network.
• Device Contention – At the tower or satellite you are connected to (determined by the number of active subscribers on a tower or satellite at any given moment).
Fixed Line Contention
Most internet connections are provided as a contended service. This means that although your provider has advised you will get up to 24Mbps broadband over DSL for example, depending on how oversubscribed your DSL service is (literally how many people in your area are connected to the ISP’s service), the bandwidth that's actually available at any given moment could be considerably less.
The Benefits of Using Multiple Verizon LTE Connections on Contended Cell Towers
Verizon and other LTE providers use a process called windowing/time-slicing when multiple subscribers connect to their LTE services. In the first example, the third user only gets 1/3 (33Mbps) of the available bandwidth (100Mbps) from the cell tower, but in the second example, the third user with a Pepwave MAX device (installed with 2 LTE data SIMs) is able to get half (50Mbps) of the available bandwidth from the cell tower.
Multiple Cellular Connections Deliver a Larger Share of Available Bandwidth
As the above diagrams show, adding an additional cellular connection does not always mean a doubling of available bandwidth, especially if both connections are from the same ISP. However, an additional cellular connection can provide the end user with a larger share of the available bandwidth at a tower. So, if multiple LTE carriers are available, it is always recommended to connect to two different cellular providers to gain a bigger bandwidth share from your LTE connections.
Peplink Balance also supports site-to-site IPSec VPN to third-party peer devices, e.g. Cisco and Juniper, but Peplink always recommends establishing SpeedFusion VPN whenever possible if both peers are Peplink routers.
Notes:
• We advise you to use IPSec Aggressive Mode only when one of your devices has a dynamic IP address. You should choose Main Mode whenever possible because Aggressive Mode is not as secure as Main Mode, although Aggressive Mode is a little faster because fewer packets are exchanged.
• With PFS turned on, when 2 IPSec gateways start a new Phase 2 SA negotiation, they will generate a new set of Phase 1 keys, so that if a security key is compromised, the attackers will only be able to access the data protected by that key. After the new SA is negotiated, all data will be well protected and not affected by the previously compromised key.
• You can only select Force UDP Encapsulation if you have turned on NAT-Traversal. This option is useful when you do not want NAT-T to automatically detect a NAT connection, or if the remote peer fails to detect NAT. If enabled, it forces the Balance / MAX to tell the remote peer that UDP encapsulation (Port 4500) is required (even if you are connecting to the Internet directly without NAT).
• An IPSec tunnel will not be treated as a WAN interface when configuring Outbound Policy.
In a new setup where the customer subscribes to 2 Internet links and does not need a dedicated firewall, the Balance is a good choice for providing outbound Internet load balancing while acting as the security gateway (firewall).
Planning Your Network
• An ISP #1 router/default gateway (210.10.10.1) connected to ISP #1.
• An ISP #2 router/default gateway (20.2.2.1) connected to ISP #2.
• Trusted LAN IP: 192.168.1.0/24
• Peplink Balance WAN #1 IP: 210.10.10.2/24, WAN #2 IP: 22.2.2.2/24, LAN IP: 192.168.1.1/24
• Peplink Balance Router Default Gateway IP: 210.10.10.1 for ISP #1, IP: 22.2.2.1 for ISP #2
• Internal hosts (PC/Notebook) accessing the Internet will be load balanced across the 2 Internet links.
Assumptions:
1) Both ISPs are providing static public IP ranges.
2) All outgoing traffic will be load balanced across both Internet links.
Part 1 – Interface Configuration steps:
1) Go to Network > Interfaces > WAN, click on WAN 1.
2) Choose Static IP from the Connection Method drop-down list.
3) If you need to implement QoS, make sure the Upload Bandwidth and Download Bandwidth values follow the subscribed bandwidth.
4) Fill in the Static IP Settings area with the details given by the ISP.
5) Repeat steps 1 – 4 above for the WAN 2 interface.
6) For the LAN interface, if you want to change to an IP range different from the default (192.168.1.1/24), go to Network > Interfaces > LAN.
7) Fill in the IP address and subnet mask respectively.
8) DHCP service is enabled by default. Change it if required; otherwise leave it as it is.
Part 2 – Configure Outbound Policy to load balance outgoing traffic:
1) Go to Network > Outbound Policy and click the Add Rule button. The Add a New Custom Rule window will appear.
2) Enter a name in Service Name; in this example it is All-Traffic.
3) Choose Any for Source, Destination, and Protocol, based on the assumptions made above.
4) We have WAN 1 and WAN 2 active, so choose Weighted Balance from the Algorithm drop-down list. This will allow a 50:50 load balance between WAN 1 and WAN 2.
5) For WAN 3 and Mobile Internet, either leave them as they are or drag the pointer to 0, as this will not affect connectivity.
6) Click the Save button to save the configuration.
7) In the Rules window, drag the newly created service All-Traffic to below HTTPS_Persistence. This ensures that the HTTPS_Persistence rule is processed before All-Traffic, as the policy is processed from top to bottom.
8) Save to apply the changes.
Done. The Balance router is now load balancing outgoing Internet traffic between WAN 1 and WAN 2 in a 50:50 ratio, and NATing the LAN IP to the WAN 1 and WAN 2 public IPs. You may proceed to configure the firewall rules if needed; otherwise you can leave the default policy in place.
Understanding Outbound Load Balancing
Peplink's load balancing algorithms help you easily fine-tune how traffic is distributed across connections. Each deployment has a unique setup, and Peplink's enterprise grade load balancing features can fulfill all of your special requirements. Create your own rule with the following algorithms and you can sit back and enjoy the high performance routing that Peplink brings to you. A flexible rule-based configuration design enables the fine-tuning of outbound traffic at a per-service level by allowing multiple rules to be configured.
The following types of Outbound Traffic Rules are available:
• Weighted Balance
• Persistence
• Enforced
• Priority
• Overflow
• Least Used
• Lowest Latency
Outgoing Traffic Control via Firewall
Besides Outbound Policy, outgoing traffic can also be controlled via the firewall. A firewall is a mechanism that selectively filters data traffic between the WAN side (the Internet) and the LAN side of the network. It can protect the local network from potential hacker attacks, offensive Web sites, and/or other inappropriate uses. The Outbound firewall policy supports the selective filtering of data traffic on LAN-to-WAN, from PPTP clients, and from SpeedFusion peers.
Outbound Firewall Rules can block the following traffic types:
- Traffic coming from LAN clients
- Traffic coming from PPTP clients
- Traffic coming from SpeedFusion peers
Three types of Outbound policies can be defined:
1) High Application Compatibility
• With the selection of this policy, outbound traffic from a source LAN device is routed through the same WAN connection regardless of the destination Internet IP address and protocol.
• This provides the highest application compatibility.
2) Normal Application Compatibility
• With the selection of this policy, outbound traffic from a source LAN device to the same destination Internet IP address will persistently be routed through the same WAN connection regardless of protocol.
• This provides high compatibility to most applications, and users still benefit from WAN link load balancing when multiple Internet servers are accessed.
3) Custom policy
• With the selection of this policy, outbound traffic behavior can be managed by defining custom rules.
• Rules can be defined in a custom rule table. A default rule can be defined for connections that cannot be matched with any one of the rules.
The default policy is Normal Application Compatibility.
The "Default" custom outbound policy of the Balance 580 is Lowest Latency; the Balance sends TCP traceroute packets every 10 seconds to measure link latency. Changing to any algorithm other than Lowest Latency stops the latency measurement packets and reduces link usage.
Note: An HTTP packet has a larger footprint than a ping packet, so this change can reduce link usage.
Weighted Balance
Assign more traffic to a faster link or less traffic to a connection with a bandwidth cap. Set a weight on the scale for each connection and outgoing traffic will be proportionally distributed according to the specified ratio. The amount of matching traffic that is distributed to a WAN connection is proportional to the weight of that WAN connection relative to the total weight. Use the sliders to change each WAN’s weight.
Example: With the following weight settings on a Peplink Balance 310:
• WAN1: 10
• WAN2: 10
• WAN3: 5
Total weight is 25 = (10 + 10 + 5)
Matching traffic distributed to WAN1 is 40% = (10 / 25) x 100%
Matching traffic distributed to WAN2 is 40% = (10 / 25) x 100%
Matching traffic distributed to WAN3 is 20% = (5 / 25) x 100%
Note: If a LAN user is running multiple Internet sessions, as with BitTorrent or a download manager, that user can utilize the bandwidth of all available WANs at a particular moment.
Persistence
Eliminate session termination issues for HTTPS, e-banking, and other secure websites. Specify a traffic type and it will be routed through the same connection persistently based on its source and/or destination IP addresses. Traffic will keep routing on the same connection until the session ends. There are two Persistent Modes: one is by source and the other by destination. The default mode is By Source.
Enforced
Restrict outbound traffic to a particular connection. Select a connection and the specified traffic type will be routed through it at all times, whether the link is up or down. This suits scenarios like accessing a server that only allows users from a specific IP.
Priority
Route traffic to your preferred link as long as it's available. Arrange the connection priority order, and traffic will be routed through the healthy link that has the highest priority in the list. Lower priority links will only be used if the current connection fails.
Overflow
Prevent traffic flow from slowing down when the connection runs out of available bandwidth. Drag and drop to arrange the connection overflow order and the highest priority link will route traffic as long as it is not congested. Once it saturates, the lower priority links will start routing traffic.
Least Used
Helps you choose the connection with more free bandwidth. Traffic will be directed to the link with the most available bandwidth among the selected connections. This option is useful for maximizing reliability and bandwidth utilization.
Lowest Latency
Gives you the fastest response time when using applications like online gaming. Traffic will be assigned to the link with the lowest latency among the selected connections. Latency checking packets are issued periodically to a nearby router of each WAN connection to determine its latency value. The latency of a WAN is the packet round trip time of the WAN connection. Additional network usage may be incurred as a result. Lowest Latency will try TCP traceroute first. If there is no response from TCP traceroute, it will fall back to ping.
Note: The round trip time of a “6M down / 640k up” link can be higher than that of a “2M down / 2M up” link, because the overall round trip time is lengthened by its slower upload bandwidth despite its higher downlink speed. Therefore this algorithm is good for two scenarios:
• All WAN connections are symmetric; or
• A latency-sensitive application needs to be routed through the lowest latency WAN regardless of the WAN’s available bandwidth.
In addition to physical WAN interfaces, Peplink Balance allows you to redirect designated traffic to a VPN tunnel, e.g. a SpeedFusion VPN tunnel. For example, a customer with centralized Internet access can force all branch Internet traffic to go through the VPN tunnel back to HQ (and probably through web content filtering/security assessment) before reaching Internet sites. Another example would be customer internal applications (email, CRM, etc.) that should be redirected via a secured VPN tunnel to access servers in HQ, rather than going through the unsecured Internet.
Configuration Example - Restricting IPSec VPN Traffic to the WAN1 Link
To configure Peplink Balance to restrict IPSec VPN traffic to WAN1, add the following per-service Enforced rules:
1) Rule to specify UDP Port 500 traffic:
• Service Name: UDP500_on_WAN1
• Source & Destination IP: Any
• Protocol & Port: UDP 500
• Algorithm: Enforced
• Enforced Connection: WAN1
2) Rule to specify UDP Port 4500 traffic:
• Service Name: UDP4500_on_WAN1
• Source & Destination IP: Any
• Protocol & Port: UDP 4500
• Algorithm: Enforced
• Enforced Connection: WAN1
With these rules enabled, Peplink Balance will route IPSec VPN traffic with NAT-T (which requires UDP ports 500 and 4500) to WAN1 regardless of its up/down status. If WAN1 is down, the specified traffic will simply be dropped rather than routed via the other WAN links.
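Added example (not Peplink code and not part of the original manual): a small Python model of the top-to-bottom rule processing and the Enforced, Priority and Weighted Balance behaviour described in this module, showing that the two Enforced rules drop IPSec traffic when WAN1 is down and that placing the catch-all rule above them would let that traffic leave via another WAN. Rule names, ports and weights come from this page; the function and class names and the smooth weighted round-robin scheduler are assumptions made for illustration.

```python
"""Illustrative model of outbound policy evaluation; not Peplink firmware code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ANY = None  # wildcard for protocol or destination port


@dataclass
class Rule:
    name: str
    algorithm: str                        # "enforced", "priority" or "weighted"
    protocol: Optional[str] = ANY
    port: Optional[int] = ANY
    enforced_wan: Optional[str] = None    # used by "enforced"
    order: List[str] = field(default_factory=list)         # used by "priority"
    weights: Dict[str, int] = field(default_factory=dict)  # used by "weighted"
    credit: Dict[str, int] = field(default_factory=dict)   # weighted scheduler state

    def matches(self, protocol: str, port: int) -> bool:
        return self.protocol in (ANY, protocol) and self.port in (ANY, port)

    def pick(self, healthy: Dict[str, bool]) -> Optional[str]:
        """Return the WAN for a new session, or None when the session is dropped."""
        if self.algorithm == "enforced":
            # No fallback: if the enforced link is down the traffic is dropped.
            return self.enforced_wan if healthy.get(self.enforced_wan, False) else None
        if self.algorithm == "priority":
            # Highest-priority healthy link; lower ones are used only on failure.
            return next((w for w in self.order if healthy.get(w, False)), None)
        if self.algorithm == "weighted":
            return self._weighted(healthy)
        raise ValueError(f"unknown algorithm: {self.algorithm}")

    def _weighted(self, healthy: Dict[str, bool]) -> Optional[str]:
        # ASSUMPTION: smooth weighted round-robin stands in for the device's scheduler.
        live = {w: n for w, n in self.weights.items() if n > 0 and healthy.get(w, False)}
        if not live:
            return None
        for wan, weight in live.items():
            self.credit[wan] = self.credit.get(wan, 0) + weight
        chosen = max(live, key=lambda wan: self.credit[wan])
        self.credit[chosen] -= sum(live.values())
        return chosen


def route(rules: List[Rule], protocol: str, port: int,
          healthy: Dict[str, bool]) -> Tuple[Optional[str], Optional[str]]:
    """Evaluate rules top to bottom; the first match decides. Returns (rule, wan)."""
    for rule in rules:
        if rule.matches(protocol, port):
            return rule.name, rule.pick(healthy)
    return None, None


def build_policy() -> List[Rule]:
    """The two Enforced rules from this page above a catch-all weighted rule."""
    return [
        Rule("UDP500_on_WAN1", "enforced", "udp", 500, enforced_wan="WAN1"),
        Rule("UDP4500_on_WAN1", "enforced", "udp", 4500, enforced_wan="WAN1"),
        Rule("All-Traffic", "weighted", weights={"WAN1": 10, "WAN2": 10, "WAN3": 5}),
    ]


def session_share(rule: Rule, sessions: int, healthy: Dict[str, bool]) -> Dict[str, int]:
    """Count how many of `sessions` new sessions each WAN receives under one rule."""
    counts: Dict[str, int] = {}
    for _ in range(sessions):
        wan = rule.pick(healthy)
        counts[wan] = counts.get(wan, 0) + 1
    return counts


if __name__ == "__main__":
    all_up = {"WAN1": True, "WAN2": True, "WAN3": True}
    wan1_down = {"WAN1": False, "WAN2": True, "WAN3": True}
    policy = build_policy()
    print(route(policy, "udp", 500, all_up))      # IKE pinned to WAN1
    print(route(policy, "udp", 4500, wan1_down))  # dropped, not rerouted
    print(route(policy, "tcp", 443, wan1_down))   # catch-all uses a healthy WAN
    print(session_share(build_policy()[2], 25, all_up))
    # Misordered policy: the catch-all shadows the Enforced rules.
    print(route(list(reversed(build_policy())), "udp", 500, wan1_down))
```

A result of `(rule, None)` means the session matched that rule and was dropped; with the catch-all rule listed first, the same UDP 500 session is handed to a healthy WAN instead.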
Drop-in Mode allows Peplink Balance to be deployed in a network without incurring any configuration changes to existing network devices. It simplifies the installation of a Balance into an existing network by transparently and seamlessly working with routers and firewalls. The process is done in 2 phases. In the 1st phase, you transparently insert the Balance into the existing setup. In the 2nd phase, you will be able to add Internet links without modifying existing network equipment settings.
Phase 1 – Insert Peplink Balance into existing environment
Suppose you have a migration plan similar to the following environment. Currently, you have:
• A router/default gateway (210.10.10.1) connected to ISP1.
• A firewall (210.10.10.10) protecting your users on trusted LAN.
We will be installing the Peplink Balance transparently in between the router and the firewall. Then we will add more ISP connections to the network. In this example, we assume:
• Router (Default Gateway) IP: 210.10.10.1
• Firewall IP: 210.10.10.10
• Peplink Balance IP: 210.10.10.5 (for WAN 1 and LAN, bridge)
• WAN1 Subnet Mask: 255.255.255.240
First, start with setting up Drop-in Mode:
1) Go to Network > Interfaces > LAN.
2) Fill in the IP Address and Subnet Mask as 210.10.10.5 and 255.255.255.240 respectively.
3) Enable Drop-in by clicking the Enable box.
4) Key in the Default Gateway as 210.10.10.1 (ISP router IP).
5) Save and apply changes.
Then configure the DNS Servers for WAN 1:
1) Go to Network > Interface > WAN, click on WAN 1.
2) Fill in the DNS server IP(s). The DNS server information in the screenshot above is used for example only.
3) Save and apply changes.
Done.
• You may now install the Peplink Balance into the production network.
• Note that some routers and firewalls may have problems updating their ARP tables. Resetting these devices may be necessary.
• You have just completed the Drop-in mode configuration of the Peplink Balance. You should verify the network with a single WAN before moving to the next step of connecting additional internet connections.
Phase 2 - Connecting additional WANs to the Balance
To install additional Internet connections:
1) Go to Network > Interfaces > WAN
2) Select a free WAN interface. For example, WAN 2 in this case.
3) Enter information for this WAN connection.
4) Save changes and activate the changes.
Your Balance should now aggregate and load balance across the two links. Please repeat Steps 1 to 4 for more internet connections.
How to set up Inbound Load Balance under Drop-in Mode
Once Drop-in mode with multi-WAN links is successfully set up, we can proceed with Inbound Load Balancing. This will allow the internal server(s) to be publicly accessible.
Prerequisite
This task assumes that you already have a good understanding of Drop-in Mode. If not, please read the guide on Drop-in Mode before proceeding further.
Scenario
We will use an example throughout this note. Suppose you currently have a network similar to the following:
• Peplink Balance installed and connected to three ISPs, using Drop-in Mode
• Static IP address ranges (subnets) from the ISPs
• A firewall protecting your trusted LAN
• Hosts and servers on the trusted LAN are using private IP addresses
Conceptually, we enable NAT on WAN2 and WAN3 to masquerade IP addresses of ISP A to achieve inbound load balancing.
In this example, we assume:
• ISP A
  • Network: 210.10.10.0/24
  • Router A (Default Gateway) IP: 210.10.10.1
• ISP B
  • Network: 22.2.2.0/24
  • Router B (Default Gateway) IP: 22.2.2.1
• ISP C
  • Network: 33.3.3.0/24
  • Router C (Default Gateway) IP: 33.3.3.1
• Peplink Balance (Interface addresses)
  • WAN1 and LAN: 210.10.10.5
  • WAN2: 22.2.2.5
  • WAN3: 33.3.3.5
• Firewall IP: 210.10.10.10
• Trusted LAN Network: 192.168.0.0/24
• NAT Mappings (at Firewall)
  • 210.10.10.20:SMTP -> 192.168.0.20:SMTP
  • 210.10.10.30:SMTP -> 192.168.0.30:SMTP
• Drop-in Mode already configured and working in the previous scenario, so no changes on the existing router and firewall.
Our Target: We want to map IP addresses from ISP B and ISP C to “logically” point to the mail servers.
Define Additional Public IP addresses of ISP B and ISP C
1) Go to Network > Interfaces > WAN > WAN2 > Additional Public IP Settings
2) Add the public IP addresses assigned to you by ISP B
3) You can add a series of IP addresses easily using the tool. (But remember to remove the default gateway and Balance IP addresses from the list auto-generated by the tool.)
4) Repeat the same step for WAN3 (if applicable for you).
Purpose: To tell Balance what IP addresses are available for inbound use.
Define Inbound Servers
1) Go to Advanced Network > Inbound Access > Servers
2) Add the two mail servers
3) Notice the use of IP addresses from ISP A here. The Peplink Balance only “sees” IP addresses on its LAN interface.
Define Inbound Services
1) Go to Network > Inbound Access > Services
2) Add a new service rule, tying up IP addresses of ISP B and ISP C to existing server(s).
3) The screenshot essentially describes the following:
• Map 22.2.2.20:SMTP -> 210.10.10.20:SMTP
• Map 33.3.3.20:SMTP -> 210.10.10.20:SMTP
4) Notice that no mapping is required for ISP A. (Uncheck it)
5) Repeat the same step for other service(s).
6) Save and apply changes.
How to set up Inbound Load Balance via built-in DNS (Drop-in Mode)
Peplink Balance has a built-in DNS server for inbound link load balancing. You can delegate a domain’s NS/SOA records, e.g. “www.mycompany.com”, to the Peplink Balance’s WAN IP address(es). The Peplink Balance will return healthy WAN IP addresses as an “A” record when a DNS query for the host name is received. It can also act as a generic DNS server for hosting “A”, “CNAME”, “MX”, “TXT” and “NS” records. The Peplink Balance can do this in either Non Drop-in or Drop-in Mode.
Inbound Load Balancing is configured via:
• DNS records configured within Peplink Balance
• External DNS records at an Authoritative DNS Server
To illustrate this, we will use the previous example, changing the server from mail to web and using only a single server to simplify the illustration. The steps to define the server(s) and service(s) are the same as in the previous example, so we will start with the DNS settings.
To define the DNS records to be hosted in Peplink Balance, go to the setup page located at: Network > Inbound Access > DNS Settings, as shown above.
Step 1: Configure “DNS Server”
Click the Edit button to choose the IP addresses that the DNS server should be listening on. This will result in a pop-up screen. There, select the desired WAN link(s) and respective WAN Interface IP addresses. Multiple addresses in the list can be selected by holding the CTRL key while clicking on the addresses. Click Save to continue.
Step 2: Define the Default SOA / NS
From Network > Inbound Access > DNS Settings, click on the Edit button, create the Default SOA / NS record, and map the WAN 1, 2 & 3 interface IPs to the Name Servers respectively.
Step 3: Select Connection Priority
From Network > Inbound Access > DNS Settings, click the Edit button to configure Default Connection Priority. In the resulting pop-up, you will see a list of WAN interfaces with priority. Choose the desired WAN priorities and click Save to continue. In the above example, WAN 1, 2 & 3 are the interfaces answering DNS queries, so they should be selected. We are assuming all three WAN links are equally healthy.
Step 4: Creating DNS Records
From Network > Inbound Access > DNS Settings, enter a domain name in the Domain Name field and click the Add New button. Click on the New A Record button to create an A Record for the web server.
When the A Record window appears, enter the name of the server (e.g. www), which will be automatically associated with the previously defined domain name (.mypeplink.com). Check the IPs at the respective WAN interfaces; these will be mapped to www.mypeplink.com.
Only the highlighted IP addresses in the lists are returned in responses to a DNS query. (Multiple items in a list can be selected by holding CTRL and clicking on the items.) If a WAN link is down, the corresponding set of IP addresses will not be returned. However, the IP addresses in the Custom IP field will always be returned. Click Save and Apply the changes.
Domain Delegation
This diagram is useful for users who want to delegate a sub-domain to be resolved and managed by the Peplink Balance (assuming they host their domain at an ISP or domain registrar). In order for Internet users to look up the host name (e.g. “www.mypeplink.com”) using the Peplink Balance, you have to point its NS records in the domain (e.g. “mypeplink.com”) to the Peplink Balance’s WAN IP addresses. If you are using ISC BIND 8 or 9, add these lines to the zone file of “mypeplink.com”:
    www IN NS balancewan1
    www IN NS balancewan2
    www IN NS balancewan3
    balancewan1 IN A 210.10.10.5
    balancewan2 IN A 22.2.2.5
    balancewan3 IN A 33.3.3.5
Where 210.10.10.5, 22.2.2.5 and 33.3.3.5 are the WAN IP addresses of the Peplink Balance in this example. The IP values here are for illustration only and would likely be different for you. In order to host the complete domain on your own DNS server with the Peplink Balance, contact the DNS registrar to have the NS records of the domain (e.g. “mypeplink.com”) point to your Balance’s WAN IP addresses.
Testing
From a host on the Internet, use nslookup against an IP address of the Peplink Balance to look up the corresponding hostname. Check that the returned IP addresses are the desired addresses for the host name. Above is a sample Windows nslookup. The IP values here are for illustration only and would likely be different for you. In the lab example, it returns three IPs (210.10.10.30, 22.2.2.30 & 33.3.3.30) when you query for www.mypeplink.com.
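Added example (not Peplink code and not part of the original manual): a Python model covering both the Domain Delegation lines and the A Record behaviour described above. It parses the delegation records, checks that every delegated name server has an A record pointing at a Balance WAN IP, and computes which name servers and which A-record answers remain when a WAN link is down. The addresses come from this page; the function names and data layout are assumptions made for illustration.

```python
"""Illustrative model of delegation and health-aware DNS answers; not Peplink code."""
import ipaddress
from typing import Dict, List, Tuple

# Delegation records as listed on this page for the parent zone "mypeplink.com".
DELEGATION = """\
www IN NS balancewan1
www IN NS balancewan2
www IN NS balancewan3
balancewan1 IN A 210.10.10.5
balancewan2 IN A 22.2.2.5
balancewan3 IN A 33.3.3.5
"""

# Which Balance WAN owns each interface address (from this page's scenario).
WAN_OF_IP = {"210.10.10.5": "WAN1", "22.2.2.5": "WAN2", "33.3.3.5": "WAN3"}

# A record for "www" as in the lab example: one address per WAN, no Custom IP.
WWW_RECORD = {
    "per_wan": {"WAN1": ["210.10.10.30"], "WAN2": ["22.2.2.30"], "WAN3": ["33.3.3.30"]},
    "custom": [],
}


def parse_delegation(text: str) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Parse 'owner IN NS target' / 'owner IN A address' lines into (ns, glue)."""
    ns: Dict[str, List[str]] = {}
    glue: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[1].upper() != "IN":
            raise ValueError(f"unsupported record: {raw!r}")
        owner, _, rtype, value = parts
        if rtype.upper() == "NS":
            ns.setdefault(owner, []).append(value)
        elif rtype.upper() == "A":
            glue[owner] = str(ipaddress.IPv4Address(value))  # rejects malformed IPs
        else:
            raise ValueError(f"unsupported type: {rtype}")
    return ns, glue


def delegation_problems(ns, glue, wan_of_ip) -> List[str]:
    """List name servers with no A record, or whose A record is not a Balance WAN IP."""
    problems = []
    for child, targets in ns.items():
        for target in targets:
            if target not in glue:
                problems.append(f"{child}: {target} has no A record")
            elif glue[target] not in wan_of_ip:
                problems.append(f"{child}: {target} -> {glue[target]} is not a WAN IP")
    return problems


def reachable_name_servers(child, ns, glue, wan_of_ip, healthy) -> List[str]:
    """Name servers for `child` that sit on a WAN link that is currently up."""
    return [t for t in ns.get(child, [])
            if healthy.get(wan_of_ip.get(glue.get(t, ""), ""), False)]


def answer_a(record, healthy) -> List[str]:
    """Addresses of healthy WANs, plus Custom IPs, which are always returned."""
    ips = [ip for wan, addrs in record["per_wan"].items()
           if healthy.get(wan, False) for ip in addrs]
    return ips + list(record["custom"])


if __name__ == "__main__":
    ns, glue = parse_delegation(DELEGATION)
    wan2_down = {"WAN1": True, "WAN2": False, "WAN3": True}
    print(delegation_problems(ns, glue, WAN_OF_IP))
    print(reachable_name_servers("www", ns, glue, WAN_OF_IP, wan2_down))
    print(answer_a(WWW_RECORD, wan2_down))
```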
Continuous Failover Support Using Master and Slave Setup
Background
1+1 backup enables failover to happen when the master device goes out of service. This requires a pair of Peplink Balance devices operating in active-standby mode. When the master device is down, the slave device takes over and handles all the LAN traffic. The Peplink Balance series supports failover between two Balance devices based on Virtual Router Redundancy Protocol (VRRP). Periodic VRRP advertisement packets are sent out from the master device to VRRP-specific IP multicast addresses. The slave device assumes the master device’s responsibilities when these messages have not been heard for a pre-defined time interval.
In the above example, VRRP Group 20 is assigned to the HA pair. The virtual IP address (VIP) is 210.10.10.2. However, the default gateway for the firewall should remain unchanged, as the Internet router IP 210.10.10.1, because this is Drop-in Mode. A unique VRRP group identifier is used for each HA pair subsequently set up on the same LAN. Balance devices have to be on the same subnet to support VRRP, and the same VRRP group identifier must be used on the HA pair. Additional Ethernet switches are required to separate each ISP connection so that the Master and Slave Balance devices can both be connected. More than one Ethernet switch must be used in order to prevent a single point of failure, which would otherwise defeat the purpose of the 1+1 backup concept.
In this example, the Master Peplink unit will use 210.10.10.3 as its LAN IP and the Slave Peplink unit will use 210.10.10.4 as its LAN IP. Both Master and Slave units use the same VIP 210.10.10.2.
When the master unit goes down, failover takes place with a typical recovery time of 10-15 seconds. After the Slave unit changes its role to Master, all WAN connections will be re-established.
VRRP for Master Configuration
1) Go to Network > Misc. Settings > High Availability of the Master unit. Select Enable.
2) Enter the following and then click Save:
A. Group Number: (use the same number for the HA pair, e.g. 20)
B. Preferred Role: (select master or slave)
C. Virtual IP: (210.10.10.2)
(Note: The VIP and LAN Administration IP have to be from the same network. Devices behind the Balance, such as a firewall, will need to configure their default gateway to point to the VIP.)
3) Click Apply Changes to activate settings.
VRRP for Slave Configuration – configuration sync.
1) Click and choose Slave as the Preferred Role.
2) Check the box to enable the Configuration Sync. feature.
3) Enter the serial number of the master unit.
4) Before applying the changes, you must change the LAN IP address to one different from that of the Master unit. Go to Network > LAN of the Slave unit and change the LAN IP address.
5) Click Save and then Apply Changes to activate settings.
6) Once the Configuration Sync succeeds, you will find the “successful” message in the event log of the slave unit.
NOTE: The failover takes place with a typical recovery time of 10-15 seconds. After the Slave unit changes its role to Master, all WAN connections will be re-established. The two Balance units should connect to the Internet in the same mode. For example, they should both be in NAT mode or both in Drop-in mode.
NOTE: Once the slave unit is configured to automatically synchronize its configuration from the master unit, the web admin of the slave unit will be locked. Changes can only be made after you have disabled the Configuration Sync. function (see the sample screen capture above). In HA mode, configuration synchronization only happens from the Master unit to the Slave unit; configuration is not obtained by the Master unit from the Slave unit.
VRRP for Slave Configuration – manual
Alternatively, you may configure the slave unit manually.
1) Go to System > Configuration of the MASTER unit. Click Download under Download Active Configurations and save the configuration file for the Slave unit.
2) Go to System > Configuration of the SLAVE unit. Choose the configuration file exported in step 1 under Upload Configurations from High Availability Pair and click Upload.
3) Before applying the changes, change the LAN IP address to one different from that of the Master unit. Go to Network > LAN of the Slave unit and change the LAN IP address. Click Save to save changes.
4) Go to Network > High Availability and change the Preferred Role from Master to Slave.
5) Click Save and then Apply Changes to activate settings.
LAN Bypass Feature
Available in Peplink Balance 580, 710, 1350, and 2500:
• LAN Bypass is a fault-tolerant feature that protects you in the event of a power outage.
• When used with Drop-in Mode, such a failure would be completely transparent to the network.
• In the above example, WAN1 and LAN1 ports are bridged together when the power runs out.
Note:
• Starting from firmware version 5.0, Drop-in mode can be configured on any WAN port. Please note that still only one WAN port can be configured in Drop-in mode.
• If you have selected the LAN Bypass port (which is currently available on WAN1 of Balance 1350 and WAN5 of Balance 580) as the WAN for Drop-in Mode, the High Availability feature will be DISABLED automatically.
• When the LAN Bypass feature is enabled, the High Availability feature will be automatically DISABLED.
Balance Router As Wireless LAN Controller
In this section, we will cover the Balance router WLC configuration; all other AP settings will be covered in another module (Wireless Access Point). From model 305 onwards, the Balance comes with a built-in WLC. This is useful for deploying a centrally controlled WLAN setup at significantly lower cost. The Balance can serve as a WLAN Controller for managing Pepwave AP devices, as well as multiple SSIDs. The Balance and the Pepwave AP can automatically discover each other using DNS and TFTP protocols.
Requirement
The customer has a Balance router installed and operating in their network. Recently, they have purchased two units of Pepwave AP One. The customer wants to integrate these APs into their existing LAN for their staff, while creating “Guest” access which would allow visitors to only access the Internet.
LAN IP: 192.168.0.0/24
Staff SSID: same access right as wired LAN user
Staff Login Method: WPA/WPA2 PSK
Guest SSID: only allow to access Internet
Guest Login Method: Captive Portal with Open security
The Balance router, acting as the WLC, will need to be configured with the above settings and push the policy to the AP(s).
Getting Started – Enable AP Management
1) Select Network from the top menu. Choose AP Management from the left menu, and then select the check box to enable the feature.
2) To manage access points located in a remote network, enable Manage Remote AP.
3) You can set up a list of recognized access points with Access Point to be Managed. Input the serial number of the AP you want to manage in the box.
4) Click Save, and then click Apply Changes.
Creating Wireless Networks (SSID) – for “Staff”
1) Choose Wireless Networks from the left menu. Click the New Network button displayed at the bottom of the page.
2) In the Wireless Network dialog box, enter the Network Name (SSID) used to identify the Wi-Fi network. Enter “Staff” as the SSID, as this will be used for internal access.
3) Under Wireless Security Settings, select WPA/WPA2 - Personal for home or small business use. Enter an authentication password of at least 8 characters in the Shared Key field. If you are managing the network of a larger company, you may consider using WPA/WPA2 - Enterprise, which allows you to use a separate RADIUS server to handle the wireless network’s authentication. Assign the WPA/WPA2 PSK as “staffwlan” for this example.
4) Click OK at the bottom of the dialog box, and then click Apply Changes to save the wireless network.
5) Repeat the above steps to add more wireless networks and/or specify additional name and network permissions for various user groups.
Next we will create the “Guest” SSID.
Creating Wireless Networks (SSID) – for “Guest”
1) Choose Wireless Networks from the left menu. Click the New Network button displayed on the bottom of the page.
2) In the Wireless Network dialog box, enter the Network Name (SSID) used to identify the Wi-Fi network. Enter “Guest” as the SSID, as this will be used for visitor Internet access.
3) Under Wireless Security Settings, select Open (No Encryption).
4) To further customize network permissions, you can also change Guest Protect, Bandwidth Management, and Firewall Settings. As this is for visitor usage, click the Block All Private IP checkbox to protect the internal LAN (assuming the LAN uses a private IP range).
5) To show a splash screen for your Wi-Fi service, which is useful for Wi-Fi service offered to guests in restaurant, hospitality, and other settings, enable Captive Portal. We will configure the Captive Portal on another page.
6) Click OK at the bottom of the dialog box, and then click Apply Changes to save the wireless network.
Creating AP Profiles
1) Choose AP Profiles from the left menu. Click the New AP Profile button displayed on the bottom of the page.
2) In the AP Profile dialog box, enter a name for the device configuration profile, eg. “Office”.
3) Select up to four wireless networks to include in the AP profile. Check the “Guest” and “Staff” SSIDs to include them in this profile.
4) Optimize your device’s radio performance by adjusting the options in AP Advanced Settings. For example, you can select a different 2.4 GHz Wi-Fi radio channel in order to ensure the best signal strength and eliminate potential channel conflicts.
5) Change your AP One’s device security settings, such as passwords, under Web Administration Settings. Set the password to “public”, which is the default for AP One.
6) Click Save at the bottom of the dialog box, and then click Apply Changes to store the AP profile.
Note: You can select up to a maximum of 16 “Wireless Networks” in an AP Profile when using the Balance router as WLC.
Managed AP Status in Dashboard 1) AP One devices in the network will be automatically discovered. The number of APs detected will be shown on the Dashboard and Access Point section of Status. 2) To manage access points located in a remote network, enable Manage Remote AP. 3) You can set up a list of recognized access points with Access Point to be Managed. In this case, one unit has been connected.
Verify From AP Web Console
1) You can verify the AP management by accessing the AP web console page using a web browser. The AP login details are as follows:
• IP Address: 192.168.0.11
• Username: admin (set by WLC)
• Password: public (set by WLC)
2) In the System view of the AP, the real time status shows that the AP is connected to the WLC (IP: 192.168.0.1).
Applying AP Profiles 1) Navigate to the Dashboard page. Under WLAN Information, click Control Panel. 2) Select the check box for the AP One device you wish to configure. 3) Select AP Profile from the drop-down menu located in the lower right corner. 4) In the AP Profile dialog box, select a previously created AP profile (eg. “Office” for this case) and Click OK. 5) The selected AP profile will be sent to your AP One devices automatically.
Creating a Captive Portal
A captive portal is a great opportunity to build your brand while providing Wi-Fi service to hotel guests, coffee shop patrons, students, and other users. You can create a customized portal start page using one of two captive portal modes. In this example we will use the Open Access mode.
1) Navigate to the Dashboard page. Under WLAN Information, click Control Panel.
2) In the Access Point Control Panel dialog box, click Captive Portal Settings, located on the lower left.
3) Click the General tab and choose a Captive Portal Mode:
• Open Access Mode -- No user name or password will be required on the portal page. To limit the amount of time a guest can use the network, enter the allowed time in Free Access Quota. Click Save to store your changes.
• Guest Account Mode -- The portal page will be displayed with a login box, and a user name and password will be required. After selecting Guest Account Mode, click Save. Click Guest Accounts to create accounts.
4) Click the Portal Page Customization tab.
5) To upload an image for the portal page, first click Choose File. Select the desired image from your system and click Upload. If no image is selected, then the default image of the AP One will be used.
6) Customize your portal page with a Message and Terms & Conditions.
7) Specify where the customer will be redirected after successful authentication with a Custom Landing Page if desired.
8) Click Preview to review your design, and click Publish to save your portal page and make it available to guests.
Testing Guest Access
The “Guest” SSID is meant for visitors, so it only allows access to resources outside of the company network.
1) On your notebook, try to connect to the Guest SSID broadcast from the AP One. It should have Open security without any WPA/WPA2 key required.
2) Once connected, open the command prompt and use ipconfig to check your notebook IP address.
Ping Test: 1) Ping to Gateway IP: 192.168.0.1 • Passed or Failed 2) Ping to AP One IP: 192.168.0.11 • Passed or Failed 3) Ping to Google DNS IP: 8.8.8.8 • Passed or Failed
Testing Guest Access to Internet 1) On your notebook, open your web browser and enter “www.google.com” in the URL. 2) You will be redirected to the Captive Portal page, where you will need to review the T&C and click Agree to proceed. 3) This will depend on how you configure the Custom Landing Page. If you have none configured, then you will be redirected to your designated page, www.google.com.
Once the wireless client is granted access, you will be able to access Internet sites. However, clients on the “Guest” SSID will not be allowed to access internal LAN hosts.
Ping Test:
1) Ping to Gateway IP: 192.168.0.1 • Passed or Failed
2) Ping to AP One IP: 192.168.0.11 • Passed or Failed
3) Ping to Google DNS IP: 8.8.8.8 • Passed or Failed
Testing Staff Access
The “Staff” SSID is equivalent to internal LAN access, thus it has the same access rights as wired LAN users.
1) On your notebook, try to connect to the Staff SSID broadcast from the AP One. Key in staffwlan when Windows prompts you for your WPA/WPA2 key.
2) Once connected, open the command prompt and use ipconfig to check your notebook IP address.
Ping Test:
1) Ping to Gateway IP: 192.168.0.1 • Passed or Failed
2) Ping to AP One IP: 192.168.0.11 • Passed or Failed
3) Ping to Google DNS IP: 8.8.8.8 • Passed or Failed
Web Browsing Test:
1) On your notebook, open your web browser and enter “www.google.com” in the URL. Does the page load? Yes or No
Balance Router – Other Configurations In addition to the key features mentioned in previous sections, the Balance Router offers other useful features: - QoS - Service Passthrough - Service Forwarding - System settings. The following tasks will be based on this diagram.
Example:
The Balance router has built-in standard firewall functionality, so it can be used as the firewall in an environment that does not have one. Assuming the company wants to prevent their staff from accessing social websites, eg. facebook.com, a Balance firewall rule by domain name can be configured. The steps are as follows, with “foobar.com” as the example domain name:
1) Go to Network > Firewall > Access Rules, and select Domain Name in the Destination field.
2) Enter “foobar.com” in the empty field.
3) Click Save and apply the changes.
After a firewall rule by domain name is created, all traffic from that domain will be allowed or denied according to your settings.
String matching examples:
• foobar.com: foobar.com
• *.foobar.com: www.foobar.com, mail.foobar.com
• foobar.* and *.foobar.*: foobar.com, foobar.co.uk, www.foobar.co.uk
TIP: If you are trying to block outgoing HTTP access to a website using a domain name, consider using the Web Blocking feature.
The Balance router has QoS features, allowing you to control traffic based on user group (3 predefined groups), as well as by application. In this scenario, we have implemented an IP Telephony system in the branch office, and we have deployed an IP Telephony server that resides in HQ. To optimize voice quality over the Internet links, QoS is essential to ensure that VoIP traffic is delivered smoothly across sites.
To assign the user group:
1) Go to Network > User Groups under QoS, and either click on an existing Subnet or click the Add button to create a new subnet/IP range.
2) From the Group drop down list, select the desired group (Manager, Staff, Guest), and click Save.
To enable QoS based on application:
1) Go to Network > Application under QoS, and click the Add button in the Application section to define the application requiring QoS.
2) In the Add / Edit Application window, choose the appropriate Category and Application from the drop down list, eg. VoIP, and click OK to save.
3) Once the application is defined, it will appear in the Application section. Assign the Priority for this application (High, Normal, Low).
4) Click Save and apply the changes.
Assume your business partner is running systems that only allow access from IPSec clients in your office environment. In such a situation, you would need to enable Service Passthrough Support in your Balance router. By default, the router has IPSec NAT-T enabled. If IPSec is running on custom ports, you can define the ports accordingly.
Steps to enable IPSec passthrough:
1) Go to Network > Service Passthrough under Misc. Settings, and check the Enable box under IPSec NAT-T.
2) Check the Define box if it is running on custom ports, and fill in the ports accordingly.
3) Click Save and apply the changes.
Passthrough for other services (eg. SIP, H.323, FTP & TFTP) can be enabled in this page as well.
Enable SMTP Forwarding There are situations where the ISP will block SMTP forwarding from different ISPs. Thus, the Balance router allows you to control the right ISP links to forward your SMTP service. When this option is enabled, all outgoing SMTP connections destined for any host at TCP port 25 will be intercepted. These connections will then be redirected to a specified SMTP server and port number. SMTP server settings for each WAN can be specified after selecting Enable.
Steps to enable SMTP Service Forwarding:
1) Go to Network > Service Forwarding under Misc. Settings, and check the Enable box under SMTP Forwarding.
2) A window appears listing the WAN connections. Check Enable for the respective WAN and enter the associated SMTP Server name/IP.
3) Click Save and apply the changes.
Enable DNS Forwarding
When this option is enabled, all outgoing DNS lookups will be intercepted and redirected to the built-in DNS name server. If any LAN device is using DNS name servers of a WAN connection, you may want to enable this option to enhance the DNS availability without modifying the DNS server setting of the clients. The built-in DNS name server will distribute DNS lookups to corresponding DNS servers of all available WAN connections. In this case, DNS service will not be interrupted even if any WAN connection is down.
Some of the System settings are crucial to the operation, eg. InControl, Remote Assistance, and Email Notification.
InControl – Cloud Management
When this check box is checked, the device's status information, usage data, and configuration will be sent to Peplink’s InControl system. You can sign up for an InControl account at https://incontrol.peplink.com/. You can register devices under your account, monitor device status and usage reports, as well as download backed up configuration files. Default: Enabled (Post usage data): Disabled
Email Notification
The Email Notification feature allows email to be sent to the listed recipient email addresses when the following events take place:
• Email notification test
• A new firmware version is available
• Health status changes for any WAN connection
• VPN status changes
• Bandwidth usage has reached 75% of the allowance
• Bandwidth usage has reached 95% of the allowance
Click the Test Email Notification button and click Send Test Notification to send a test email.
Remote Assistance
When you face a serious technical issue with the Balance router and need Peplink Technical Support to check on the device, you can turn on this feature. Go to Status > Remote Assistance under the System Information window.
Diagnostic Report
When you report a problem related to the Balance router to Peplink Technical Support, it is good to attach the Diagnostic Report so the support team can analyze the report to understand the router condition. To generate the report, go to Status > Diagnostic Report under System Information. Click the Download button to save the file. The report filename usually has the format below:
YYYYMMDD_Model No._SSSSSSSSSSSS_diag.report
with:
YYYY – 4 digits representing the year
MM – 2 digits representing the month
DD – 2 digits representing the day
Model No. – The Balance model, eg. B380
SSSSSSSSSSSS – 12-digit serial number
Support Information page
Another way to turn on Remote Assistance is through the Web Admin URL shown above, “http://
/cgi-bin/MANGA/support.cgi”. The Diagnostic Report can also be obtained on this page, in addition to the Status page. This page also shows the negotiated speed and duplex status of the router's Ethernet connections, which aids troubleshooting tasks such as debugging connectivity issues.
Additional Support Resources
1) If you need to access the product user manual or firmware, please visit http://www.peplink.com/support/downloads/.
2) To access our knowledge base, please visit http://www.peplink.com/knowledgebase/ to find out more about our product deployment scenarios in various environments and requirements.
3) To log a case with Peplink support, you can send your case to [email protected].
Out of the box, the Pepwave MAX router comes with the following default settings: • IP: 192.168.50.1/24 • Username: admin • Password: admin • LAN DHCP: Enabled • DHCP IP Range: 192.168.50.10 – 192.168.50.250
In the diagram, the switch is optional as a console into the Pepwave MAX Routers. You can plug the UTP cable directly from the PC/Notebook into the MAX Router LAN port for the same purpose. Generally, the Web Admin UI is similar to that of the Balance router, making it easier for users who have experience with the Balance router UI.
After entering the parameters correctly, you will be able to log in to the Web Admin page. The Dashboard provides a status overview of the MAX Router:
• WAN interfaces connectivity status
• LAN interface connectivity status
• System Uptime
• System CPU Load, in %
• Device Throughput, in Mbps
• Depending on the model, GPS map status (BR1 & HD2)
A unique feature of the MAX router interface is that you can configure the WAN interfaces on the WAN Connection Status page. You can do so by clicking the Details button on each WAN interface bar. Alternatively, you can go to Network > WAN to reach the same settings page. On this page, you can also assign different priority levels to the WAN interfaces by dragging the interface bar up or down. If all WAN interfaces are assigned the same priority, the router will load balance the WAN traffic.
Note: Depending on the model of MAX router, only MAX HD2, MAX 700, and MAX OTG (U4 & U4-SF) will allow WAN load balancing; the other models will allow WAN failover.
Cellular Interface Settings
The settings are similar across different interfaces. However, the cellular interface has an extra feature you need to take note of. When you click on the Details button of any of the active Cellular WAN interfaces, you will reach the Connection Details setting page shown above. If the mobile broadband provider or the data plan has a quota limit (eg. 2GB/month), then you need to enable Bandwidth Allowance Monitor and set the data limit on this WAN to 2GB. At the same time, in the Action section, you can set the MAX router to notify you via email if the usage hits 75% of quota. Lastly, you can control whether this particular WAN link stays connected or is disconnected when usage hits 100% for that month.
Health Check Method – SmartCheck
SmartCheck will trigger a DNS lookup health check if there is no return packet after an outbound packet was sent for 10 seconds. Since it is not an active algorithm (one that sends hc packets at a constant interval), it saves bandwidth. If the Cellular WAN has limited data usage/quota, and you want to reduce the Cellular WAN utilization, you can:
1) Choose SmartCheck as Health Check Method
2) Set Standby State of Cellular WAN to "Disconnected" instead of "Remain Connected"
3) Increase the value of Health Check Interval
Saving Bandwidth with Smart Check Smart check will trigger a DNS lookup health check if there is no return packet after an outbound packet was sent for 10 seconds. Since it is not an active algorithm (it does not send hc packet in constant interval), it saves bandwidth.
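The passive trigger described above can be modelled in a few lines. This Python sketch is an added illustration, not Peplink firmware logic: the event format, the reset-after-check behaviour and the 5-second active interval used for comparison are assumptions, and the packet timeline is constructed.

```python
# Model of a passive ("SmartCheck"-style) health check next to an active one.
# Assumption: after a lookup is triggered, the wait timer resets until the
# next outbound packet. The real firmware behaviour is not documented here.

def smartcheck_lookups(events, end, idle_timeout=10.0):
    """Return the times at which a DNS lookup health check is triggered.

    events: time-ordered (seconds, "out" | "in") packets seen on the WAN.
    end:    time at which observation stops.
    """
    checks = []
    waiting_since = None  # oldest outbound packet that has seen no reply yet
    for t, direction in list(events) + [(end, "end")]:
        # A check is due once an outbound packet has gone unanswered
        # for idle_timeout seconds.
        if waiting_since is not None and t - waiting_since >= idle_timeout:
            checks.append(waiting_since + idle_timeout)
            waiting_since = None
        if direction == "in":
            waiting_since = None          # any return traffic proves the link
        elif direction == "out" and waiting_since is None:
            waiting_since = t
    return checks


def active_lookups(duration, interval):
    """Number of probes an active checker sends at a constant interval."""
    return int(duration // interval)


def sample_events():
    """Constructed timeline: 60 s of answered traffic, then the link stalls."""
    events = []
    for t in range(0, 60, 2):
        events.append((t, "out"))
        events.append((t + 0.05, "in"))
    for t in (60, 63, 66, 72, 90):        # outbound only, no replies
        events.append((t, "out"))
    return events


if __name__ == "__main__":
    passive = smartcheck_lookups(sample_events(), end=100)
    print("passive lookups at:", passive)
    print("active lookups in 100 s at 5 s interval:", active_lookups(100, 5))
```

While replies keep arriving, and while the link is completely idle, the passive model sends no health-check traffic at all, which is the saving the text refers to on a metered cellular WAN.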
MAX routers come with various connectivity options, allowing you to set them up in different ways to suit customer requirements. In the following scenarios, we will explore the three most common MAX router deployment setups.
1) Branch Network Connections
• 3 WAN + 2 LAN
2) Mobile Command
• 2 WAN + 2 LAN
3) Public Transport
• 1 WAN + 2 LAN
Let’s take a look at each of these scenarios in detail, and what configurations need to be done to achieve the objective.
Branch Network Connections
In this environment, we have a fast food business with many outlets throughout the country. Each of these outlets needs to connect back to HQ in order to update business transaction data. At the same time, the outlet also needs to provide WiFi to its customers.
Requirements
1) WAN
• The outlet will need cable broadband as the primary WAN link, backed up by a WiFi WAN and a Cellular WAN.
2) LAN
• The wired LAN will serve the outlet's internal LAN, while the WiFi AP can serve both internal staff and guests.
Configuration for the WAN/LAN interfaces is the same as for the Balance routers; please refer to the previous section if you need instructions. This screenshot shows the MAX BR1 router configured with a wired WAN as the primary link, followed by a WiFi WAN as first standby, and Cellular as the secondary standby WAN link.
WAN Failover #1 – Wired WAN Failed
The MAX router has built-in intelligent link health checks to enable a fast failover process. All the standby link(s) are in “hot-standby” state. That is, if the primary link fails, the MAX router will redirect the traffic to the standby WAN links.
Failover Test:
1) Before starting the test, take a Windows machine, launch a command prompt window and conduct a continuous ping to an Internet host IP (eg. 8.8.8.8).
2) Unplug the wired WAN of the MAX router (BR1).
3) Observe the changes of WAN Connection Status.
4) Which is the active WAN link now? Wired WAN or WiFi WAN or Cellular WAN
5) Any timeout during failover? Yes or No
6) How many timeouts during failover?
WAN Failover #2 – Wired WAN & WiFi WAN Failed
Assuming a worse scenario where the first two WAN links are faulty, the MAX router can still operate with the 3rd WAN link, Cellular broadband.
Failover Test: 1) Before starting the test, take a Windows machine, launch a command prompt window and conduct a continuous ping to Internet host IP (eg. 8.8.8.8). 2) Unplug the wired WAN of MAX router (BR1), and change the WiFi WAN WPA/WPA2 Key to simulate 2 WAN links failed 3) Observe the changes of WAN Connection Status 4) Which is the active WAN link now? Wired WAN or WiFi WAN or Cellular WAN 5) Any timeout during failover? Yes or No 6) How long was the timeout during failover?
WAN Link Recovery
The MAX router has a fast and smooth recovery mechanism, so there is no timeout when service on the primary WAN link(s) is restored.
Recovery Test:
1) Before starting the test, at the Remote site, launch the command prompt window and conduct a continuous ping to the HQ LAN IP (10.0.0.10).
2) Plug back the Wired WAN & enter the correct WiFi WAN WPA/WPA2 Key for the MAX BR1 router.
3) Observe the changes in the router's WAN Connection Status.
4) Which is the active WAN link now? Wired WAN or WiFi WAN or Cellular WAN
5) Any timeout during failover? Yes or No
6) How long was the timeout during failover?
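The failover and recovery tests above ask whether the continuous ping timed out and for how many probes. The following Python sketch, added here as an illustration and not part of the Peplink material, counts lost probes in saved Windows `ping -t` output; the sample log and its addresses other than 8.8.8.8 are constructed.

```python
import re

# Constructed sample of Windows `ping -t 8.8.8.8` output saved while a WAN
# link was unplugged (illustrative values, not captured from a real device).
SAMPLE_PING_LOG = """\
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=11ms TTL=117
Reply from 8.8.8.8: bytes=32 time=12ms TTL=117
Request timed out.
Request timed out.
Reply from 192.168.50.1: Destination host unreachable.
Reply from 8.8.8.8: bytes=32 time=48ms TTL=115
Reply from 8.8.8.8: bytes=32 time=45ms TTL=115
Request timed out.
Reply from 8.8.8.8: bytes=32 time=44ms TTL=115
"""

# A real echo reply carries bytes=, time= and TTL= fields.
OK_RE = re.compile(r"^Reply from \S+: bytes=\d+ time[=<]\d+ms TTL=\d+")
# Lost probes. "Reply from <router>: Destination host unreachable." starts
# like a success but is a failure, and Windows' own summary statistics count
# it as received, so the built-in loss figure can understate the outage.
FAIL_RE = re.compile(
    r"Request timed out|Destination (host|net) unreachable|General failure",
    re.IGNORECASE,
)


def classify(line):
    """Return "ok", "fail", or None for banner/statistics lines."""
    line = line.strip()
    if OK_RE.match(line):
        return "ok"
    if FAIL_RE.search(line):
        return "fail"
    return None


def analyse_failover(log_text):
    """Summarise probe loss: total lost, each gap, and the longest gap."""
    probes = [c for c in map(classify, log_text.splitlines()) if c]
    gaps = []            # (index of first lost probe, probes lost in a row)
    run_start = None
    for i, result in enumerate(probes):
        if result == "fail" and run_start is None:
            run_start = i
        elif result == "ok" and run_start is not None:
            gaps.append((run_start, i - run_start))
            run_start = None
    if run_start is not None:                 # log ended during an outage
        gaps.append((run_start, len(probes) - run_start))
    return {
        "probes": len(probes),
        "lost": sum(n for _, n in gaps),
        "gaps": gaps,
        "longest_gap": max((n for _, n in gaps), default=0),
        "recovered": bool(probes) and probes[-1] == "ok",
    }


if __name__ == "__main__":
    print(analyse_failover(SAMPLE_PING_LOG))
```

Save the test output with `ping -t 8.8.8.8 > failover.txt` and pass the file contents to `analyse_failover` to fill in the Yes/No and timeout-count answers for each test.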
Mobile Command
In this example, we have a police patrol driving in an urban area. The MAX BR1 router can be installed in these vehicles, allowing them to stay connected to their control center while they are on the move. This is accomplished with 2 different WAN options.
Requirement
1) WAN
• The police vehicle can use WiFi WAN as the primary WAN link, backed up by a Cellular WAN.
2) LAN
• The wired LAN will be used for fixed machines, while the WiFi AP can serve any handheld devices the policemen carry.
We have gone through the configuration steps of the WAN/LAN interfaces in the Balance router section, so we will skip that step. The screenshot shows the MAX BR1 router configured with WiFi WAN as the primary link, followed by Cellular as the standby WAN link.
Public Transport
Public transport systems often travel long distances, so WiFi WAN may not be able to cover the entire path. The only available WAN option would be Cellular broadband. If bus companies want WAN resiliency, the BR1 has 2 SIM slots and 1 embedded modem, so they can put in a second SIM card for Cellular failover purposes.
Requirement
1) WAN
• The bus needs to be equipped with Cellular WAN.
2) LAN
• The wired LAN will be used for machines in the bus, and the WiFi AP can serve the passengers' handheld devices.
We have gone through WAN/LAN configuration in the Balance router section, so we will skip the explanation there. Above screenshot shows the MAX BR1 router configured with Cellular as the primary and the only WAN link.
As mentioned earlier, the LAN/WAN interface settings are similar to Balance router.
The difference between Balance and MAX router is that non-interface related settings are placed in the Advanced section. You can configure WiFi Settings, SpeedFusion VPN, Port Forwarding, etc in this panel.
The System and Status menus are identical to those for the Balance router. For further details on these settings, please refer to the relevant firmware user manual.
This module will examine different real life deployment scenarios, and how to configure the access points to achieve the desired results.
Course Agenda • Module 4: Wireless Access Point Configurations - To study how Pepwave Access Points can be implemented into various deployment scenarios. - To explain the steps to configure APs to achieve the desired effect.
Hardware Overview
Setting up the AP One for the 1st time: 1) Default settings • IP: 192.168.0.3/24 • Username: admin • Password: public • LAN DHCP: Disabled 2) Connect a PC to the backbone network. Configure the IP address of the PC to be between 192.168.0.4 and 192.168.0.254, with a subnet mask of 255.255.255.0. 3) Using Microsoft Internet Explorer 6 or above, Mozilla Firefox 2.0 or above, or Google Chrome 2.0 or above, connect to https://192.168.0.3. 4) Enter the default admin login ID and password, admin and public respectively. After logging in, the following information main page will appear. Click System, located under Configure on the left, to begin setting up your access point.
After entering the parameters correctly, you will be able to log in to the Web Admin page. The System Information page provides an overview of system conditions:
• Model
• Firmware Version
• AP Name
• Location (user-defined, for the AP's physical location)
• Serial Number
• MAC Address
• Network IP Information (details will be displayed if the default settings have been changed)
• System Time
• Up Time
First, we will define some system settings (eg. Name, IP information, etc).
Steps to configure system settings:
1) Go to Configure > System
2) Click on the Basic tab
3) Enter the necessary information
4) If you want the AP to keep the default Management IP after reboot, click the checkbox to enable Keep Default IP; otherwise uncheck the box.
5) If this AP is managed as standalone and uses a static IP, select Manual in IP Address Mode, then enter the Static IP Address.
6) To save the changes and activate them later, click the Save button. To apply the changes immediately, click the Save to flash and activate button.
The Pepwave AP One series has a unique feature: it can operate in either Layer 2 (Bridge) or Layer 3 (Router) mode.
A. Router Mode
- When using Router mode, your Pepwave access point can be used as a DHCP server for devices located behind it in the network, and provide routing between the wired and wireless networks.
- In this example, putting the AP One in router mode would separate the wireless LAN from the wired LAN segment, either for security control & enforcement, or for broadcast isolation purposes.
B. Bridge Mode
- This would be the typical WLAN deployment, where the AP bridges the wired and wireless networks in the same broadcast domain.
To select the AP role:
1) Go to Configure > System
2) Click on the Advanced tab
3) Select Bridge or Router in the AP Mode field
4) Once the selection is made, it will toggle the configuration mode of the LAN settings page.
LAN Settings Manual Router Settings are available only when AP Mode in Advanced System Settings is set to Router. 1) Go to Configure > LAN to access the LAN settings page. 2) Assign the IP details for the wireless segment, where this segment of IP will be assigned to wireless client. The AP IP will be the default gateway for the wireless clients.
LAN Settings are disabled when the AP One is set to bridge mode, and all the fields will be greyed out. The wireless client will get its IP assigned from the DHCP server sitting in the wired LAN, and the packets will pass through the AP One to reach the wired LAN.
In a normal office WLAN deployment scenario, the AP will host at least 2 different sets of users, namely internal and external. Requirement The customer has purchased one unit of Pepwave AP One recently. They want to enable wireless access for their staff and visitors. Staff will have full access to internal networks and the Internet, and visitors only have Internet access. LAN IP: 192.168.0.0/24 Staff SSID: same access right as wired LAN user Staff Login Method: WPA/WPA2 PSK Guest SSID: only allow to access Internet Guest Login Method: Open Authentication with no security
Let’s look at the tasks needed to accomplish the objective.
To create the SSID:
1) Go to Configure > Wireless Networks, and click the Add button on the Wireless Networks tab.
2) This opens the Wireless Network Details page. Click the Yes button to enable the SSID you want to create.
3) In the Wireless Network SSID field, define the SSID, eg. Guest.
4) The Broadcast SSID checkbox is enabled by default.
5) Assign the Security Level from the choices of “Open”, “Static WEP”, “802.1X”, “WPA”, “WPA2”, and “WPA and WPA2”. For the “Guest” SSID, choose “Open”.
6) Click Save to flash and activate to apply the changes.
The next two slides show the advanced settings for the SSID configuration.
As mentioned earlier, visitors are only allowed to access the Internet, so we need to put measures in place to prevent them from reaching internal networks:
1) Click on the Guest Protect tab under Wireless Network Details for the “Guest” SSID.
2) Select the Block All Private IPs tab, then tick the checkbox for Block LAN Access to turn on the feature.
3) If this AP One has established a SpeedFusion VPN tunnel, and you don’t want the “Guest” traffic to go through it, tick the checkbox for Block SpeedFusion as well.
You can also block custom subnets using the Custom Subnet tab, or block everything except listed exceptions via the Block Exception tab. One more step is needed to complete the “Guest” SSID configuration, as shown on the next page.
It is normal to have different groups of visitors needing to access the Internet at the same time, so you may want to prevent them from seeing each other for visitor privacy purposes:
1) Click on the Advanced tab under Wireless Network Details for the “Guest” SSID.
2) Leave the other settings as they are, and select the checkbox for Layer 2 Isolation to turn on the feature.
3) Click Save to flash and activate to apply the changes.
Once this feature is turned on, wireless clients in the “Guest” network will not be able to access each other. Next, get a machine to test the configuration.
Testing Guest Access
1) On your notebook, try to connect to the Guest SSID broadcast from the AP One. It should have Open security without any WPA/WPA2 key required.
2) Once connected, open the command prompt and use ipconfig to check your notebook IP address, or verify it via the Windows Wireless Network Connection Status.
Ping and Access Tests: 1) Ping to Gateway IP: 192.168.0.1 & Google DNS IP: 8.8.8.8 • Passed or Failed 2) Open web browser and access Internet web sites (eg. www.google.com) • Passed or Failed
To create the “Staff” SSID:
1) Go to Configure > Wireless Networks and click the Add button on the Wireless Networks tab.
2) The Wireless Network Details page will open. Click the Yes button to enable the SSID you want to create.
3) In the Wireless Network SSID field, define the staff SSID as “Staff”, set the Security Level to “WPA and WPA2”, and set the key to “staffwlan”.
4) Click Save to flash and activate to apply the changes.

Next, on the Guest Protect tab, ensure the guest protect features are unchecked:
1) Click on the Guest Protect tab under Wireless Network Details for the “Staff” SSID.
2) Select the Block All Private IPs tab, then uncheck the Block LAN Access checkbox to turn off the feature.
3) If this AP One has established a SpeedFusion VPN tunnel and you want “Staff” traffic to be forwarded to the tunnel, uncheck the Block SpeedFusion checkbox.

One more step is needed to complete the “Staff” SSID configuration, described next.
For internal staff access, Layer 2 isolation need not be applied. To ensure it is not enabled:
1) Click on the Advanced tab under Wireless Network Details for the “Staff” SSID.
2) Leave the other settings as they are and make sure the Layer 2 Isolation checkbox is clear.
3) Click Save to flash and activate to apply the changes.

Next, get a machine to test the new configuration.
Testing Staff Access
1) On your notebook, connect to the Staff SSID broadcast by the AP One. It should use WPA/WPA2 security; the key is “staffwlan”.
2) Once connected, open the command prompt and use ipconfig to check your notebook’s IP address, or verify it via the Windows Wireless Network Connection Status.

Ping and Access Tests:
1) Ping the Gateway IP: 192.168.0.1 and the Google DNS IP: 8.8.8.8
• Passed or Failed
2) Open a web browser and access Internet web sites (e.g. www.google.com) and an internal website (e.g. the Gateway web console, http://192.168.0.1)
• Passed or Failed
A wireless distribution system (WDS) is useful for deployment sites with areas that cables cannot reach, and for temporary deployments. Using WDS, it is possible to connect Access Points wirelessly, and in doing so extend a wired infrastructure to locations where cabling is impossible or inefficient to implement.
Note: WDS may also be considered a repeater mode because it appears to bridge and accept wireless clients at the same time (unlike traditional bridging). However, with this method, throughput is halved for all clients connected wirelessly.

Requirement
The customer is expanding their head office, and the cabling work can only be completed in a month’s time. Staff need to move in to the new office area immediately. In response, the IT manager will set up a WDS using an additional AP One (AP #2) to connect wirelessly back to the existing AP One (AP #1).

Information needed to set up WDS
• Both AP MAC Addresses
• Encryption type: None or AES
• Passphrase
• Encryption Key

Let’s look at the tasks needed to accomplish the objective.
To set up the WDS on both APs:
1) Go to Configure > WDS. The WDS Details tab will appear.
2) Select the Yes radio button to enable the function.
3) Key in the MAC Address of the peer AP.
4) Enter any wording for the Passphrase, e.g. wdskey, then click the Generate Key button to create the Encryption Key.
5) Click Save to flash and activate to apply the changes.

Once the settings are saved, it will take a moment for both APs to recognize each other and to initiate and negotiate the WDS connection. Go to the status page to verify the WDS status.
To verify the WDS status on both APs:
1) Go to Information > Wireless > WDS Info tab.
2) If the WDS is established, you will be able to see the peer AP details in this window. The information includes:
• Manufacturer
• Peer MAC Address
• Encryption
• Type
• Signal
• TX/RX Bytes (Packets)
Testing Access Through WDS
1) On your notebook, connect to the SSID configured on AP #2, e.g. Pismo Research in this case.
2) Once connected, open the command prompt and use ipconfig to check your notebook’s IP address, or verify it via the Windows Wireless Network Connection Status.

Ping and Access Tests:
1) Ping the Gateway IP: 192.168.0.1 and the Google DNS IP: 8.8.8.8
• Passed or Failed
2) Open a web browser and access Internet web sites (e.g. www.google.com) and an internal website (e.g. the Gateway web console, http://192.168.0.1)
• Passed or Failed

To verify client connections at AP #2:
1) Go to Information > Wireless > Connected Clients tab.
2) If clients are associated, you will be able to see their details in this window, grouped by SSID. The information includes:
• MAC Address
• Manufacturer
• IP Address
• Type
• Signal
• Duration
• TX/RX Rate
• TX/RX Bytes (Packets)
• TX Errs
• RX Errs
Requirement
A company wishes to install an AP in their office, but they are aware that other tenants on the same floor have already installed a WLAN infrastructure. They want to know which wireless spectrum (channel) will have the least interference.
The AP One series is capable of discovering nearby wireless networks and listing all of their wireless network information. That way, you can choose the least affected channel (if no channel is free) for your AP.
To enable nearby network discovery:
1) Go to Configure > Advanced Wireless > Advanced Features tab.
2) Tick the Discover Nearby Networks checkbox to enable the feature.
3) Click Save to flash and activate to apply the changes.

To view the nearby networks discovered:
1) Go to Information > Wireless > Nearby Networks tab.
2) If any are detected, a list of APs will be shown with the following details:
• Manufacturer
• SSID
• Security
• MAC Address
• Channel
• Signal
• Last Seen
• Status
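One way to turn the Nearby Networks list into a channel choice, as an added example that is not part of the AP One firmware: each discovered network is weighted by its received power and by how much its 2.4 GHz channel overlaps the candidate channel. The sample scan, the dBm unit for Signal, the linear overlap model and the use of channels 1-11 are assumptions.

```python
# Assumption: 2.4 GHz channels 1-11 are permitted at the site.
CHANNELS_2G4 = range(1, 12)


def dbm_to_mw(dbm):
    """Convert a received signal level in dBm to milliwatts."""
    return 10 ** (dbm / 10.0)


def overlap_weight(ch_a, ch_b):
    """Approximate share of a 20 MHz channel that two 2.4 GHz channels overlap.

    Channel centres are 5 MHz apart, so channels fewer than 5 apart overlap
    and channels 5 or more apart (e.g. 1, 6, 11) do not. The linear fall-off
    is a simplification.
    """
    return max(0.0, 1.0 - abs(ch_a - ch_b) / 5.0)


def score_channels(networks):
    """Return {channel: interference score in mW} for every 2.4 GHz channel."""
    scores = {ch: 0.0 for ch in CHANNELS_2G4}
    for net in networks:
        power = dbm_to_mw(net["signal_dbm"])
        for ch in scores:
            scores[ch] += power * overlap_weight(ch, net["channel"])
    return scores


def best_channel(networks, candidates=(1, 6, 11)):
    """Pick the candidate with the lowest score; ties go to the lower channel."""
    scores = score_channels(networks)
    return min(candidates, key=lambda ch: (scores[ch], ch))


# Constructed sample scan, shaped like the Nearby Networks list.
NEARBY = [
    {"ssid": "TenantA", "channel": 1, "signal_dbm": -45},
    {"ssid": "TenantB", "channel": 6, "signal_dbm": -70},
    {"ssid": "TenantC", "channel": 6, "signal_dbm": -72},
    {"ssid": "TenantD", "channel": 11, "signal_dbm": -60},
    {"ssid": "TenantE", "channel": 3, "signal_dbm": -80},
    {"ssid": "TenantF", "channel": 9, "signal_dbm": -55},
]

if __name__ == "__main__":
    for ch, score in sorted(score_channels(NEARBY).items()):
        print(f"channel {ch:2d}: {score:.3e} mW")
    print("least affected channel:", best_channel(NEARBY))
```

In this sample, channel 6 carries the most networks yet scores lowest, because the two networks on it are weak while channels 1 and 11 each sit next to a strong neighbour.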
If the AP needs to provide higher power output to cover a bigger area wirelessly, you can enable the Power Boost feature:
1) Go to Configure > Advanced Wireless > Radio Settings tab.
2) Tick the Power Boost checkbox to enable the feature.
3) Click Save to flash and activate to apply the changes.

Note: Enabling the Power Boost feature will increase the output power from 400mW to 2W, which maximizes your access point’s Wi-Fi capacity. Please enable it only if local regulations permit.
There are other settings, such as SpeedFusion, SNMP and Web Administration in the Configure menu, and Tools and Commands, which will not be discussed. For further details on these settings, please refer to the relevant firmware user manual.
This module will examine different real-life deployment scenarios and provide detailed instructions on how to use the major features of the Surf On-The-Go.
First-time setup steps on the Surf On-The-Go (SOTG):
1) Default settings
• LAN IP: 192.168.20.1/24
• Admin ID: (No ID by default)
• Admin PW: (No password by default)
• DHCP Enabled
• DHCP Range: 192.168.20.10 – 192.168.20.250
• WLAN AP: Enabled
• SSID: PEPWAVE_#### (where #### is the suffix of the MAC Address of the SOTG)
2) Connect a PC to the SOTG Ethernet port. It will be assigned an IP address between 192.168.20.1 to 192.168.0.20, with a subnet mask of 255.255.255.0.
3) Using Microsoft Internet Explorer 6 or above, Mozilla Firefox 2.0 or above, or Google Chrome 2.0 or above, connect to https://192.168.20.1.
4) As there is no login security enabled by default, you will be redirected to the Dashboard page.
Dashboard Page
On the Dashboard page, you will see the device’s current WAN connection status. It also shows real-time graphs of Network Data Usage and Signal Timeline (if WiFi or Cellular is active). You can change the WAN connection type by clicking the Switch WAN Mode icons (WiFi, Cellular, Wired).

Status Page
You can view the device status on this page. The detailed information includes:
• Firmware version
• Hardware version
• Model
• Serial Number
• Supported Mode (operating radio frequency, a/b/g/n)
• etc.
If the WAN link is active, you will see the relevant information, such as IP Address, Subnet Mask and Gateway.
Your Surf On-The-Go supports three WAN connection modes, giving you maximum connectivity on the road, at the office, or at home.

Wi-Fi Mode
Connect to the Internet via a Wi-Fi Hotspot (with Cellular as backup), and provide a Local Access Point and Ethernet Connection. e.g. Wi-Fi Services from ISP, Hotel, RV Park, Marina.

Cellular Mode
Connect to the Internet using a 4G (WiMAX / LTE) or 3G USB Modem, and provide a Local Access Point and Ethernet Connection. e.g. Traveler, Remote Area.

Wired Mode
Connect to the Internet via an Ethernet cable (with Cellular as backup), through a DSL/Cable Modem or Router, and provide a Local Access Point. e.g. Home, Hotel.
Wi-Fi Mode
Wi-Fi Mode makes it easy to share Wi-Fi service provided by hotels, restaurants, marinas, RV parks, and more. Once connected to Wi-Fi, your Surf can serve as a local access point for an unlimited number of devices. You can also connect printers, game consoles, and other wired devices to the Surf using its Ethernet port.
WiFi Mode Configuration Steps
1) Connect to the Web Admin Interface. Click Wi-Fi, and then Settings.
2) In the Wireless Settings section, change Wireless Network Name (SSID) from the default value of MySSID to the SSID specified by your wireless Internet service provider. Otherwise, you may change this field to a blank value, and then select an SSID from the resulting list, which also includes corresponding encryption types and signal strengths. With the MAC Clone function, you can use the Ethernet client MAC address as the Surf's WAN MAC address.
3) From the Authentication drop-down menu, select the authentication type required by your Wi-Fi Internet service provider. Then, if applicable, enter the Encryption Key value provided by your ISP.
4) In the AP Settings section, select Configure Manually. In the AP SSID field, enter the network name used to identify the home Wi-Fi network. The default AP SSID value is PEPWAVE_####; change it to “MY-MOTG”.
5) From the Authentication drop-down menu, select WPA/WPA2-Personal. In the Encryption Key field, enter an authentication password of at least 8 characters, e.g. “motgwlan”. To store your settings, click the Save button that appears on the lower right.
6) Navigate to the Dashboard page, which displays connection details and signal strength level.
7) Upon successful connection, all of the LEDs on the Surf should be lit as follows:
• PWR – Solid Green
• RDY – Yellow
• ENET – Solid Green
• Wi-Fi – Displays a varying number of lit signal bars depending on the strength of the received signal

If any open WiFi Hotspot is available, you can configure the Surf OTG to enable the Connect to Any Open Mode AP feature, with which it will connect to these Hotspots automatically. When needed, you can use the Ethernet client MAC address as the Surf's WAN MAC address by enabling "MAC Clone" under Wi-Fi WAN Settings.
Testing Client Access
1) On your notebook, connect to the MY-MOTG SSID broadcast by the Surf OTG. It should use WPA/WPA2 security; the key is “motgwlan”.
2) At the same time, to verify that the Surf OTG Ethernet port is in LAN mode, connect a UTP cable from the notebook to the switch.
3) Once connected, open the command prompt and use ipconfig to check that your notebook has obtained IP addresses on both the Wireless and Ethernet adapters.

Ping and Access Tests:
1) Ping the Gateway IP: 192.168.20.1 and the Google DNS IP: 8.8.8.8
• Passed or Failed
2) Open a web browser and access Internet web sites (e.g. www.google.com)
• Passed or Failed
Cellular Mode
This mode allows you to connect your Surf to a 3G or 4G (WiMAX/LTE) USB modem and share the connection with all your devices wirelessly and/or using the Surf’s Ethernet port. Cellular Mode is an ideal choice for travelers or those living/working in remote areas without broadband service.
Cellular Mode Configuration Steps
1) Connect to the Web Admin Interface. Click Cellular, and then Settings.
2) Click Cellular Settings on the left. In general, selecting Auto Operator Settings is sufficient to connect to the Internet. If not, select Custom Operator Settings to manually enter settings specified by your cellular service provider (typically APN and Dial Number). When finished, click Save on the lower right.
3) Refer to the previous example for the WLAN AP settings: the SSID is “MY-MOTG” and the WPA/WPA2 key is “motgwlan”.
4) Navigate to the Dashboard page, which displays connection details and signal strength.
5) Upon successful connection, all of the LEDs on the Surf should be lit as follows:
• PWR – Solid Green
• RDY – Yellow
• ENET – Solid Green
• Wi-Fi – Displays a varying number of lit signal bars depending on the strength of the received signal
Testing Client Access
1) On your notebook, connect to the MY-MOTG SSID broadcast by the Surf OTG. It should use WPA/WPA2 security; the key is “motgwlan”.
2) At the same time, to verify that the Surf OTG Ethernet port is in LAN mode, connect a UTP cable from the notebook to the switch.
3) Once connected, open the command prompt and use ipconfig to check that your notebook has obtained IP addresses on both the Wireless and Ethernet adapters.

Ping and Access Tests:
1) Ping the Gateway IP: 192.168.20.1 and the Google DNS IP: 8.8.8.8
• Passed or Failed
2) Open a web browser and access Internet web sites (e.g. www.google.com)
• Passed or Failed
Wired Mode
Wired Mode lets you connect the Surf to a DSL/cable modem or router. You can also connect the Surf to a multi-port switch for use with multiple wired and wireless devices.
Wired Mode Configuration Steps
1) Connect one end of an Ethernet cable to the Surf On-The-Go and the other end to your Internet source.
2) Refer to the previous example for the WLAN AP settings: the SSID is “MY-MOTG” and the WPA/WPA2 key is “motgwlan”.
3) Connect to the Web Admin Interface. Click Wired, and then Settings.
4) In the WAN IP Settings section, select the method the Surf will use to obtain an IP address:
• Configure Manually – After selecting this option, manually enter a static IP address.
• Obtain an IP Address using DHCP – Obtain an IP address automatically.
• Obtain an IP Address using PPPOE – Connect to Internet service using PPPoE.
5) Navigate to the Dashboard page, which displays connection details and signal strength level.
6) Upon successful connection, all of the LEDs on the Surf should be lit as follows:
• PWR – Solid Green
• RDY – Yellow
• ENET – Solid Green
• Wi-Fi – Displays a varying number of lit signal bars depending on the strength of the received signal
Testing Client Access
1) On your notebook, connect to the MY-MOTG SSID broadcast by the Surf OTG. It should use WPA/WPA2 security; the key is “motgwlan”.
2) Since the Surf OTG is operating in Wired Mode, the Ethernet port has become the WAN interface, so no DHCP Server service is available through this interface.
3) Once connected, open the command prompt and use ipconfig to check that your notebook has obtained an IP address on the Wireless adapter.

Ping and Access Tests:
1) Ping the Gateway IP: 192.168.20.1 and the Google DNS IP: 8.8.8.8
• Passed or Failed
2) Open a web browser and access Internet web sites (e.g. www.google.com)
• Passed or Failed
WAN Connection Failover
The Surf OTG provides WAN failover when it is running in WiFi or Wired Mode, with Cellular as the standby WAN link. This feature adds WAN reliability that would normally be available only in enterprise setups.
WAN Failover Configuration Steps (Wired WAN Mode)
1) Connect to the Web Admin Interface. Click Wired, and then Settings.
2) Ensure the Wired radio button is selected in the WAN Mode.
3) In the Fail Over Settings section, click the Enable radio button to make the Cellular WAN the backup link for Wired (or WiFi) WAN Mode.
4) Click the Save button at the bottom of the page to save and apply the changes.

On the Dashboard, the Cellular 1 icon will appear below the Wired WAN. Its state depends on the Cellular settings: if you choose disconnect, it will remain disconnected (icon dimmed) while the primary WAN link is active. If you select remain connected in the Cellular settings, the cellular link will establish a connection and remain in hot-standby mode (icon turns green).
Wired Failed, Cellular WAN Take-over
1) Unplug the UTP cable from the Surf OTG Ethernet port.
2) Notice the Dashboard WAN link status.

When the Surf OTG detects that the Wired WAN has failed, it will automatically bring up the Cellular WAN. As shown in the screen capture, Cellular 1 is active (green icon) with its signal strength status displayed.
Testing Client Access After Wired WAN Failover
1) On your notebook, connect to the MY-MOTG SSID broadcast by the Surf OTG. It should use WPA/WPA2 security; the key is “motgwlan”.
2) Once connected, open the command prompt and use ipconfig to check that your notebook has obtained an IP address on the Wireless adapter.

Ping & Traceroute Tests:
1) Ping the Gateway IP: 192.168.20.1 and Google Malaysia “www.google.com.my”
• Passed or Failed
2) Traceroute to Internet web sites (e.g. www.google.com.my)
• Note down the path taken
Testing Client Access After Wired WAN Service Restored
1) Plug the UTP cable back into the Surf OTG Ethernet port.
2) Notice the Dashboard WAN link status.

When the Surf OTG detects that the Wired WAN has been restored, it will forward traffic on the Ethernet port again and, at the same time, put the Cellular WAN in standby mode by disconnecting from the cellular connection.

Ping & Traceroute Tests:
1) Ping the Gateway IP: 192.168.20.1 and Google Malaysia “www.google.com.my”
• Passed or Failed
2) Traceroute to Internet web sites (e.g. www.google.com.my)
• Note down the path taken and compare it with the path taken when the Wired WAN failed
Surf OTG Other Settings
There are other settings available on the Surf OTG, such as Cellular Settings, WiFi WAN Profile Settings, PepVPN, Web Administration (turn on login ID and password), Port Forwarding, QoS, Firmware upgrade, and System settings. For further details on these settings, please refer to the relevant firmware user manual.