The copyright owner reserves the right to revise this manual and to make changes from time to time in its
contents without notifying any person of such revisions or changes.
Course Agenda
Module 1: Understanding Multi-WAN and SpeedFusion
Brief description of Peplink/Pepwave's most important technologies
Module 2: Peplink and Pepwave Products Overview
Introduction of Peplink and Pepwave products.
Module 3: Balance and MAX Routers
Exploring different configuration scenarios with Balance and MAX
routers.
Module 4: Wireless Access Point
In-depth configuration guide for Wireless Access Points.
Module 5: Surf Series
Explanation and setup instructions for the Surf Series.
requires reliable connectivity, without using multiple low cost Internet links for their
business operations via VPN. Even if one peer has encryption enabled and the
other does not, PepVPN will still create an encrypted tunnel. Because PepVPN is
easy to set up, no technical assistance is needed on-site.
Easy, on-demand scalability: Need more speed for mission-critical VPNs? How
about temporary bandwidth for a specific project? With SpeedFusion Bonding,
you can plug in connections from any provider and get more speed, whenever
you need it.
Instant Bandwidth Control: And you can unplug connections at any time,
keeping your costs under control.
HQ-to-branch links, in-the-field news video streaming, high-speed public transport
(e.g. trains): all of these applications need high bandwidth and reliable links to push
high volumes of data back to their HQ/Media Center/Control Center for
processing. SpeedFusion Bonding is able to combine multiple Internet lines into
one big logical pipe to carry the information over.
This table compares the features of IPSec, PepVPN, SpeedFusion Hot Failover
and SpeedFusion Bonding.
We will now explore the application of SpeedFusion, with various case studies.
1) MPLS Replacement
2) Branch Network Connection
3) SpeedFusion 3G/4G Bonding
4) Video Transmission in the Air
5) Data Transmission over Water
6) Replace Expensive Satellite Connection
7) Mission Critical Video Surveillance
8) 100% Uptime for First Responders
9) Money Saving on Branch Network Connections
Course Agenda
Module 2: Peplink and Pepwave Products Overview
Introduce Peplink and Pepwave product suite.
2) Small Business
- Balance 210 & 310
- 2 to 3 WAN interfaces, with 1 USB port for a mobile Internet dongle
- 50 users max recommended
- Comes with SpeedFusion Bonding, up to 2 SpeedFusion peers max
3) Mid-Size Business
- Balance 305, 380 & 580
- 19-inch rack mount form factor
- Up to 500 users max recommended for the 305 & 380, while the 580 can support up to
1,000 users max
- Models 305 (with separate license) & 380 support 20 SF peers max, while the 580
supports 50 SF peers max
- Can act as a WLAN Controller by default, supporting 10 Access Points by default
- Can manage up to 50 (Models 305 & 380) or 100 (Model 580) APs with a separately
purchased license
4) Large Enterprise
- Balance 710 & 1350
For existing Balance customers who wish to implement a WLAN solution, Peplink
can help save significant money and effort. From the model 305, 580 and
onwards, the Balance comes with built-in AP management. This makes deploying
Pepwave APs much easier and more affordable.
In this example, the Balance Multi-WAN router can serve three roles: it is a WAN
load balancer, a Wireless LAN Controller, and when needed, a site-to-site VPN
termination point as well.
2) MAX BR1
- Rugged metal case is suitable for industrial-grade usage
- Comes in 2 SKUs, with built-in 3G WAN and 4G-LTE modems
- Supports a redundant SIM with dual SIM slots, providing failover functionality between
them.*
- Built with a terminal block for reliable power sourcing, and a rugged 10V-32V DC power
supply for deployment in a mobile vehicle
- Ideal for mobile command, high-speed public transport, and harsh environment
deployments
- Advanced Car-Fi Roaming + IPsec X.509 Certificate Support (only available for BR1 as
an add-on feature)
3) MAX 700
- Rugged metal case is suitable for industrial-grade usage
- Supports up to 7 WAN links (2 Wired, 4 USB, 1 WiFi)
- Built with a terminal block for reliable power sourcing, and a rugged 10V-32V DC power
supply for deployment in a mobile vehicle
- Ideal for on-the-field media streaming and live broadcasting deployments that require
bigger bandwidth
4) MAX HD2
- Rugged metal case is suitable for industrial-grade usage
- Comes in 2 variants, with built-in 3G and built-in 4G-LTE modems
- Supports up to 6 WAN links (2 Wired, 2 Cellular, 1 USB, 1 WiFi)
- Built with a terminal block for reliable power sourcing, and a rugged 10V-32V DC power
supply for deployment in a mobile vehicle
- Ideal for on-the-field media streaming and live broadcasting deployments that require
bigger bandwidth
- If GPS is enabled, both (or any one) of its SMA antenna ports can be used to acquire the
GPS signal and position
Features At A Glance
Network
- Bridge Mode, Router (NAT) Mode, Wireless Distribution System (WDS), Support for
PPPoE, Static IP, DHCP, Management VLAN (802.1p), Spanning Tree Protocol (802.1d)
- Support up to 16 Wireless Network SSIDs configured, and it can broadcast up to 4
SSIDs concurrently
Client Management
Per SSID
VLAN with QoS (802.1p/802.1q), Bandwidth Control, MAC Address Filtering, Layer 2
Client Isolation, Limit on Max. Number of Client
Per Client
VLAN with RADIUS, VLAN with VLAN Pool, Bandwidth Control, Multicast Filter, IGMP
Snooping/Multicast Enhancement
AP Security
Open, WEP, 802.1x with Dynamic WEP, WPA-PSK/RADIUS, WPA2-PSK/RADIUS
Captive Portal
Device Management
Web Administrative Interface, InControl Cloud Management, Peplink Balance WLAN
Controller, SNMP v1, v2c and v3
Pepwave AP One access points offer fast, affordable, and dependable wireless
networking without administration headaches. Ready for anything and built to go
anywhere, AP One access points deliver enterprise-grade Wi-Fi that drops in
quickly and immediately gets to work -- so you can get back to your work.
Minimize Wi-Fi management hassles with the AP One series and the Peplink
Balance with WLAN Controller. Fully integrated with the Peplink Balance, our
WLAN Controller makes it easy to configure, manage, update, and report on up
to 500 AP One devices from a single intuitive interface. Prefer the flexibility of
cloud-based administration? Our InControl remote management system gives
you complete control over every device on your network and in-depth reporting
with just a few clicks, all from a simple, yet powerful, web-based tool that's
available anywhere you have online access and a supported browser.
Here are four different deployment scenarios for the AP One wireless solution.
Professional Hotspots: coupled with the Balance WLAN Controller (or InControl
cloud management) feature, the AP One and AP One X can be deployed
effectively as a professional hotspot solution. No expensive controllers required.
Wireless Mobility: Pepwave wireless solutions make wireless applications in
high-speed environments a budget-friendly reality.
Service Provider Wi-Fi: the AP One can help you deploy a carrier-grade
wireless solution; install many for citywide Wi-Fi CPEs. The range of these
devices leads the industry.
Industrial Networking: the AP One series allows IP devices to stay connected
wirelessly over long distances. It provides reliable wireless for data devices.
The Pepwave Surf SOHO is a professional-grade Wi-Fi router designed for home
office, small business, and power users. With its support for 4G LTE/3G, cable,
DSL, and other broadband connections, the Surf SOHO makes it possible to
deploy fast and secure 802.11abgn Wi-Fi hotspots anywhere.
The Surf SOHO also features a built-in long-range antenna, optional external
antennas, business-class VPN, cellular usage monitoring, and URL blocking. This
makes it an ideal networking solution for a wide range of mobile and office uses.
4 Operating Modes
3 WAN Modes
WiFi WAN
USB Cellular WAN
Wired WAN
Adjust Connection Priorities on the Fly - Simply tap and swipe to connect your MAX
This module will examine different real life deployment scenarios, and
describe how to configure the routers to achieve the desired result.
Course Agenda
Module 3: Peplink Balance and MAX Routers Configurations
Study how Balance and MAX routers fit into the various deployment scenarios,
and explain the steps to configure these routers.
Physical hardware layout and control panel for the Balance high-end models.
Below are some of the frequently used functions in Control Panel Navigation
(based on the Balance 380 model):
HA State: Master/Slave
> LAN IP
> VIP
System Status
> System
-> Firmware ver. (shows firmware version)
-> Serial number (shows serial number)
-> CPU load (shows current CPU loading, 0-100%)
-> LAN
---> Status (shows LAN port physical status)
---> IP address (shows LAN IP address)
---> Subnet mask (shows LAN subnet mask)
> Link status (shows Connected/Disconnected, IP address list)
-> WAN1
-> WAN2
-> WAN3
> Link usage
-> Throughput in (shows transfer rate in Kbps)
--->WAN1
--->WAN2
--->WAN3
Out of the box, the Peplink Balance comes with the default settings below:
IP: 192.168.1.1/24
Username: admin
Password: admin
LAN DHCP: Enabled
DHCP IP Range: 192.168.1.10 - 192.168.1.250
In the diagram above, the switch is optional for connecting to the Peplink Balance.
You can plug the UTP cable directly from the PC/Notebook into the Balance LAN
port for the same purpose.
After entering the parameters correctly, you will be able to log in to the Web
Admin page.
The Dashboard provides an overview of the condition on several key
parameters:
WAN interfaces connectivity status
LAN interface connectivity status
System Uptime
System CPU Load, in %
Device Throughput, in Mbps
With our new three-tier structure, it's never been easier to migrate to
SpeedFusion. Once you use it, you will see why customers around the
world have replaced IPsec and other conventional VPN technologies.
Note:
1
If Encryption is accidentally turned off on one of the routers, the VPN tunnel will still be
encrypted in both directions, as the other router will trigger encryption to be turned on at
both ends.
Once the VPN profile has been created on both sides, and if the WAN links are
up, the routers will automatically initiate the VPN connection. If all the parameters
are correct, it will take only a few minutes.
As shown in the screenshots, at the Dashboard page, the status of the VPN
connection will change to Established, indicating a successful VPN connection.
To verify which links are participating in the VPN connection, you can click on the
Status button in the SpeedFusion or PepVPN section as shown in the screen
capture.
It also lists the network(s) learned from the other side, via the built-in routing
protocol. HQ will see the 192.168.0.0/24 network from the Remote router, and
Remote will learn the 10.0.0.0/8 network from the HQ side.
In our screencaps, the HQ side router is using WAN 1 for the VPN connection,
while the remote site is using WiFi WAN as VPN link.
To ensure the end-to-end connectivity is up, a PING test to the other side host
(LAN IP) should receive a response as shown above.
Ping Test:
1) HQ side ping to Remote LAN IP: 192.168.0.11
Passed or Failed
2) Remote side ping to HQ LAN IP: 10.0.0.10
Passed or Failed
Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
Passed or Failed
The user interface is the same across the MAX router series. Assuming we are taking
the same HQ setup as in the previous example, the VPN profile creation process is the
same except the name is changed to MY-MaxBR1. Here are the steps to create a
VPN profile on the MAX BR1.
At the MAX BR1 router, go to Advanced > SpeedFusion to create the VPN
profile.
VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name; this name
should be the same on both sides, e.g. MY-MaxBR1.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the
opposite side.
3) For the remote site, enter at least one Public IP (or DNS/DDNS) of the
HQ router WAN link; if HQ has multiple WAN links with static Public IPs, you
can key in all the IPs.
4) The MAX BR1 WAN link supports Hot-Failover, so the SpeedFusion VPN will
follow the state of the WAN link in order to maintain the VPN link (e.g. if WAN
1 is active and WAN 2 is standby, the SpeedFusion VPN will use WAN 1 as the
primary link to forward VPN traffic, while keeping WAN 2 in hot standby mode).
5) Save and apply the changes.
Once the VPN profile is created on both sides, and if the WAN links are up, the
routers will start negotiating the VPN connection. If all the parameters are correct, the
VPN will come up in minutes.
As shown in the screenshots, on the Dashboard page, the status of the VPN
connection will change to Established, indicating a successful VPN connection.
Failover Test:
1) Before starting the test, at the Remote site, launch the command prompt window and
conduct a continuous ping to HQ LAN IP (10.0.0.10)
2) Unplug WAN 1 at Remote (MAX BR1)
3) Observe the changes at the routers
Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
Passed or Failed
Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
Passed or Failed
To monitor the SpeedFusion Hot-Failover and recovery process, you can view the
SpeedFusion Status window.
1) Go to DashBoard, click on Status button at SpeedFusion section
2) Click on the blue triangle beside the MY-MaxBR1 to expand the statistic
3) Monitor the changes on the WAN status during the failover and fallback
Taking the same HQ setup as in the previous example, the VPN profile creation process is
the same except the name is changed to MYKL-VPN. Here are the steps to create a VPN
profile in MAX BR1.
At the branch router (Balance 310), go to Network > SpeedFusion to create the VPN
profile.
VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name; this name should
be the same on both sides, e.g. MYKL-VPN.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite side.
3) For the remote site, enter at least one Public IP (or DNS/DDNS) of the HQ router
WAN link; if HQ has multiple WAN links with static Public IPs, you can key in all those
IPs.
4) The Balance 310 is capable of VPN Bonding, so choose the active WAN links from the
WAN Connection Priority section to be bonded by SpeedFusion VPN; this example
will use WAN 1 & 2 to forward VPN traffic.
5) Save and apply the changes.
Once VPN profiles have been created on both sides, and if the WAN links
are up, the routers will start negotiating the VPN connection. If all the
parameters are correct, the VPN will be online in a minute's time.
As shown in the screenshots, at the Dashboard page, the status of the
VPN connection will change to Established, indicating a successful VPN
connection.
Failover Test:
1) Before starting the test, at the Remote site, launch the command prompt window and
conduct a continuous ping to HQ LAN IP (10.0.0.10)
2) Unplug WAN 2 at Remote router (Balance 310)
3) Observe the changes at the routers
Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
Passed or Failed
Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
Passed or Failed
Ethernet-easy WAN
Unlike traditional WAN technologies, PepVPN works with any IP
connection, sets up in minutes, and requires almost no maintenance. It
connects sites, regardless of the distance, with a lightning-quick 256-bit
AES-encrypted tunnel. It is 100% compatible with all your
Peplink/Pepwave devices.
PepVPN is so fast and easy to use, it's like having everyone on the same
LAN, connected by Ethernet cables. PepVPN eliminates the 100-meter
limitation. In fact, it eliminates any distance limitations, so go ahead and do
business anywhere you please: across town, throughout the country,
around the globe.
Requirement
Many companies need to mobilize a team at a project site while keeping the team
connected to the company network. However, some systems in their company don't
work well in a routed environment or a VPN (e.g. NetBIOS, mainframe-based applications,
and even VMware SRM). In these situations, the solution is to extend the office network
to the project site using the SpeedFusion Long Distance Ethernet VPN solution.
In this scenario, they are deploying a Balance 380 at HQ, and a MAX On-The-Go
(MOTG) at the remote site. The HQ's LAN IP (192.168.125.0/24) will be extended to
the remote site, with DHCP enabled to assign IPs to remote hosts.
Extending the HQ LAN to the remote site can be done using the
SpeedFusion L2 approach. These screencaps show the VPN profiles at
both HQ and Remote sites.
HQ VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name, this name should
be same for both sides, eg. SF-L2.
2) To enable Layer 2, first click on the ? at the top-right of the SpeedFusion Profile
window and click on the link to unhide the Layer 2 Bridging feature.
3) Tick the checkbox for Layer 2 Bridging, select the Bridge Port to LAN (default
setting).
4) Since the HQ serves as the DHCP server end, tick on the checkbox of Preserve
LAN Settings Upon Connected.
5) Save and apply the changes.
5) In order to manage this router (MOTG), you need to manually assign an unused HQ
LAN IP to this router. Once SpeedFusion is connected, you will be accessing this
router via this new IP (192.168.125.5).
6) Save and apply the changes.
Once the VPN profile is created on both sides, and if the WAN links are up, the
routers will start negotiating the VPN connection. If all the parameters
are correct, the VPN will come up in a minute's time. The description on the
SpeedFusion will change, with the added wording Layer 2 beside
SpeedFusion. At the remote router, a warning message is displayed at the
bottom of the Device Information section.
To verify the SpeedFusion tunnel, you can view the SpeedFusion Status
window.
1) Go to DashBoard, click on Status button at SpeedFusion section
2) Click on the blue triangle beside the SF-L2 to expand the statistic
3) Notice that the Remote router IP is 192.168.125.5, as assigned in the
VPN profile
Remote Host Verification:
1) Open a command prompt on the remote site notebook and check the IP with ipconfig; you
will notice the host obtained 192.168.125.11 from the HQ DHCP server.
Ping Test:
1) Remote side ping to HQ LAN IP: 192.168.125.10
Passed or Failed
Assume the HQ router has created the SpeedFusion profile named SF-L2, a normal
Layer 3 bonded VPN. Here are the steps to create a VPN profile in MAX OTG.
At the branch router (Balance 310), go to Advanced > SpeedFusion to create the VPN
profile.
VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name; this name should
be the same on both sides, e.g. SF-L2.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite side.
3) At the remote site, enter at least one Public IP (or DNS/DDNS) of the HQ router
WAN link; if HQ has multiple WAN links with static Public IPs, you can key in all the
IPs.
4) MAX OTG is capable of VPN Bonding, so choose the active WAN links from the
WAN Connection Priority section to be bonded by SpeedFusion VPN; this
example will use WAN 1 & 2 to forward VPN traffic.
5) Save and apply the changes.
Once VPN profiles have been created on both sides, and if the WAN links
are up, the routers will start negotiating the VPN connection. If all the
parameters are correct, the VPN will come up in a minute's time.
As shown in the screenshots, the Dashboard shows the status of the VPN
connection changing to Established, indicating that the VPN connection
process is successful. Also notice that both WAN 1 & 2 are up and
connected to the Internet.
To further verify the SpeedFusion tunnel, you can view the SpeedFusion
Status window.
1) Go to DashBoard, click on the Status button at the SpeedFusion
section
2) Click on the blue triangle beside the SF-L2 to expand the statistic
3) Notice that both WAN 1 & 2 are connected to the SpeedFusion VPN,
and forwarding the traffic via the VPN tunnel
Load Sharing Test via multiple Ping commands:
1) Remote side: launch at least 2 ping commands to HQ LAN IP: 192.168.125.1
Passed or Failed
WAN 1 & 2 links Receive (RX) and Transmit (TX) counters increase? Yes or
No
Refer to next page for the traffic statistics
The realtime graph shows the traffic passing through the SpeedFusion Bonded VPN tunnel.
If the uplink direction experiences a link interruption, the SpeedFusion graph will
indicate packet loss.
4) ISP Diversity: This is a big driver for customers who want to make sure that even if
an ISP has a service issue, they can still connect using a WAN link from another ISP.
The same DSL product from different ISPs can have quite different characteristics,
with everything from variable contention, latency, and bandwidth availability being
factors.
In certain conditions, such as a combination of regular timed packet loss and high latency
on the above 3G link, the TCP protocol method of retransmitting lost packets can have a
drastic effect on the available bandwidth over the VPN. This is another reason why we
recommend that, whenever possible, high latency links be used for failover and not as an
active SpeedFusion WAN link.
Recommended latency difference = Less than 150ms
Note: Using UDP traffic over SpeedFusion can provide higher throughput than TCP
which has restrictive flow control.
Peplink Balance also supports site-to-site IPSec VPN to third-party peer devices, e.g.
Cisco and Juniper, but Peplink always recommends establishing a SpeedFusion VPN
whenever possible, if both peers are Peplink routers.
Notes:
- We advise you to use IPSec Aggressive Mode only when one of your devices has a
dynamic IP address. You should choose Main Mode whenever possible because
Aggressive Mode is not as secure as Main Mode, although Aggressive Mode is a little
bit faster because fewer packets are exchanged.
- With PFS turned on, when 2 IPSec gateways start a new Phase 2 SA negotiation,
they will generate a new set of Phase 1 keys, so that if a security key is
compromised, the attackers will only be able to access the data protected by that key.
After the new SA is negotiated, all data will be well protected and not affected by the
previously compromised key.
- You can only select Force UDP Encapsulation if you have turned on NAT-Traversal.
This option is useful when you do not want NAT-T to automatically detect a NAT
connection, or if the remote peer failed to detect NAT. If enabled, it will force the Balance /
MAX to tell the remote peer that UDP encapsulation (Port 4500) is required (even if you
are connecting to the Internet directly without NAT).
- An IPSec tunnel will not be treated as a WAN interface when configuring Outbound Policy.
Assumptions:
1) Both ISPs are providing static Public IP ranges.
2) All outgoing traffic will be load balanced across both Internet links.
between WAN 1 and WAN 2 in 50:50 ratio, and NAT the LAN IP to WAN 1 and WAN 2
Public IP. You may proceed to configure the firewall rules if needed, else you can leave it
with the default policy.
"Default" custom outbound policy of Balance 580 is lowest latency, Balance sends tcp
traceroute packets every 10 seconds to measure link latency. Changing to any algorithm
other than lowest latency stops the latency measurement packets and reduces link usage.
Note:
An HTTP packet has a larger footprint than a Ping packet, so this change can reduce link usage.
Weighted Balance
Assign more traffic to a faster link or less traffic to a connection with a bandwidth cap.
Set a weight on the scale for each connection and outgoing traffic will be proportionally
distributed according to the specified ratio.
The amount of matching traffic that is distributed to a WAN connection is proportional to
the weight of WAN connection relative to the total weight. Use the sliders to change each
WAN's weight.
Example: With the following weight settings on a Peplink Balance 310:
WAN1: 10
WAN2: 10
WAN3: 5
Total weight is 25 = (10 + 10 + 5)
Matching traffic distributed to WAN1 is 40% = (10 / 25) x 100%
Matching traffic distributed to WAN2 is 40% = (10 / 25) x 100%
Matching traffic distributed to WAN3 is 20% = (5 / 25) x 100%
Note:
If a LAN user is running multiple Internet sessions, such as BitTorrent or a download manager,
that user can utilize all available WAN bandwidth at a particular moment.
Persistence
Eliminate session termination issue for HTTPS, E-banking, and other secure websites.
Specify a traffic type and it will be routed through the same connection persistently
based on its source and/or destination IP addresses. Traffic will keep routing on the
same connection until the session ends.
There are two Persistent Modes. One is by source and the other by destination. The
default Mode is By Source.
Enforced
Restrict outbound traffic to a particular connection. Select a connection and the specified
traffic type will be routed through it at all times, whether the link is up or down. This is
useful for scenarios like accessing a server that only allows users from a specific IP.
Priority
Route traffic to your preferred link as long as it's available. Arrange the connection
priority order, and traffic will be routed through the healthy link that has the highest
priority in the list. Lower priority links will only be used if the current connection fails.
Overflow
Prevent traffic flow from slowing down when the connection runs out of available
bandwidth. Drag and drop to arrange the connection overflow order and the highest
priority link will route traffic as long as it has not been congested. Once it saturates, the
lower priority links will start routing traffic.
Least Used
Help you choose the better connection with more free bandwidth. Traffic will be directed
to the link with the most available bandwidth among the selected connections. This
option is useful for maximizing reliability and bandwidth utilization.
Lowest Latency
Give you the fastest response time when using applications like online gaming. Traffic
will be assigned to the link with the lowest latency time among the selected connections.
Latency checking packets are issued periodically to a nearby router of each WAN
connection to determine its latency value. The latency of a WAN is the packet round trip
time of the WAN connection. Additional network usage may be incurred as a result.
Lowest Latency will try TCP traceroute first. If there is no response from TCP traceroute,
it will fall back to using ping.
Note: The round trip time of a 6M down / 640k up link can be higher than that of a 2M
down / 2M up link. This is because the overall round trip time is lengthened by its slower
upload bandwidth despite its higher downlink speed.
Therefore this algorithm is good for two scenarios:
All WAN connections are symmetric; or
A latency sensitive application requires to be routed through the lowest latency WAN
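The selection rules described above, modelled in Python as an added example (not Peplink code and not part of the original manual). The capacity, usage and latency fields, the smooth weighted round-robin scheduler, and the least-used first assignment under Persistence are assumptions; the manual does not specify them.

```python
# Added example, not Peplink code: link selection for the outbound policy
# algorithms described above. Capacity/usage/latency figures are constructed.
from dataclasses import dataclass


@dataclass
class Wan:
    name: str
    weight: int = 1            # Weighted Balance slider value
    healthy: bool = True       # result of the WAN health check
    capacity_kbps: int = 0     # assumed field: provisioned bandwidth
    used_kbps: int = 0         # assumed field: current throughput
    latency_ms: float = 0.0    # assumed field: last measured round trip


def sample_links():
    # Weights match the manual's Balance 310 example; other values are constructed.
    return [Wan("WAN1", 10, True, 6000, 5900, 48.0),
            Wan("WAN2", 10, True, 2000, 500, 22.0),
            Wan("WAN3", 5, True, 2000, 1900, 95.0)]


def healthy(links):
    return [l for l in links if l.healthy]


def weighted_shares(links):
    """Weighted Balance: share of matching traffic = weight / total weight."""
    up = [l for l in healthy(links) if l.weight > 0]
    total = sum(l.weight for l in up)
    return {l.name: 100.0 * l.weight / total for l in up}


def weighted_sequence(links, sessions):
    """Assign sessions in proportion to weight using smooth weighted
    round-robin (a stand-in scheduler chosen for this example)."""
    up = [l for l in healthy(links) if l.weight > 0]
    total = sum(l.weight for l in up)
    credit = {l.name: 0 for l in up}
    order = []
    for _ in range(sessions if up else 0):
        for l in up:
            credit[l.name] += l.weight
        best = max(up, key=lambda l: credit[l.name])
        credit[best.name] -= total
        order.append(best.name)
    return order


def pick_priority(links):
    """Priority: the healthy link highest in the list."""
    up = healthy(links)
    return up[0].name if up else None


def pick_overflow(links):
    """Overflow: highest-priority healthy link that is not yet saturated."""
    up = healthy(links)
    for l in up:
        if l.used_kbps < l.capacity_kbps:
            return l.name
    return up[0].name if up else None   # all saturated: stay on the top link


def pick_least_used(links):
    """Least Used: healthy link with the most free bandwidth."""
    up = healthy(links)
    return max(up, key=lambda l: l.capacity_kbps - l.used_kbps).name if up else None


def pick_lowest_latency(links):
    """Lowest Latency: healthy link with the smallest measured round trip."""
    up = healthy(links)
    return min(up, key=lambda l: l.latency_ms).name if up else None


def pick_enforced(link):
    """Enforced: always the selected link, whether it is up or down."""
    return link.name


class Persistence:
    """Persistence (By Source): a source keeps its link until the session ends.
    Moving a source off a failed link is an assumption of this example."""

    def __init__(self, links):
        self.links = links
        self.table = {}

    def pick(self, src_ip):
        up = {l.name for l in healthy(self.links)}
        if self.table.get(src_ip) not in up:    # new source, or its link failed
            self.table[src_ip] = pick_least_used(self.links)
        return self.table[src_ip]

    def end_session(self, src_ip):
        self.table.pop(src_ip, None)


if __name__ == "__main__":
    links = sample_links()
    print(weighted_shares(links))
    print(weighted_sequence(links, 5))
```

Note that Enforced is the only rule here that can hand traffic to a link that is down, which is why it suits destinations that accept a single source IP and nothing else.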
In addition to physical WAN interfaces, Peplink Balance allows you to redirect
designated traffic to a VPN tunnel, e.g. a SpeedFusion VPN tunnel. For example, a
customer with centralized Internet access can force all branch Internet traffic to go
through the VPN tunnel back to HQ (and probably web content filtering/security
assessment) before reaching Internet sites. Another example would be customer
internal applications (email, CRM, etc.) that should be redirected via a secured VPN
tunnel to access servers in HQ, rather than going through the unsecured Internet.
Done.
You may now install the Peplink Balance to the production network.
Notice that some routers and firewalls may have problems updating their ARP tables.
Resetting these devices may be necessary.
You have just completed the Drop-in mode configuration of the Peplink Balance. You
should verify the network with single WAN before moving to the next step of
connecting additional internet connections.
Your Balance should now aggregate and load balance across the two
links. Please repeat Step 1 to 4 for more internet connections.
Prerequisite
This task assumes that you already have a good understanding of Drop-in Mode. If not,
please read the guide on Drop-in Mode before proceeding further.
Scenario
We will use an example throughout this note. Suppose you currently have a network
similar to the following:
Peplink Balance installed and connected to three ISPs, using Drop-in Mode
Static IP address ranges (subnets) from the ISPs
A firewall protecting your trusted LAN
Hosts and servers on the trusted LAN are using private IP addresses
Conceptually, we enable NAT on WAN2 and WAN3 to masquerade IP addresses of ISP
A to achieve inbound load balancing.
ISP A: Network 210.10.10.0/24, Router A (Default Gateway) IP 210.10.10.1
ISP B: Network 22.2.2.0/24, Router B (Default Gateway) IP 22.2.2.1
ISP C: Network 33.3.3.0/24, Router C (Default Gateway) IP 33.3.3.1
Our Target:
We want to map IP addresses from ISP B and ISP C to logically point to the mail
servers.
How to set up Inbound Load Balance via built-in DNS (Drop-in Mode)
Peplink Balance has a built-in DNS server for inbound link load balancing. You can
delegate a domain's NS/SOA records, e.g. www.mycompany.com, to the Peplink
Balance's WAN IP address(es). The Peplink Balance will return healthy WAN IP
addresses as an A record when a DNS query for the host name is received.
It can also act as a generic DNS server for hosting A, CNAME, MX, TXT and NS
records. The Peplink Balance can perform this in two methods, either in Non Drop-in or
Drop-in Mode.
Inbound Load Balancing is configured via:
DNS records configured within Peplink Balance
External DNS records at an Authoritative DNS Server
To illustrate this, we will use the previous example, changing the server from mail to
web, and only using single server for simplified illustration. The steps to define the
server(s) and service(s) are the same as the previous example, so we will start with the
DNS settings.
To define the DNS records to be hosted in Peplink Balance, go to the setup page located
at: Network > Inbound Access > DNS Settings, as shown above.
As the A Record window appears, enter the name of the server (eg. www) which will be
auto associated with the previous defined domain name (.mypeplink.com).
Check on the IP at the respective WAN interfaces, these will be mapped to
www.mypeplink.com.
Domain Delegation
This diagram is useful for users who want to delegate a sub-domain to be resolved and
managed with the Peplink Balance (Assuming they host their domain at an ISP or
domain registrar).
In order for Internet users to look up the host name (e.g. www.mypeplink.com) using
the Peplink Balance, you have to point NS records of it in the domain (e.g.
mypeplink.com) to the Peplink Balances WAN IP addresses. If you are using ISC
BIND 8 or 9, add these lines in the zone file of mypeplink.com:
www IN NS balancewan1
www IN NS balancewan2
www IN NS balancewan3
balancewan1 IN A 210.10.10.5
balancewan2 IN A 22.2.2.5
balancewan3 IN A 33.3.3.5
Here 210.10.10.5, 22.2.2.5 and 33.3.3.5 are the WAN IP addresses of the Peplink
Balance in this example. The IP values here are for illustration only and would likely be
different for you. In order to host the complete domain on your own DNS server with the
Peplink Balance, contact the DNS registrar to have the NS records of the domain (e.g.
mypeplink.com) point to your Balance's WAN IP addresses.
Testing
From a host on the Internet, use nslookup against an IP address of the Peplink Balance to
look up the corresponding hostname. Check that the returned IP addresses are the desired
addresses for the host name. Above is a sample Windows nslookup.
The IP values here are for illustration only and would likely be different for you. In the lab
example, it should return three IPs (210.10.10.30, 22.2.2.30 & 33.3.3.30) when you query
for www.mypeplink.com.
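The check in this Testing step, as an added Python example (not Peplink tooling): it confirms that every NS name in the delegation lines has an A record and compares the addresses in an nslookup answer with the ones you expect. The zone text and nslookup output are constructed from this lab's illustration addresses, and the function names are hypothetical.

```python
import re

# Constructed input: the delegation lines from the zone file of mypeplink.com.
ZONE_FRAGMENT = """\
www          IN NS balancewan1
www          IN NS balancewan2
www          IN NS balancewan3
balancewan1  IN A  210.10.10.5
balancewan2  IN A  22.2.2.5
balancewan3  IN A  33.3.3.5
"""

# Constructed input: Windows nslookup output when one Balance WAN IP is queried.
NSLOOKUP_OUTPUT = """\
Server:  UnKnown
Address:  210.10.10.5

Name:    www.mypeplink.com
Addresses:  210.10.10.30
          22.2.2.30
          33.3.3.30
"""

EXPECTED = ["210.10.10.30", "22.2.2.30", "33.3.3.30"]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_delegation(zone_text, label):
    """Return {ns_name: address or None} for the NS records of `label`."""
    ns_names, a_records = [], {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        if len(fields) != 4 or fields[1].upper() != "IN":
            continue
        owner, _, rtype, rdata = fields
        if rtype.upper() == "NS" and owner == label:
            ns_names.append(rdata)
        elif rtype.upper() == "A":
            a_records[owner] = rdata
    return {ns: a_records.get(ns) for ns in ns_names}


def parse_nslookup_answers(output):
    """Return the addresses listed after 'Name:' (the queried server's own IP is skipped)."""
    _, found, answer = output.partition("Name:")
    return set(IPV4.findall(answer)) if found else set()


def check_inbound_dns(zone_text, label, nslookup_output, expected_ips):
    """Summarise delegation gaps and differences between expected and returned IPs."""
    delegation = parse_delegation(zone_text, label)
    answers = parse_nslookup_answers(nslookup_output)
    return {
        "ns_without_glue": sorted(ns for ns, ip in delegation.items() if ip is None),
        "missing": sorted(set(expected_ips) - answers),      # e.g. a WAN failing its health check
        "unexpected": sorted(answers - set(expected_ips)),   # an address you did not map
    }


if __name__ == "__main__":
    print(check_inbound_dns(ZONE_FRAGMENT, "www", NSLOOKUP_OUTPUT, EXPECTED))
```

Because the Balance returns only healthy WAN addresses, a non-empty "missing" list is worth checking against the WAN health status before treating it as a DNS misconfiguration.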
When the master unit goes down, the failover will take place with a typical recovery time of 10-15
seconds. After the Slave unit changes its role to Master, all WAN connections will be re-established.
NOTE:
The failover takes place with a typical recovery time of 10-15 seconds. After the
Slave unit changes its role to Master, all WAN connections will be re-established
again.
Two Balance units should connect to the Internet in the same mode. For example,
they should be both in NAT mode or both in Drop-in mode.
NOTE:
Once the slave unit is configured to automatically synchronize configuration from the
master unit, the web admin of the slave unit will be locked. Changes can only be made after
you have disabled the Configuration Sync. function, as in the sample screen capture above.
In HA mode, configuration synchronization only happens from the Master unit to the Slave unit;
configuration will not be obtained by the Master unit from the Slave unit.
Requirement
The customer has a Balance router installed and operating in their network. Recently,
they have purchased two units of Pepwave AP One. The customer wants to integrate
these APs into their existing LAN for their staff, while creating Guest access which
would allow visitors to only access the Internet.
LAN IP: 192.168.0.0/24
Staff SSID: same access right as wired LAN user
Staff Login Method: WPA/WPA2 PSK
Guest SSID: only allow to access Internet
Guest Login Method: Captive Portal with Open security
The Balance router, acting as the WLC, will need to be configured with the above settings and push
the policy to the AP(s).
Creating AP Profiles
1) Choose AP Profiles from the left menu. Click the New AP Profile button displayed
at the bottom of the page.
2) In the AP Profile dialog box, enter a name for the device configuration profile, e.g.
Office.
3) Select up to four wireless networks to include in the AP profile; check the Guest
and Staff SSIDs to be included in this profile.
4) Optimize your device's radio performance by adjusting the options in AP Advanced
Settings. For example, you can select a different 2.4 GHz Wi-Fi radio channel in
order to ensure the best signal strength and eliminate potential channel conflicts.
5) Change your AP One's device security settings, such as passwords, under Web
Administration Settings. Set the password to public, which is the default for AP One.
6) Click Save at the bottom of the dialog box, and then click Apply Changes to store
the AP profile.
Note:
You can select up to a maximum of 16 Wireless Networks in an AP Profile when using
the Balance router as WLC.
Applying AP Profiles
1) Navigate to the Dashboard page. Under WLAN Information, click Control Panel.
2) Select the check box for the AP One device you wish to configure.
3) Select AP Profile from the drop-down menu located in the lower right corner.
4) In the AP Profile dialog box, select a previously created AP profile (e.g. Office in
this case) and click OK.
5) The selected AP profile will be sent to your AP One devices automatically.
6) Customize your portal page with a Message and Terms & Conditions.
7) Specify where the customer will be redirected after successful authentication with a
Custom Landing Page if desired.
8) Click Preview to review your design, and click Publish to save your portal page and
make it available to guests.
Ping Test:
1) Ping to Gateway IP: 192.168.0.1
Passed or Failed
2) Ping to AP One IP: 192.168.0.11
Passed or Failed
3) Ping to Google DNS IP: 8.8.8.8
Passed or Failed
Once the wireless client is granted access, you will be able to access Internet sites.
However, the Guest SSID will not be allowed to access internal LAN hosts.
Ping Test:
1) Ping to Gateway IP: 192.168.0.1
Passed or Failed
2) Ping to AP One IP: 192.168.0.11
Passed or Failed
3) Ping to Google DNS IP: 8.8.8.8
Passed or Failed
Example:
The Balance router has built-in standard firewall functionality, so it can be
used as the firewall in an environment that doesn't have any firewall. Assuming the
company wants to prevent their staff from accessing social websites, e.g.
facebook.com, a Balance firewall rule by domain name can be
configured.
The steps are as follows, with foobar.com as the example domain name:
1) Go to Network > Firewall > Access Rules, and select Domain Name in the
Destination field.
2) Enter foobar.com in the empty field.
3) Click Save and apply the changes.
After a firewall rule by domain name is created, all traffic from that domain will be allowed
or denied according to your settings.
String          Matching Example
foobar.com      foobar.com
*.foobar.com    www.foobar.com, mail.foobar.com
foobar.*        foobar.com, foobar.co.uk
*.foobar.*      www.foobar.co.uk
TIP: If you are trying to block outgoing HTTP access to a website using a domain name,
consider using the Web Blocking feature.
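The string-matching table above, as an added Python example that is not Peplink's code: it assumes `*` stands for any run of characters, dots included (which is what the foobar.co.uk row implies), and lists which hostnames from a constructed sample each rule string would cover before the rule is saved. The function names and the look-alike hostnames are hypothetical.

```python
import re


def rule_to_regex(rule):
    """Compile a domain rule string. '*' is assumed to match any run of
    characters, including dots (an assumption, not documented router behaviour)."""
    literal_parts = (re.escape(part) for part in rule.strip().lower().split("*"))
    return re.compile(".*".join(literal_parts))


def rule_matches(rule, hostname):
    """True when the whole hostname (case-insensitive, trailing dot ignored) fits the rule."""
    host = hostname.strip().lower().rstrip(".")
    return rule_to_regex(rule).fullmatch(host) is not None


def coverage(rules, hostnames):
    """Map each rule string to the sorted hostnames it would cover."""
    return {rule: sorted(h for h in hostnames if rule_matches(rule, h)) for rule in rules}


def outside_intent(rule, hostnames, intended_domains):
    """Hostnames the rule covers that are neither one of the intended domains nor
    a subdomain of one; review these before saving the rule as Allow."""
    def intended(host):
        return any(host == d or host.endswith("." + d) for d in intended_domains)
    return [h for h in coverage([rule], hostnames)[rule] if not intended(h)]


# Constructed sample: the manual's example names plus two look-alike names
# of the kind that turn up in DNS or proxy logs.
SAMPLE_HOSTS = [
    "foobar.com", "www.foobar.com", "mail.foobar.com",
    "foobar.co.uk", "www.foobar.co.uk",
    "notfoobar.com", "foobar.com.example.net",
]
RULES = ["foobar.com", "*.foobar.com", "foobar.*", "*.foobar.*"]

if __name__ == "__main__":
    for rule, hosts in coverage(RULES, SAMPLE_HOSTS).items():
        print(f"{rule:14} -> {', '.join(hosts)}")
    print("review:", outside_intent("foobar.*", SAMPLE_HOSTS, ["foobar.com", "foobar.co.uk"]))
```

Under this assumption a leading `*.` does not cover the bare domain, so blocking both foobar.com and its subdomains takes two rule strings.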
The Balance router has QoS features, allowing you to control traffic
based on its user group (3 predefined groups), as well as by application. In
this scenario, we have implemented an IP Telephony system in the branch
office, and we have deployed an IP Telephony server residing in HQ. To
optimize the voice quality over the Internet links, QoS is essential to
ensure the VoIP traffic can be smoothly delivered across sites.
To assign the user group:
1) Go to Network > User Groups under QoS, and either click on an existing Subnet or click the Add
button to create a new subnet/IP range.
2) From the Group drop-down list, select the desired group (Manager, Staff, Guest), then
click Save.
Assume your business partner is running systems that only allow access from IPSec
clients in your office environment. In such a situation, you would need to enable Service
Passthrough Support in your Balance router. By default, the router has IPSec
NAT-T enabled. If IPSec is running on custom ports, you can define the ports
accordingly.
Steps to enable IPSec passthrough:
1) Go to Network > Service Passthrough under Misc. Settings, and check the Enable box under IPSec
NAT-T.
2) Check the Define box if it's running on custom ports, and fill in the ports accordingly.
3) Click Save and apply the changes.
Passthrough for other services (eg. SIP, H.323, FTP & TFTP) can be enabled in this
page as well.
Some of the System settings are crucial to the operation, eg. InControl,
Remote Assistance, and Email Notification.
InControl Cloud Management
When this check box is checked, the device's status information, usage data, and
configuration will be sent to Peplink's InControl system. You can sign up for an InControl
account at https://incontrol.peplink.com/. You can register devices under your account,
monitor device status and usage reports, as well as download backed-up configuration
files.
Default: Enabled
(Post usage data): Disabled
Email Notification
The feature Email Notification allows email to be sent to the listed recipient email
addresses when the following events take place:
Email notification test
A new firmware version is available
Health status changes for any WAN connection
VPN status changes
Bandwidth usage has reached 75% of the allowance
support, you can send your case to
Out of the box, the Pepwave MAX router comes with the following default
settings:
IP: 192.168.50.1/24
Username: admin
Password: admin
LAN DHCP: Enabled
DHCP IP Range: 192.168.50.10 - 192.168.50.250
In the diagram, the switch is optional as a console into the Pepwave MAX
Routers. You can plug the UTP cable directly from the PC/Notebook into the MAX
Router LAN port for the same purpose.
Generally, the Web Admin UI is similar to that of the Balance router, making it easier
for users who have experience with the Balance router UI.
After entering the parameters correctly, you will be able to log in to the Web
Admin page.
The Dashboard provides a status overview of the MAX Router:
WAN interfaces connectivity status
LAN interface connectivity status
System Uptime
System CPU Load, in %
Device Throughput, in Mbps
Depending on the model, the GPS map status too (BR1 & HD2)
A unique feature of the MAX router interface is that you can configure the WAN
interfaces on the WAN Connection Status page. You can do so by clicking the Details
button on each WAN interface bar. Alternatively, you can go to Network > WAN to
reach the same settings page.
In this page, you can also assign different priority levels to the WAN interfaces by
dragging the interface bar up or down. If all WAN interfaces are assigned with same
priority, then it will perform load balancing for the WAN traffic.
Note:
Depending on the model of MAX router, only the MAX HD2, MAX 700, and MAX OTG (U4 &
U4-SF) will allow WAN load balancing; the other models will allow WAN failover.
MAX routers come with various connectivity options, allowing you to set them
up in different ways to suit customer requirements. In the following
scenarios, we will explore the three most common MAX router deployment
setups.
1) Branch Network Connections
3 WAN + 2 LAN
2) Mobile Command
2 WAN + 2 LAN
3) Public Transport
1 WAN + 2 LAN
1) WAN
The outlet will need a cable broadband as primary WAN link, backed up by a WiFi WAN and a
Cellular WAN.
2) LAN
The wired LAN will be serving the outlet internal LAN, while WiFi AP can serve both internal
staff as well as their guest.
Configuration of the WAN/LAN interfaces is the same as for the Balance
routers; please refer to the previous section if you need instructions.
This screenshot shows the MAX BR1 router configured with a wired WAN
as primary link, followed by a WiFi WAN as first standby, and Cellular as
secondary standby WAN link.
Failover Test:
1) Before starting the test, take a Windows machine, launch a command
prompt window and conduct a continuous ping to Internet host IP (eg.
8.8.8.8).
2) Unplug the wired WAN of the MAX router (BR1), and change the WiFi WAN
WPA/WPA2 Key to simulate two failed WAN links.
3) Observe the changes in WAN Connection Status.
4) Which is the active WAN link now? Wired WAN, WiFi WAN or Cellular
WAN?
5) Any timeout during failover? Yes or No
6) How long was the timeout during failover?
Mobile Command
In this example, we have a police patrol driving in an urban area. The MAX BR1 router
can be installed in these vehicles, allowing them to stay connected to their control center
while they are on the move. This is accomplished with 2 different WAN options.
Requirement
1) WAN
The police vehicle can use WiFi WAN as primary WAN link, backed up by a
Cellular WAN.
2) LAN
The wired LAN will be used for fixed machines, while the WiFi AP can serve
any of the policemen's handheld devices.
Public Transport
Public transport systems often travel long distances, so WiFi WAN may not be able to cover
the entire path. The only available WAN option would be Cellular broadband. If bus
companies want WAN resiliency, the BR1 has 2 SIM slots and 1 embedded modem, so
they can put in a second SIM card for Cellular failover purposes.
Requirement
1) WAN
2) LAN
The wired LAN will be used for machines in the bus, and the WiFi AP can
serve the passengers' handheld devices.
The System and Status menus are identical to those for the Balance
router.
For further details on these settings, please refer to the relevant firmware
user manual.
This module will examine different real life deployment scenarios, and how
to configure the access points to achieve the desired results.
Course Agenda
Module 4: Wireless Access Point Configurations
- To study how Pepwave Access Points can be implemented into various
deployment scenarios.
- To explain the steps to configure APs to achieve the desired effect.
Hardware Overview
After entering the parameters correctly, you will be able to log in to the Web
Admin page.
System Information provides an overview of system conditions:
Model
Firmware Version
AP Name
Location (user-defined, for the AP's physical location)
Serial Number
MAC Address
Network IP Information (details will be displayed if the default settings have been changed)
System Time
Up Time
LAN Settings
Manual Router Settings are available only when AP Mode in Advanced
System Settings is set to Router.
1) Go to Configure > LAN to access the LAN settings page.
2) Assign the IP details for the wireless segment; addresses from this segment will be
assigned to wireless clients. The AP IP will be the default gateway for the wireless
clients.
LAN Settings are disabled when the AP One is set to bridge mode, and all the fields
will be greyed out. The wireless client will get an IP assigned from the DHCP server
sitting in the wired LAN, and the packets will pass through the AP One to reach
the wired LAN.
The next two slides show the advanced settings for the SSID configurations.
You can also block custom subnets using the Custom Subnet tab, or
block everything except listed exceptions via the Block Exception tab.
One more step completes the Guest SSID configuration, as shown on the
next page.
Once this feature is turned on, the wireless clients in the Guest network
will not be able to access each other.
Next, get a machine to test the configuration.
For Staff traffic to be forwarded to the tunnel, uncheck the checkbox for Block SpeedFusion.
One more step completes the Staff SSID configuration, as shown on the next
page.
For internal staff access, layer 2 security need not be applied. To ensure it is
not enabled:
1) Click on the Advanced tab under Wireless Network Details for the Staff SSID.
2) Leave other settings as they are, and make sure the checkbox for Layer 2 Isolation is clear.
3) Click Save to flash and activate to apply the changes.
Requirement
The customer is expanding their head office, and the cabling work can only be
completed in a month's time. Staff need to move in to the new office area immediately. In
response, the IT manager will set up a WDS using an additional AP One (AP #2), to
wirelessly connect back to the existing AP One (AP #1).
Information needed to set up WDS
MAC Address of both APs
Encryption type: None or AES
Passphrase
Encryption Key
1) Go to Configure > WDS; the WDS Details window tab will appear.
2) Select the Yes radio button to enable the function.
3) Key in the MAC Address of the peer AP.
4) Enter any wording for the Passphrase, e.g. wdskey, then click the Generate Key button
to create the Encryption Key.
5) Click Save to flash and activate to apply the changes.
Once the settings are saved, it will take a moment for both APs to
recognize each other, initiate and negotiate the WDS connection. Go to
status page to verify the WDS status.
Requirement
A company wishes to install an AP in their office, but they are aware that other tenants on the
same floor have already installed a WLAN infrastructure. They want to know which
wireless spectrum (channel) will have the least interference.
The AP One series is capable of discovering nearby wireless networks and listing
all the wireless network information. That way, you can choose the least affected
channel (if no channel is free) for your AP.
In the event that the AP needs to provide higher power output to cover a bigger
area wirelessly, you can enable the Power Boost feature as follows:
1) Go to Configure > Advanced Wireless > Radio Settings tab.
2) Click on the Power Boost check box to enable the feature.
3) Click Save to flash and activate to apply the changes.
Note:
Enabling the power boost feature will increase the output power from 400mW to 2W,
which maximizes your access point's Wi-Fi capacity. Please enable only if local
regulations permit.
This module will examine different real-life deployment scenarios, and
provide detailed instructions on how to utilize the major features of the Surf
On-The-Go.
Dashboard Page
On the Dashboard page, you will see the device's current WAN connection status. It also
displays a real-time graph of Network Data Usage and Signal Timeline (if WiFi
or Cellular is active).
You can change the WAN connection type by clicking the Switch WAN Mode icons
(WiFi, Cellular, Wired).
Status Page
You can view the device status on this page. The detailed information includes:
Firmware version
Hardware version
Model
Serial Number
Supported Mode (operating radio frequency, a/b/g/n)
etc
If the WAN link is active, you will see the relevant information such as IP Address, Subnet Mask,
Gateway, etc.
Your Surf On-The-Go supports three WAN connection modes, giving you
maximum connectivity on the road, at the office, or at home.
Wi-Fi Mode
Connect to the Internet via a Wi-Fi Hotspot (backed up by Cellular), and provide a Local
Access Point and Ethernet Connection. e.g. Wi-Fi Services from ISP, Hotel, RV Park,
Marina.
Cellular Mode
Connect to the Internet using a 4G (WiMAX / LTE) or 3G USB Modem, and provide a Local
Access Point and Ethernet Connection. e.g. Traveler, Remote Area.
Wired Mode
Connect to the Internet via an Ethernet cable (backed up by Cellular), through a
DSL/Cable Modem or Router, and provide a Local Access Point. e.g. Home, Hotel
Wi-Fi Mode
Wi-Fi Mode makes it easy to share Wi-Fi service provided by hotels,
restaurants, marinas, RV parks, and more. Once connected to Wi-Fi, your
Surf can serve as a local access point for an unlimited number of devices.
You can also connect printers, game consoles, and other wired devices to
the Surf using its Ethernet port.
7) Upon successful connection, all of the LEDs on the Surf should be lit as follows:
PWR: Solid Green
RDY: Yellow
ENET: Solid Green
Wi-Fi: Displays a varying number of lit signal bars depending on the strength
of the received signal
If there is any open WiFi Hotspot available, you can configure the Surf OTG to enable the
Connect to Any Open Mode AP feature, with which it will connect to these Hotspots
automatically.
When needed, you can use the Ethernet client MAC address as the Surf's WAN MAC
address by enabling "MAC Clone" under Wi-Fi WAN Settings.
Cellular Mode
This mode allows you to connect your Surf to a 3G or 4G (WiMAX/LTE)
USB modem and share the connection with all your devices wirelessly
and/or using the Surf's Ethernet port. Cellular Mode is an ideal choice for
travelers or those living/working in remote areas without broadband service.
Wired Mode
Wired Mode lets you connect the Surf to a DSL/cable modem or router.
You can also connect the Surf to a multi-port switch for use with multiple
wired and wireless devices.
At the Dashboard, the Cellular 1 icon will appear below the Wired WAN.
Depending on the Cellular settings, if you choose disconnect, it will
remain disconnected (icon dimmed) while the primary WAN link is active. If
you select remain connected in the Cellular settings, the cellular link will
establish a connection and remain in hot-standby mode (icon turned green).
When the Surf OTG detects that the Wired WAN has failed, it will automatically bring up the
Cellular WAN. As shown in the screen capture, Cellular 1 is active (green
icon) with the signal strength status displayed.
When the Surf OTG detects that the Wired WAN has been restored, it will forward traffic on the
Ethernet port again and at the same time put the Cellular WAN in standby mode by
disconnecting from the cellular connection.
Ping & Traceroute Tests:
1) Ping to Gateway IP: 192.168.20.1 & Google Malaysia www.google.com.my
Passed or Failed
2) Traceroute Internet web sites (eg. www.google.com.my)
Note down the path taken and compare when Wired WAN failed