Course Agenda
Slide 4
Private and Confidential – Not for Distribution
- Ability for remote offices and employees to use business intranet over an
existing Internet connection as if they were directly connected to the network
- Savings in time and expense for employees to commute if they work from virtual
workplaces
Slide 5
Slide 6
PepVPN is our core VPN engine. It is ideal for establishing a secure tunnel over
any WAN link. On top of all the benefits of IPsec and other conventional VPN
technologies, the PepVPN engine also offers:
Long-distance Ethernet cable − You can easily build a secure and seamless
Ethernet tunnel over any IP connection (Layer 2 over Layer 3). It virtually
provides a long-distance Ethernet cable over any WAN link.
Seamless transition − PepVPN and SpeedFusion share the same core VPN
engine, meaning that all your PepVPN and SpeedFusion-enabled devices will
work flawlessly together. It also allows you to easily upgrade a PepVPN endpoint
to SpeedFusion, taking advantage of the added benefits without worrying about
compatibility.
This technology can be applied to SOHO and Mobile Office: any environment that
requires reliable connectivity, without using multiple low cost Internet links for
their business operations via VPN. Even if you have one encrypted peer and
another not encrypted, PepVPN will still create an encrypted tunnel. Because
PepVPN is easy to set up, no technical assistance is needed on-site.
Slide 7
Easy setup − Just add connections, you can even mix wired and wireless
technologies.
Unbreakable VoIP and VPN − With other VPN technologies, WAN failover
terminates existing VPN connections, creating costly downtime. SpeedFusion Hot
Failover prevents this by maintaining secure tunnels over all available WAN links.
In case of a WAN failure, SpeedFusion Hot Failover will instantly and seamlessly
switch traffic to another available tunnel. This creates unbreakable VPNs and
VoIP sessions.
Slide 8
Using intelligent algorithms, the sending Peplink device builds and delivers
special packets. Armed with these special packets, the receiving Peplink device
can then reconstruct the lost packets to ensure that communication remains
consistent. At the same time, WAN Smoothing will attempt to assign traffic to the
WAN connection with the lowest latency. Thus, the latency of the SpeedFusion
tunnel becomes the latency of the most responsive WAN connection.
VPN Bonding – SpeedFusion Bonding can create high speed VPNs by bonding
multiple WAN links together.
Packet Level Bandwidth bonding – The packets of your session are distributed
across all your available links.
Instant Bandwidth Control – And you can unplug connections at any time,
keeping your costs under control.
HQ-to-branch links, in-the-field news video streaming, high-speed public transport
(e.g. train): all of these applications need high bandwidth and reliable links to push
high volumes of data back to their HQ/Media Center/Control Center for
processing. SpeedFusion Bonding is able to combine multiple Internet lines into
one big logical pipe to carry the information over.
Slide 10
This table compares the features of IPSec, PepVPN, SpeedFusion Hot Failover,
WAN Smoothing, and Bandwidth Bonding.
There are three levels of SpeedFusion VPN solution. With this three-tier structure, it’s never
been easier to migrate to SpeedFusion and see why customers around the world
have replaced IPsec and other conventional VPN technologies.
Slide 11
We will now explore the application of SpeedFusion, with various case studies.
1) MPLS Replacement
2) Branch Network Connection
3) SpeedFusion 3G/4G Bonding
4) Video Transmission in the Air
5) Data Transmission over Water
6) Replace Expensive Satellite Connection
7) Mission Critical Video Surveillance
8) 100% Uptime for First Responders
9) Money Saving on Branch Network Connections
10) Flawless Connections in Remote Areas
Slide 12
MPLS Alternative
● Load balance between 50 Mbps MPLS
FiOS and wireless PTP link
● 9 sites connected to central HQ
● Replaced with Peplink SpeedFusion
bonded VPN
● Winning Factors
○ 92% savings
○ 15x more bandwidth
“To date, my devices have been up and
running continuously with no intervention for
114 days with zero issues.” - Andrew W.
Pudlak, IT Manager
Slide 13
Fast-Deploy Temporary
Bandwidth
● Temporary network required for
construction crew rebuilding severely
storm-damaged railway line.
● SpeedFusion VPN using MAX HD products
back to a Balance 710 at HQ.
● Winning Factors
○ 8x 3G lines, Unbreakable Cellular
Bonding creates 25Mbps down
and 12Mbps up bandwidth.
○ Resilient to ISP outages.
○ Secure transmission of sensitive
data for the Prime Minister and
Cabinet officials.
“The challenges of providing robust and reliable
connectivity in an environment like Dawlish cannot
be underestimated.” - Jim Kernahan, co-founder
of Peplink partner Trellisworks.
Slide 14
Slide 15
MPLS Alternative
● 43x Balance 380s at branches, 2x
Balance 1350s in High Availability
mode at HQ.
● Replaced site-to-site MPLS links with
SpeedFusion VPN.
● Winning Factors
○ Huge savings: USD 100,000
Annually.
○ Bandwidth: 4x increase from
previous configuration.
○ Rapid rollout: 43-branch
solution designed and
deployed in less than a year.
“Yesterday I discontinued our last 3 MPLS
circuits.” - Charles Miller, Systems Engineer
Slide 16
● Winning Factors
○ Each AP 300M 5GHz handles 50+
users without issues
○ MediaFast caching ensures
lightning fast access to media-rich
content
“The MediaFast and AP overcomes all our network
problems. The speed difference in content
retrieval is extremely impressive!” - Alberto
Pamos, IT Director. Colégio Next.
Slide 17
Life-Saving Mammograms in
Rural Louisiana
● 4x bonded cellular from multiple carriers,
MAX HD2, HD4, BR1 and Balance 580
● Winning Factors
○ Unbreakable cellular connection in
rural area, transfer speed doubled
○ Large three dimensional X-ray
images take just minutes to
upload over an established
bandwidth of 22Mbps
“This solution allows us to send images from
remote locations that typically have poor cellular
coverage” - Dr. Jerry McLarty, LSU Health.
Slide 18
Slide 19
Module 2: Peplink and
Pepwave Products Overview
Slide 21
Peplink and Pepwave solutions cover different market segments, ranging from
SOHO, Mobile Office, Small Office, Branch Office, Regional Office, and HQ-level
Data Centers.
Slide 22
2) Small Business
- Balance 210 & 310
- 2 to 3 WAN interfaces, with 1 USB for Mobile Internet dongle
- 50 max users recommended
- Comes with SpeedFusion Bonding, up to 2 SpeedFusion peers max
3) Mid-Size Business
- Balance 305, 380 & 580
- 19” Rack mount form factor
- Recommended for up to 500 users max for 305 & 380, while 580 can support up to 1,000 users max
- Model 305 (with separate license) & 380 support 20 SF peers max, while 580 supports 50 SF
peers max
- Can act as a WLAN Controller by default, supporting 10 Access Points by default
- Can manage up to 50 (Model 305 & 380) and 100 (Model 580) APs with a separately purchased
license
4) Large Enterprise
- Balance 710 & 1350
- 19” Rack mount form factor
- 710 can support 2,000 users max while 1350 can support up to 5,000 users max
- Model 710 supports 300 SF peers max, while 1350 supports 800 SF peers max
- Can act as a WLAN Controller by default, supporting 20 Access Points by default
- Can manage up to 250 (Model 710) and 500 (Model 1350) APs with a separately purchased license
Slide 23
NOTE:
- Specifications shown are based on firmware version 6.2.2
- When the Peplink Balance is configured as a PPTP Remote VPN server, it can support local
user authentication in addition to using RADIUS and LDAP servers.
Slide 24
Slide 25
Slide 26
Slide 27
For existing Balance customers who wish to implement a WLAN solution, Peplink
can help save significant money and effort. From the model 305, 580 and
onwards, the Balance comes with built-in AP management. This makes deploying
Pepwave APs much easier and more affordable.
In this example, the Balance Multi-WAN router can serve three roles: it is a WAN
load balancer, a Wireless LAN Controller, and when needed, a site-to-site VPN
termination point as well.
Slide 28
1) MAX Transit
- Has cellular connectivity and 11ac Wi-Fi.
- Specially built for Transportation Hotspot deployments.
- Multi-cellular router with optional SpeedFusion.
- Can be mounted on DIN Rail Mount
2) MAX 700
- 802.11 ac/a/b/g/n Wi-Fi Hotspot
- Rugged metal case is suitable for industrial-grade usage
- Supports up to 7 WAN links (2 Wired, 4 USB, 1 WiFi)
- Built with terminal block for reliable power sourcing, and a rugged 10V-32V DC power supply deployable in mobile
vehicle
- Ideal for on-the-field media streaming and live broadcasting deployment, that require bigger bandwidth
3) MAX On-The-Go
- Supports 4x USB modems
- 802.11 a/b/g/n Wi-Fi Hotspot
- This product is suitable for mobile offices that reside in rural areas without access to cable internet
- Upgradable to SpeedFusion WAN Smoothing
4) MAX Adaptor
- Houses 1x USB modem within an enclosure, dongle is hidden for a cleaner appearance.
*Please note that redundant SIM does not equal two cellular modems. That is, only one SIM can be active at any time;
you will not be able to get better throughput or load balancing by filling both SIM slots.
Slide 29
Slide 30
Slide 31
SpeedFusion Bonding
- Deploy multiple low cost 3G connections
- Save money, enjoy higher bandwidth, avoid dead spots
- Seamless failover ensures reliable video stream from mobile sites to HQ
Hot Failover
- Everywhere LTE
- Ensures optimal performance by choosing the carrier with the best signal
- Saves money by using only one carrier at a time
- Hot failover ensures flawless video stream from mobile sites to HQ
Slide 32
MediaFast caching downloads content just once, and delivers it as many times as
needed without incurring additional bandwidth.
This is particularly useful for eLearning where you have a large number of tablets
pulling the same content. This is also useful for events and conferences where
attendees will often draw from similar content.
1) MediaFast 200
- 2x GbE WAN Ports, 8x GbE LAN Ports
- Capable of delivering 802.3af PoE Output
- Simultaneous Dual-Band 802.11a/b/g/n AP
- 120GB SSD
2) MediaFast 500
- 5x GbE WAN ports, 3x GbE LAN ports
- 240GB SSD
With MediaFast, you can download content just once and deliver on-demand,
uninterrupted content anywhere at blazing speed. Cache iTunes/iTunes U and
other content manually or automatically by domain and file type. Keep content as
long as you like or purge it automatically by file type and age.
Features At A Glance
Slide 35
Pepwave AP One access points offer fast, affordable, and dependable wireless
networking without administration headaches. Ready for anything and built to go
anywhere, AP One access points deliver enterprise-grade Wi-Fi that drops in
quickly and immediately gets to work -- so you can get back to your work.
Minimize Wi-Fi management hassles with the AP One series and the Peplink
Balance with AP Controller. Fully integrated with the Peplink Balance, our AP
Controller makes it easy to configure, manage, update, and report on up to 500
AP One devices from a single intuitive interface. Prefer the flexibility of cloud-
based administration? Our InControl remote management system gives you
complete control over every device on your network and in-depth reporting with
just a few clicks, all from a simple, yet powerful, web-based tool that’s available
anywhere you have online access and a supported browser.
Service Provider Wi-Fi – the AP One can help you deploy a carrier grade
wireless solution, install many for citywide Wi-Fi CPEs.
The Pepwave Surf SOHO is a professional-grade Wi-Fi router designed for home
office, small business, and power users. With its support for 4G LTE/3G, cable,
DSL, and other broadband connections, the Surf SOHO makes it possible to
deploy fast and secure 802.11abgn Wi-Fi hotspots anywhere.
The Surf SOHO also features a built-in long-range antenna, optional external
antennas, business-class VPN, cellular usage monitoring, and URL blocking. This
makes it an ideal networking solution for a wide range of mobile and office uses.
Slide 37
For indoor wired/wireless connectivity, there's our Surf On-The-Go, the ultimate
travel router. The Surf On-The-Go's Wi-Fi radio lets you connect an unlimited
number of wireless devices at once. Built-in Ethernet port ensures that no printer,
scanner, or other wired device gets left behind, and multiple connection profiles
make device management a snap.
4 Operating Modes
• 4G/3G USB Wi-Fi Router
• Cable / DSL / Ethernet Wi-Fi Router
• Wi-Fi Repeater
• Wi-Fi Adapter for Wired Devices
3 WAN Modes
• WiFi WAN
• USB Cellular WAN
• Wired WAN
Slide 38
The above diagram represents a classic use of FusionHub. The Balance 310s
and MAX HD2s at the remote site connect using Bandwidth-bonded VPN to
headquarters. At headquarters, you can install a Balance device to receive the
SpeedFusion traffic. Alternatively, if you want to use your existing infrastructure,
you can install FusionHub instead. One key advantage of FusionHub is that there
is no need to install additional physical devices, potentially bypassing lengthy
approval processes that could plague physical device installations.
InControl 2 is our cloud based device management, monitoring, and reporting tool
designed specifically for Peplink and Pepwave devices. It is accessible from any
Web-based browser. Any of our devices can now be registered for InControl 2.
With InControl 2, you get advanced administration tools, unprecedented device
visibility, and comprehensive reporting.
3) SpeedFusion Management
- Fully Automated SpeedFusion VPN Configuration and Deployment
- Manage SpeedFusion settings from a central location
- Get live SpeedFusion status information
- Monitor bandwidth across site-to-site VPN links
- Push SpeedFusion changes to devices immediately
Slide 43
Module 3: Balance and MAX
Routers
This module will examine different real life deployment scenarios, and describe
how to configure the routers to achieve the desired result.
Slide 45
Physical hardware layout and control panel for Balance high-end model.
Below are some of the frequently used functions in the Control Panel navigation (based on the Balance 380 model):
HA State: Master/Slave
> LAN IP
> VIP
System Status
> System
-> Firmware ver. (shows firmware version)
-> Serial number (shows serial number)
-> CPU load (shows current CPU loading, 0-100%)
-> LAN
---> Status (shows LAN port physical status)
---> IP address (shows LAN IP address)
---> Subnet mask (shows LAN subnet mask)
> Link status (shows Connected/Disconnected, IP address list)
-> WAN1
-> WAN2
-> WAN3
> Link usage
-> Throughput in (shows transfer rate in Kbps)
---> WAN1
---> WAN2
---> WAN3
-> Throughput out (shows transfer rate in Kbps)
---> WAN1
---> WAN2
---> WAN3
Maintenance
> Reboot > Reboot? (Yes/No) (to reboot the unit)
> Reset Admin Password? (Yes/No)
> Factory default > Factory default? (Yes/No) (to restore factory defaults)
> Remote Assistance
NOTE:
For models below 310, there is no feature to reset the admin password through the Control Panel; it is only available for
models from 310 and above.
Please refer to the user manual, Chapter 6 – Peplink Balance Overview, for details of each model's physical layout, LED
indicators, LCD Panel and Control (applicable to 310 and above), and Unit Label Appearance.
Slide 46
Out of the box, the Peplink Balance comes with the default settings below:
• IP: 192.168.1.1/24
• Username: admin
• Password: admin
• LAN DHCP: Enabled
• DHCP IP Range: 192.168.1.10 – 192.168.1.250
In the diagram above, the switch is optional for connecting to the Peplink Balance.
You can plug the UTP cable directly from the PC/Notebook into the Balance LAN port
for the same purpose.
Slide 47
After entering the parameters correctly, you will be able to login to the Web
Admin page.
Slide 48
Slide 49
- Peplink Site-to-Site VPN encrypts traffic with the military-grade 256-bit AES
algorithm.
- Site-to-Site VPN is available with the Peplink Balance 210, 310, 380, 580, 710,
and 1350.
- The Peplink Balance 380/580/710/1350 supports multiple Site-to-Site VPN
connections among twenty or more locations, and is designed for
Headquarters/Regional Offices.
- The Peplink Balance 210/310 supports two Site-to-Site VPN connections; ideal
for Branch Offices.
- Site-to-Site VPN connections can be established for all Dynamic IP/Static IP
scenarios. Please refer to the Requirement section for more information.
Being able to establish multiple VPN connections provides variety and flexibility
in deploying your network. You may choose to create a network in
a Mesh or Star topology, or you may even combine the two setups to create a
more complex network.
Slide 50
This creates four possible WAN types that you can use to establish the VPN connection. Peplink
Balance supports all four types. However, to establish a VPN connection using Dynamic IP WAN
connections, you have to configure at least one Dynamic DNS.
• WAN has a Dynamic IP and the Peplink Balance has a Public IP.
• WAN has a Static IP and the Peplink Balance has a Public IP.
• WAN has a Dynamic IP and the Peplink Balance is behind NAT.
• WAN has a Static IP and the Peplink Balance is behind NAT.
The table above illustrates the system requirements for configuring a Peplink Site-to-Site VPN
connection.
Another point to note: if both sides of the SpeedFusion VPN have the same LAN subnet, the
SpeedFusion tunnel cannot be established, just as with any other third-party VPN technology.
Slide 51
• WAN Connection Priority - You can specify the priority of the WAN connections to be used
in making VPN bonding connections. A WAN connection will never be used when OFF is
selected. Only available WAN connections with the highest priority will be utilized. Grouping
WAN connections with similar characteristics, such as latency and packet loss, into the same
priority can help bonding performance.
Slide 52
With our new three-tier structure, it’s never been easier to migrate to
SpeedFusion. Once you use it, you will see why customers around the world
have replaced IPsec and other conventional VPN technologies.
Note:
1) With other VPN technologies, WAN failover terminates existing VPN
connections, creating costly downtime. SpeedFusion Hot Failover is completely
automatic and invisible, so you won’t miss a beat when switching between
connections.
Slide 53
Long-distance Ethernet cable − With PepVPN, you can build a secure and
seamless Ethernet tunnel over any IP connection (Layer 2 over Layer 3). It
virtually provides a long-distance Ethernet cable over any WAN link.
Seamless transition − PepVPN and SpeedFusion share the same core VPN
engine. It means all your PepVPN and SpeedFusion devices will work flawlessly
together. It also allows you to easily upgrade a PepVPN endpoint to SpeedFusion,
taking advantage of the added benefits without having to worry about
compatibility.
Requirement:
The portrayed scenario shows a typical remote-to-HQ VPN connection, where SpeedFusion
PepVPN allows site-to-site VPN connections with auto-failover capability. WiFi WAN is the primary
link for the VPN; when WiFi WAN goes down, WAN 5 (Wired WAN) will take over the VPN connection
automatically. This change is transparent to users.
Slide 54
1) Go to Network > SpeedFusion. If this is the first time a SpeedFusion VPN is being created, a
SpeedFusion window appears asking for the Local ID.
2) Enter a Local ID; the remote VPN peer will use this ID to identify this unit during VPN
establishment.
3) Click the Save button, then click the New Profile button to proceed.
Pre-configuration Note:
If both sides are running on a Dynamic Public IP, then at least one WAN port of one of the two
Balance routers must subscribe to a Dynamic DNS service and use the assigned domain name as the
Remote IP Addresses / Host Name in the VPN Profile section.
Slide 55
HQ VPN Profile
1) At the VPN Profile window, enter a meaningful Name; this name should be the
same on both sides, e.g. MY-MOTG.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite side.
3) At the WAN Connection Priority window, choose the WAN links that should be included in
the SpeedFusion VPN tunnel; in this case WAN 1 & 2 are bonded together.
4) Save and apply the changes.
Note:
It is important to enter the Remote ID correctly (either the router ID or the Serial Number);
otherwise the SpeedFusion tunnel cannot be established. Error messages similar to
"Refused connection made from unknown peer (foobar)" or "Refused connection
made from unknown peer (XXXX-1234-ABCD)" indicate that a wrong ID/Serial No. was entered
at one or both routers.
If Encryption is accidentally turned off on one of the routers, the VPN tunnel will still be
encrypted in both directions, as the other router will trigger encryption to be turned on at both ends.
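The requirements stated on these slides (same profile Name on both sides, Remote ID equal to the peer's Local ID, different LAN subnets, a Dynamic DNS name when both sides have dynamic IPs, and the per-model SpeedFusion peer limits) can be checked against a deployment plan before the routers are touched. The following is an added example, not Peplink code: the `Endpoint` record, the function names, the IDs `HQ-380` and `MOTG-01` and the address 203.0.113.10 are assumptions made for illustration, and the subnet test uses overlap, which includes the identical-subnet case the slides name.

```python
"""Pre-flight check of a planned site-to-site profile pair (added example)."""
import ipaddress
from dataclasses import dataclass, field

# SpeedFusion peer limits per Balance model, as listed on the product slides
# (the slides state that specifications are based on firmware 6.2.2).
SF_PEER_LIMIT = {"210": 2, "310": 2, "305": 20, "380": 20,
                 "580": 50, "710": 300, "1350": 800}


@dataclass
class Endpoint:
    """One side of a planned profile. Hypothetical planning record, not a device format."""
    local_id: str        # Local ID entered under SpeedFusion
    profile_name: str    # Name of the VPN profile
    remote_id: str       # Remote ID entered in the profile
    lan: str             # LAN subnet in CIDR notation
    dynamic_ip: bool     # True if this side only has dynamic public IPs
    ddns_host: str = ""  # Dynamic DNS name this side subscribes to, if any
    remote_hosts: list = field(default_factory=list)  # Remote IP Addresses / Host Name


def check_pair(a: Endpoint, b: Endpoint) -> list:
    """Return a list of problems that would stop the tunnel from establishing."""
    problems = []
    if a.profile_name != b.profile_name:
        problems.append("profile Name differs between the two sides")
    # Each side's Remote ID must be the other side's Local ID, otherwise the
    # peer is refused as unknown.
    for near, far in ((a, b), (b, a)):
        if near.remote_id != far.local_id:
            problems.append(
                f"{near.local_id}: Remote ID {near.remote_id!r} does not match "
                f"peer Local ID {far.local_id!r}")
    # strict=True rejects a CIDR with host bits set (a likely typo in the plan).
    net_a = ipaddress.ip_network(a.lan, strict=True)
    net_b = ipaddress.ip_network(b.lan, strict=True)
    if net_a.overlaps(net_b):
        problems.append(f"LAN subnets overlap: {net_a} and {net_b}")
    if not a.remote_hosts and not b.remote_hosts:
        problems.append("neither side lists a Remote IP Address / Host Name")
    # Both sides dynamic: one side needs a DDNS name, and the other side must
    # use that name as its Remote IP Addresses / Host Name entry.
    if a.dynamic_ip and b.dynamic_ip:
        ddns_used = any(near.ddns_host and near.ddns_host in far.remote_hosts
                        for near, far in ((a, b), (b, a)))
        if not ddns_used:
            problems.append("both sides have dynamic IPs but no Dynamic DNS "
                            "name is used as a remote host")
    return problems


def check_peer_count(model: str, planned_peers: int) -> list:
    """Compare the number of planned peers with the model's SpeedFusion limit."""
    limit = SF_PEER_LIMIT.get(model)
    if limit is None:
        return [f"no peer limit known for model {model!r}"]
    if planned_peers > limit:
        return [f"Balance {model}: {planned_peers} peers planned, limit is {limit}"]
    return []


# Constructed sample plan. The profile name and LAN subnets follow the slides;
# the IDs and the public address are made up.
HQ = Endpoint("HQ-380", "MY-MOTG", "MOTG-01", "10.0.0.0/8", dynamic_ip=False)
REMOTE = Endpoint("MOTG-01", "MY-MOTG", "HQ-380", "192.168.0.0/24",
                  dynamic_ip=True, remote_hosts=["203.0.113.10"])

if __name__ == "__main__":
    for problem in check_pair(HQ, REMOTE) + check_peer_count("380", 1):
        print("PROBLEM:", problem)
    print("checks finished")
```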
Slide 56
Once the VPN profile has been created on both sides, and if the WAN links are
up, the routers will automatically initiate the VPN connection. If all the parameters
are correct, it will take only a few minutes.
As shown in the screenshots, at the Dashboard page, the status of the VPN
connection will change to “Established”, indicating a successful VPN connection.
Slide 57
To verify which links are participating in the VPN connection, you can click on the
Status button in the SpeedFusion or PepVPN section as shown in the screen
capture.
It also lists the network(s) learned from other sides, via the built-in routing
protocol. HQ will see the 192.168.0.0/24 network from Remote router, and
Remote will learn 10.0.0.0/8 network from the HQ side.
In our screencaps, the HQ side router is using WAN 1 for the VPN connection,
while the remote site is using WiFi WAN as VPN link.
Slide 58
To ensure the end-to-end connectivity is up, a PING test to the other side host
(LAN IP) should receive a response as shown above.
Ping Test:
1) HQ side ping to Remote LAN IP: 192.168.0.11
• Passed or Failed
Slide 59
Failover Test:
1) Unplug WAN 1 at HQ, and/or
2) Disconnect the WiFi WAN at Remote
3) Observe the changes to the routers
Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
• Passed or Failed
Slide 60
Easy setup − Just add connections, you can even mix wired and wireless links
of different WAN technologies.
Unbreakable VoIP and VPN − With other VPN technologies, WAN failover
terminates existing VPN connections, creating costly downtime. SpeedFusion
Hot Failover prevents this by maintaining secure tunnels over all available WAN
links. In case of a WAN failure, SpeedFusion Hot Failover will instantly and
seamlessly switch traffic to another available tunnel. This provides unbreakable
VPNs and VoIP sessions.
Requirement:
A customer with branch-to-HQ connections often runs delay-sensitive applications like VoIP, so it
needs fast-failover VPN connectivity to ensure the VoIP session is not interrupted if any of the
WAN links break. The following set-up will fulfill this requirement:
- A MAX BR1 installed at branch level with Wired and WiFi WAN,
- A Balance 380 deployed in HQ with 2 wired WAN (e.g. Metro-e) with a static Public IP assigned
to each WAN link.
Slide 61
The user interface is the same across the MAX router series. Assuming we are taking
the same HQ setup as in the previous example, the VPN profile creation process is the
same except that the name is changed to MY-MaxBR1. Here are the steps to create a
VPN profile on the MAX BR1.
At the MAX BR1 router, go to Advanced > SpeedFusion to create the VPN
profile.
VPN Profile
1) At the VPN Profile window, enter a meaningful Name; this name
should be the same on both sides, e.g. MY-MaxBR1.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite
side.
3) For the remote site, you need to enter at least one Public IP (or DNS/DDNS) of the
HQ router WAN link; if HQ has multiple WAN links with static Public IPs, you
can key in all the IPs.
4) The MAX BR1 WAN link supports Hot-Failover, so the SpeedFusion VPN will
follow the state of the WAN link in order to maintain the VPN link (e.g. if WAN
1 is active and WAN 2 is on standby, the SpeedFusion VPN will use WAN 1 as the
primary link to forward VPN traffic, while keeping WAN 2 in hot standby mode).
5) Save and apply the changes.
Slide 62
Once the VPN profile is created on both sides, and if the WAN links are up, the
routers will start negotiating the VPN connection. If all the parameters are correct, the
VPN will come up in minutes.
As shown in the screenshots, on the Dashboard page, the status of the VPN
connection will change to “Established”, indicating a successful VPN connection.
Failover Test:
1) Before starting the test, at the Remote site, launch the command prompt
window and conduct a continuous ping to HQ LAN IP (10.0.0.10)
2) Unplug WAN 1 at Remote (MAX BR1)
3) Observe the changes at the routers
Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
• Passed or Failed
Slide 63
Recovery Test:
1) Before starting the test, at the Remote site, launch the command prompt
window and conduct a continuous ping to HQ LAN IP (10.0.0.10)
2) Plug back the WAN 1 at Remote (MAX BR1)
3) Observe the changes at the routers
Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
• Passed or Failed
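To put a number behind "Passed or Failed" in the failover and recovery tests, the continuous ping output can be saved and summarised. The following is an added example, not part of the course material: it parses Windows `ping -t` output, and the sample log, the function names and the pass threshold `max_consecutive_lost` are assumptions (the slides define no numeric criterion).

```python
"""Summarise a continuous ping log captured during a failover test (added example)."""
import re
from statistics import mean

# Line formats printed by the Windows ping command.
REPLY = re.compile(r"^Reply from ([\d.]+): bytes=\d+ time[=<](\d+)ms TTL=\d+")
LOSS_MARKERS = ("Request timed out.", "Destination host unreachable.",
                "General failure.")


def parse_ping_log(text: str, target: str) -> list:
    """Return one entry per probe: the RTT in ms for a reply, None for a loss."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        match = REPLY.match(line)
        if match and match.group(1) == target:
            events.append(int(match.group(2)))
        elif line.endswith(LOSS_MARKERS):
            # Covers "Reply from <gateway>: Destination host unreachable." too.
            events.append(None)
    return events


def summarise(events: list, max_consecutive_lost: int = 3) -> dict:
    """Compute loss, longest outage and RTT before/after the outage.

    ping sends roughly one probe per second, so longest_gap approximates the
    outage in seconds. max_consecutive_lost is the tester's own criterion.
    """
    longest = run = 0
    for event in events:
        run = run + 1 if event is None else 0
        longest = max(longest, run)
    lost_idx = [i for i, event in enumerate(events) if event is None]
    before = events[:lost_idx[0]] if lost_idx else events
    after = events[lost_idx[-1] + 1:] if lost_idx else []
    # If anything was lost, replies must resume afterwards to count as recovered.
    recovered = not lost_idx or bool(after)
    passed = recovered and longest <= max_consecutive_lost
    return {
        "sent": len(events),
        "lost": len(lost_idx),
        "longest_gap": longest,
        # A change in RTT after the gap shows traffic moved to another WAN link.
        "rtt_before_ms": round(mean(before)) if before else None,
        "rtt_after_ms": round(mean(after)) if after else None,
        "result": "Passed" if passed else "Failed",
    }


# Constructed sample: WAN 1 is unplugged after the second reply.
SAMPLE_LOG = """\
Pinging 10.0.0.10 with 32 bytes of data:
Reply from 10.0.0.10: bytes=32 time=18ms TTL=63
Reply from 10.0.0.10: bytes=32 time=20ms TTL=63
Request timed out.
Request timed out.
Reply from 10.0.0.10: bytes=32 time=61ms TTL=63
Reply from 10.0.0.10: bytes=32 time=59ms TTL=63
"""

if __name__ == "__main__":
    print(summarise(parse_ping_log(SAMPLE_LOG, "10.0.0.10")))
```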
Slide 64
To monitor the SpeedFusion Hot-Failover and recovery process, you can view the
SpeedFusion Status window.
Slide 65
Requirement
SpeedFusion VPN Bonding technology is particularly useful for customers with a higher volume
of VPN traffic between sites. It ensures that the VPN link is aggregated into a bigger pipe while
at the same time providing reliability.
In this example, we will install a Balance 310 at the branch level, while HQ keeps the
Balance 380. We also configure the Balance 310 in Drop-In mode, assuming the branch has
an existing infrastructure setup.
Slide 66
We take the same HQ setup as in the previous example; the VPN profile creation
process is the same except that the name is changed to MYKL-VPN. Here are the
steps to create the VPN profile in MAX BR1.
VPN Profile
1) At the VPN Profile window, enter a meaningful Name; this name
should be the same on both sides, e.g. MYKL-VPN.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite
side.
3) For the remote site, you need to enter at least one Public IP (or DNS/DDNS) of the
HQ router WAN link; if HQ has multiple WAN links with static Public IPs, you
can key in all of the IPs.
4) The Balance 310 is capable of VPN Bonding, so choose the active WAN links
from the WAN Connection Priority section to be bonded by the SpeedFusion
VPN; this example will use WAN 1 & 2 to forward VPN traffic.
5) Save and apply the changes.
Slide 67
Once VPN profiles have been created on both sides, and if the WAN links are
up, the routers will start negotiating the VPN connection. If all the parameters
are correct, the VPN will be online in a minute's time.
As shown in the screenshots, at the Dashboard page, the status of the VPN
connection will change to “Established”, indicating a successful VPN connection.
Failover Test:
1) Before starting the test, at the Remote site, launch the command prompt
window and conduct a continuous ping to HQ LAN IP (10.0.0.10)
2) Unplug WAN 2 at Remote router (Balance 310)
3) Observe the changes at the routers
Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
• Passed or Failed
Slide 68
To monitor the SpeedFusion Hot-Failover and recovery process, you can view
the SpeedFusion Status window.
1) Go to DashBoard, click on Status tab at the top, and the SpeedFusion tab
on the side
2) Click on the blue triangle beside “MYKL-VPN” (or the name of your VPN) to
expand the statistics
3) Monitor the changes on the WAN status during the failover and fallback
Recovery Test:
1) Before starting the test, at the Remote site, launch the command prompt window
and conduct a continuous ping to HQ LAN IP (10.0.0.10)
2) Plug back the WAN 2 at Remote router (Balance 310)
3) Observe the changes at the routers
Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
• Passed or Failed
Slide 69
Ethernet-easy WAN
Unlike traditional WAN technologies, PepVPN works with any IP connection,
sets up in minutes, and requires almost no maintenance. It connects sites,
regardless of the distance, with a lightning-quick 256-bit AES-encrypted tunnel.
It is 100% compatible with all your Peplink/Pepwave devices.
PepVPN is so fast and easy to use, it’s like having everyone on the same LAN,
connected by Ethernet cables. PepVPN eliminates the 100-meter limitation. In
fact, it eliminates any distance limitations, so go ahead and do business
anywhere you please – across town, throughout the country, around the globe.
Requirement
Many companies need to mobilize a team at a project site while keeping the team
connected to the company network. However, some systems in their company
don’t work well in a routed environment or a VPN (e.g. NetBIOS, mainframe-based
applications, and even VMware SRM). In these situations, the solution is to
extend the office network to the project site using the SpeedFusion Long Distance
Ethernet VPN solution.
In this scenario, they are deploying a Balance 380 at HQ, and a MAX On-The-
Go (MOTG) at the remote site. The HQ’s LAN IP (192.168.125.0/24) will be
extended to the remote site, with DHCP enabled to assign IP addresses to remote hosts.
Slide 70
Extending the HQ LAN to the remote site can be done using the SpeedFusion L2
approach. These screencaps show the VPN profiles at both HQ and Remote
sites.
HQ VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name; this name should be the same on both sides, e.g. SF-L2.
2) To enable Layer 2, first click on the “?” at the top-right of the SpeedFusion Profile window and click on the link to
unhide the Layer 2 Bridging feature.
3) Tick the checkbox for Layer 2 Bridging, select the Bridge Port to LAN (default setting).
4) Since the HQ serves as the DHCP server end, tick the checkbox for Preserve LAN Settings Upon Connected.
5) Save and apply the changes.
Slide 71
Once the VPN profiles have been created on both sides, and if the WAN links are up, the routers will
start negotiating the VPN connection. If all the parameters are correct, the VPN will
come up in a minute's time. The description on the SpeedFusion will change, with
the added wording “Layer 2” beside SpeedFusion. At the remote router, a
warning message is displayed at the bottom of the Device Information section.
Slide 72
To verify the SpeedFusion tunnel, you can view the SpeedFusion Status window.
Ping Test:
1) Remote side ping to HQ LAN IP: 192.168.125.10
• Passed or Failed
Slide 73
However, no matter how quickly cellular data bandwidth and quality improve,
mobile business will always demand more. From live video streaming and
conferencing to ever-larger file transfers and real-time collaboration, today’s
mobile applications strain even the latest and greatest cellular technology to its
limits. The result is fluctuating data quality, unpredictable data rates, and
widespread frustration, in addition to costly overage charges.
Requirement
In our previous case, the remote site area doesn’t have any WiFi or Wired
Internet facility. So, the project team needs to use Cellular WAN to establish a
VPN back to the office. We can combine both 3G cellular lines into SpeedFusion
Bonded VPN to allow greater throughput and reliability. The remote site LAN IP is
192.168.0.0/24, and the HQ LAN IP is 192.168.125.0/24.
Slide 74
Assume the HQ router has already created the SpeedFusion profile named SF-L2, a
normal Layer 3 bonded VPN. Here are the steps for creating a VPN profile on the MAX
OTG.
VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name; this name
should be the same on both sides, e.g. SF-L2.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite
side.
3) At the remote site, enter at least one Public IP (or DNS/DDNS) of the HQ
router WAN link. If HQ has multiple WAN links with static Public IPs, you can
key in all the IPs.
4) MAX OTG is capable of VPN Bonding, so choose the active WAN links from
the WAN Connection Priority section to be bonded by SpeedFusion VPN.
This example will use WAN 1 & 2 to forward VPN traffic.
5) Save and apply the changes.
Slide 75
Once VPN profiles have been created on both sides, and if the WAN links are up,
the routers will start negotiating the VPN connection. If all the parameters are correct,
the VPN will come up in a minute's time.
As shown in the screenshots, the Dashboard shows the status of the VPN
connection changing to “Established”, indicating that the VPN connection process
is successful. Also notice that both WAN 1 & 2 are up and connected to the
Internet.
Slide 76
To further verify the SpeedFusion tunnel, you can view the SpeedFusion Status
window.
Slide 77
A real-time graph shows the traffic passing through the SpeedFusion Bonded VPN
tunnel. If the uplink direction experiences a link interruption, the
SpeedFusion graph will indicate packet loss.
Slide 78
Slide 79
As the chart on the left shows, when a SpeedFusion VPN tunnel is used to
transmit IMIX data (4084 bytes), an additional 960 bytes of SpeedFusion
overhead is required.
The SpeedFusion overhead is 19% of the total transmitted data (IMIX +
overhead). Since it uses a fixed number of bytes per packet transmitted (an
additional 80 bytes), SpeedFusion is much more efficient when transmitting
larger packet sizes.
Slide 80
Accounting for SpeedFusion bandwidth overhead and assuming that the traffic
passing across the links is similar to the previously mentioned IMIX standard, we
can calculate available real-world bandwidth at the remote site:
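The overhead figures quoted above can be reproduced, and applied to a link rate, with a short calculation. This is an added example, not Peplink material; it assumes the 4084-byte IMIX sample is the common 7:4:1 mix of 40, 576 and 1500-byte packets, and the 10 Mbps link rate is a constructed value.

```python
"""SpeedFusion tunnel overhead, from the per-packet figure quoted on the slides."""

OVERHEAD_PER_PACKET = 80  # bytes added to every packet (figure from the slide)

# Assumption: the slide's 4084-byte IMIX sample is the common "simple IMIX"
# mix of 7 x 40-byte, 4 x 576-byte and 1 x 1500-byte packets (12 packets).
IMIX_PROFILE = [(40, 7), (576, 4), (1500, 1)]  # (packet size in bytes, count)


def payload_bytes(profile):
    """Total user data carried by the packets in the profile."""
    return sum(size * count for size, count in profile)


def overhead_bytes(profile, per_packet=OVERHEAD_PER_PACKET):
    """Total tunnel overhead: a fixed cost per packet, whatever its size."""
    return per_packet * sum(count for _, count in profile)


def overhead_ratio(profile, per_packet=OVERHEAD_PER_PACKET):
    """Overhead as a fraction of everything sent (data + overhead)."""
    payload = payload_bytes(profile)
    overhead = overhead_bytes(profile, per_packet)
    return overhead / (payload + overhead)


def usable_bandwidth(link_mbps, profile, per_packet=OVERHEAD_PER_PACKET):
    """Bandwidth left for user data on a link once tunnel overhead is paid."""
    return link_mbps * (1.0 - overhead_ratio(profile, per_packet))


def overhead_by_packet_size(sizes, per_packet=OVERHEAD_PER_PACKET):
    """Overhead percentage for streams made of a single packet size."""
    return {size: round(100 * overhead_ratio([(size, 1)], per_packet), 1)
            for size in sizes}


if __name__ == "__main__":
    print("IMIX payload  :", payload_bytes(IMIX_PROFILE), "bytes")
    print("IMIX overhead :", overhead_bytes(IMIX_PROFILE), "bytes")
    print("Overhead share: %.1f%%" % (100 * overhead_ratio(IMIX_PROFILE)))
    print("Per size (%)  :", overhead_by_packet_size([40, 576, 1500]))
    # Constructed link rate, for illustration only.
    print("Usable of 10 Mbps: %.2f Mbps" % usable_bandwidth(10.0, IMIX_PROFILE))
```

The per-size table shows why small-packet traffic such as VoIP pays a far larger share of a link to the tunnel than bulk transfers do.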
Slide 81
We always recommend the use of WAN links with similar bandwidth profiles from
different ISPs to allow for the best possible SpeedFusion throughput.
Using at least two different ISPs offers the benefit of provider diversity, which
means less chance of a technical (or even accounting/billing) error causing a
network outage. Provider diversity also lessens the impact of bandwidth sharing,
a common problem when using multiple circuits from a single provider.
The above configuration example uses two DSL circuits from two different ISPs,
each circuit having a similar bandwidth profile, as the best use case for fixed line
SpeedFusion bonding.
Slide 82
2) Internet Connection Reliability – We often see poor physical line quality at customer
locations, particularly DSL using old copper (and sometimes even lead) cable over a long run
from the nearest exchange or POP. These connections are inherently unreliable and can
sometimes be affected by rain ingress into the physical circuits, as well as temperature
changes. We also see customers who have no physical lines and want to use cellular
connectivity. Naturally, the quality, bandwidth availability, and reliability of cellular connections
vary depending on location.
4) ISP Diversity – This is a big driver for customers who want to make sure that even if an ISP
has a service issue, they can still connect using a WAN link from another ISP. The same DSL
product from different ISPs can have quite different characteristics, with everything from
variable contention, latency, and bandwidth availability being factors.
Slide 83
Packet Loss
When the SpeedFusion engine detects excessive packet loss on a WAN link, the link will fail its
health test and will not be used by SpeedFusion as an active link until it passes a subsequent
health test.
Latency
When latency characteristics are the same across connected WAN links, latency has very little effect
on SpeedFusion bandwidth throughput. However, when the latency of the WAN links varies
considerably, bandwidth throughput will be affected.
Example 1. If WAN1: 100ms, WAN2: 400ms, the resulting latency of the SpeedFusion bonded link
will be 400ms, which follows the higher-latency WAN.
Example 2. If packets travel multiple SpeedFusion hops (site A -> site B -> site C), with 100ms
per link between 2 sites, then the total latency will be 200ms from site A to site C (via site B).
Any variation in these characteristics has an effect on the amount of WAN link bandwidth that is
available for use by SpeedFusion.
In certain conditions, such as a combination of regular timed packet loss and high latency on the
above 3G link, the TCP protocol method of retransmitting lost packets can have a drastic effect
on the available bandwidth over the VPN. This is another reason why we recommend that,
whenever possible, high latency links be used for failover and not as an active SpeedFusion
WAN link.
Recommended latency difference = Less than 150ms
Note: Using UDP traffic over SpeedFusion can provide higher throughput than TCP which has
restrictive flow control.
Slide 84
• Signal Strength – Determined by the distance to the nearest cellular tower (or visibility of the
satellite) and the subsequent signal quality received.
• Backhaul Bandwidth Availability – From the cellular tower to the ISP's core network or from
the satellite ground station to the ISP's core network.
• Device Contention – At the tower or satellite you are connected to (determined by the
number of active subscribers on a tower or satellite at any given moment).
Slide 85
In the first example, the third user only gets 1/3 (33Mbps) of the available bandwidth (100Mbps)
from the Cell Tower, but in the second example, the third user with a Pepwave MAX device (installed
with 2 LTE data SIMs) is able to get half (50Mbps) of the available bandwidth from the Cell Tower.
However, an additional cellular connection can provide the end user with a larger share of the
available bandwidth at a tower.
So, if there are multiple LTE carriers available, it is always recommended to connect to two
different cellular providers to gain a bigger bandwidth share for your LTE connections.
Slide 86
Peplink Balance also supports site-to-site IPSec VPN to third-party peer devices, e.g.
Cisco and Juniper, but Peplink always recommends establishing a SpeedFusion
VPN whenever possible if both peers are Peplink routers.
Notes:
• We advise you to use IPSec Aggressive Mode only when one of your devices
has a dynamic IP address. You should choose Main Mode whenever possible
because Aggressive Mode is not as secure as Main Mode, although
Aggressive Mode is a little faster because fewer packets are exchanged.
• With PFS turned on, when two IPSec gateways start a new Phase 2 SA
negotiation, they will generate a new set of Phase 1 keys, so that if a
security key is compromised, the attackers will only be able to access the
data protected by that key. After the new SA is negotiated, all data will be
protected and not affected by the previously compromised key.
• You can only select Force UDP Encapsulation if you have turned on
NAT-Traversal. This option is useful when you do not want NAT-T to automatically
detect a NAT connection, or if the remote peer failed to detect NAT. If
enabled, it will force the Balance / MAX to tell the remote peer that UDP
encapsulation (Port 4500) is required (even if you are connecting to the Internet
directly without NAT).
• An IPSec tunnel will not be treated as a WAN interface when configuring Outbound
Policy.
Slide 87
Slide 88
Assumptions:
1) Both ISPs are providing static Public IP ranges.
2) All outgoing traffic will be load balanced across both Internet links.
Slide 89
1) Go to Network > Outbound Policy and click on the Add Rule button; the Add a
New Custom Rule window will appear.
2) Enter a name for the Service Name; in this example it is All-Traffic.
3) Choose Any for Source, Destination, and Protocol, based on the assumptions
made above.
4) We have WAN 1 and WAN 2 active, so choose Weighted Balance from the
Algorithm drop-down list. This will allow a 50:50 load balance between WAN 1
and WAN 2.
5) For WAN 3 and Mobile Internet, either leave them as they are or drag the pointer to
0, as it will not affect the connectivity.
6) Click the Save button to save the configuration.
7) At the Rules window, drag the newly created service All-Traffic to below
HTTPS_Persistence. This ensures that the HTTPS_Persistence rule is
processed before All-Traffic, as the policy is processed from top to bottom.
8) Save to apply the changes.
Done. The Balance router is now load balancing outgoing Internet traffic
between WAN 1 and WAN 2 in a 50:50 ratio, and NATing the LAN IP to the
WAN 1 and WAN 2 Public IPs. You may proceed to configure the firewall rules if
needed; otherwise you can leave it with the default policy.
Slide 90
A flexible rule-based configuration design enables the fine-tuning of outbound traffic at a per-
service level by allowing multiple rules to be configured. The following types of Outbound Traffic
Rules are available:
• Weighted Balance
• Persistence
• Enforced
• Priority
• Overflow
• Least Used
• Lowest Latency
Slide 91
Custom policy
With the selection of this policy, outbound traffic behavior can be managed by defining custom rules.
Rules can be defined in a custom rule table. A default rule can be defined for connections that cannot be
matched with any one of the rules.
The "Default" custom outbound policy of the Balance 580 is Lowest Latency; the Balance sends TCP traceroute packets every 10
seconds to measure link latency. Changing to any algorithm other than Lowest Latency stops the latency measurement
packets and reduces link usage.
Note:
An HTTP packet has a larger footprint than a Ping packet, so this change can reduce link usage.
Slide 92
Weighted Balance
Assign more traffic to a faster link or less traffic to a connection with a bandwidth cap. Set a weight on the scale for each
connection and outgoing traffic will be proportionally distributed according to the specified ratio.
The amount of matching traffic that is distributed to a WAN connection is proportional to the weight of WAN connection
relative to the total weight. Use the sliders to change each WAN’s weight.
Example: With the following weight settings on a Peplink Balance 310:
WAN1: 10
WAN2: 10
WAN3: 5
Total weight is 25 = (10 + 10 + 5)
Matching traffic distributed to WAN1 is 40% = (10 / 25) x 100%
Matching traffic distributed to WAN2 is 40% = (10 / 25) x 100%
Matching traffic distributed to WAN3 is 20% = (5 / 25) x 100%
Note:
If a LAN user is running multiple Internet sessions, such as BitTorrent or a download manager, that user can utilize all available
WAN bandwidth at a particular moment.
Slide 93
Persistence
Eliminate session termination issue for HTTPS, E-banking, and other secure websites. Specify a traffic type and it will be
routed through the same connection persistently based on its source and/or destination IP addresses. Traffic will keep
routing on the same connection until the session ends.
In general, different Internet IP addresses represent different computers. The security concern is that an IP address
change during a session may be the result of an unauthorized intrusion attempt. Therefore, to prevent damages from the
potential intrusion, the session is terminated upon the detection of an IP address change.
Peplink Balance can be configured to distribute data traffic across multiple WAN connections. Also, the Internet IP
depends on the WAN connections over which communication actually takes place. As a result, a LAN client computer
behind Peplink Balance may communicate using multiple Internet IP addresses. For example, a LAN client computer
behind a Peplink Balance 310 with three WAN connections may communicate on the Internet using three different IP
addresses.
With the Persistency feature of Peplink Balance, rules can be configured to enable client computers to persistently utilize
the same WAN connections for e-banking and other secure websites. As a result, a client computer will communicate
using one IP address and eliminate the issues.
There are two Persistent Modes. One is by source and the other by destination. The default Mode is By Source.
Slide 94
Enforced
Restrict outbound traffic to a particular connection. Select a connection and the specified traffic type will be routed
through it at all times, whether the link is up or down. This suits scenarios like accessing a server that only allows users from a
specific IP.
Starting from firmware 5.2, outbound traffic can be enforced to go through a specified SpeedFusion connection.
(Available on Peplink Balance 210+)
Slide 95
Priority
Route traffic to your preferred link as long as it's available. Arrange the connection priority order, and traffic will be routed
through the healthy link that has the highest priority in the list. Lower priority links will only be used if the current
connection fails.
Starting from firmware 5.2, outbound traffic can be prioritized to go through SpeedFusion connection(s). By default, VPN
connections are not included in the priority list. (Available on Peplink Balance 210+)
Slide 96
Overflow
Prevent traffic flow from slowing down when the connection runs out of available bandwidth. Drag and drop to arrange
the connection overflow order and the highest priority link will route traffic as long as it has not been congested. Once it
saturates, the lower priority links will start routing traffic.
Least Used
Helps you choose the better connection with more free bandwidth. Traffic will be directed to the link with the most
available bandwidth among the selected connections. This option is useful for maximizing reliability and bandwidth
utilization.
Lowest Latency
Gives you the fastest response time when using applications like online gaming. Traffic will be assigned to the link with the
lowest latency time among the selected connections. Latency checking packets are issued periodically to a nearby router
of each WAN connection to determine its latency value. The latency of a WAN is the packet round trip time of the WAN
connection. Additional network usage may be incurred as a result.
Lowest Latency will try TCP traceroute first. If there is no response from TCP traceroute, it will fall back to using ping.
Note: The round trip time of a “6M down/640k up” link can be higher than that of a “2M down/2M up” link. This is because
the overall round trip time is lengthened by its slower upload bandwidth despite its higher downlink speed.
Therefore this algorithm is good for two scenarios:
• All WAN connections are symmetric; or
• A latency-sensitive application needs to be routed through the lowest latency WAN regardless of the WAN’s available
bandwidth.
Slide 97
In addition to physical WAN interfaces, Peplink Balance allows you to redirect designated traffic to a VPN tunnel, e.g. a
SpeedFusion VPN tunnel. For example, a customer with centralized Internet access can force all branch Internet traffic
to go through the VPN tunnel back to HQ (and probably web content filtering/security assessment) before reaching Internet
sites. Another example would be customer internal applications (email, CRM, etc.) that should be redirected via a secured
VPN tunnel to access servers in HQ, rather than going through the unsecured Internet.
Slide 98
With these rules enabled, Peplink Balance will route IPSec VPN traffic with NAT-T (which requires
UDP ports 500 and 4500) to WAN1 regardless of its up/down status. In the event that WAN1 is
down, the specified traffic will simply be dropped rather than routed via the other WAN links.
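The effect of rule order and of the Enforced algorithm can be seen in a small model of top-to-bottom rule evaluation. This is an added example, not Peplink code: the weighted pick, the re-pick of a persistent session when its link fails, the IPsec rule names and the sample addresses are all assumptions made for illustration.

```python
"""Simplified model of top-to-bottom outbound policy evaluation (illustration only)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str   # "tcp" or "udp"
    dst_port: int


@dataclass
class Rule:
    name: str
    algorithm: str          # "weighted", "persistence", "enforced" or "priority"
    protocol: str = "any"
    dst_ports: tuple = ()   # empty tuple matches any destination port
    wans: tuple = ()        # enforced: the one WAN; priority: ordered list
    weights: dict = field(default_factory=dict)   # weighted / persistence

    def matches(self, flow):
        if self.protocol not in ("any", flow.protocol):
            return False
        return not self.dst_ports or flow.dst_port in self.dst_ports


class OutboundPolicy:
    def __init__(self, rules):
        self.rules = list(rules)   # order matters: the first matching rule wins
        self.sessions = {}         # persistence table: (rule, source IP) -> WAN
        self.sent = {}             # connections handed to each WAN so far

    def _weighted(self, weights, healthy):
        """Pick the healthy WAN furthest below its weighted share.
        Assumption: a stand-in for the device's real distribution method."""
        live = {wan: w for wan, w in weights.items() if w > 0 and wan in healthy}
        if not live:
            return None
        wan = min(sorted(live), key=lambda name: self.sent.get(name, 0) / live[name])
        self.sent[wan] = self.sent.get(wan, 0) + 1
        return wan

    def route(self, flow, healthy):
        """Return (rule name, WAN) for a new connection; WAN None means dropped."""
        for rule in self.rules:
            if not rule.matches(flow):
                continue
            if rule.algorithm == "enforced":
                # Pinned to one WAN whether it is up or down: no failover.
                wan = rule.wans[0] if rule.wans[0] in healthy else None
            elif rule.algorithm == "priority":
                wan = next((w for w in rule.wans if w in healthy), None)
            elif rule.algorithm == "persistence":
                key = (rule.name, flow.src_ip)   # "By Source", the default mode
                wan = self.sessions.get(key)
                if wan not in healthy:           # assumption: re-pick if the link died
                    wan = self.sessions[key] = self._weighted(rule.weights, healthy)
            else:
                wan = self._weighted(rule.weights, healthy)
            return rule.name, wan
        return None, None


WEIGHTS = {"WAN1": 10, "WAN2": 10}
HTTPS_PERSISTENCE = Rule("HTTPS_Persistence", "persistence", "tcp", (443,), weights=WEIGHTS)
ALL_TRAFFIC = Rule("All-Traffic", "weighted", weights=WEIGHTS)
# Hypothetical rule names for the IPsec NAT-T traffic (UDP 500 and 4500).
IPSEC_ENFORCED = Rule("IPsec-Enforced", "enforced", "udp", (500, 4500), wans=("WAN1",))
IPSEC_PRIORITY = Rule("IPsec-Priority", "priority", "udp", (500, 4500), wans=("WAN1", "WAN2"))

# Constructed sample traffic (documentation address ranges).
HTTPS_FLOW = Flow("192.168.1.20", "203.0.113.10", "tcp", 443)
IKE_FLOW = Flow("192.168.1.1", "198.51.100.7", "udp", 500)


def wans_used(rules, flow, healthy, connections=4):
    """WAN chosen for each of several new connections of the same flow."""
    policy = OutboundPolicy(rules)
    return [policy.route(flow, healthy)[1] for _ in range(connections)]


if __name__ == "__main__":
    both = {"WAN1", "WAN2"}
    print("persistence first:", wans_used([HTTPS_PERSISTENCE, ALL_TRAFFIC], HTTPS_FLOW, both))
    print("All-Traffic first:", wans_used([ALL_TRAFFIC, HTTPS_PERSISTENCE], HTTPS_FLOW, both))
    print("enforced, WAN1 down:", wans_used([IPSEC_ENFORCED, ALL_TRAFFIC], IKE_FLOW, {"WAN2"}, 1))
    print("priority, WAN1 down:", wans_used([IPSEC_PRIORITY, ALL_TRAFFIC], IKE_FLOW, {"WAN2"}, 1))
```

With All-Traffic placed first, the HTTPS connections alternate between WANs and the persistence rule is never reached; with an Enforced rule the IKE traffic is dropped while WAN1 is down, where a Priority rule would have moved it to WAN2.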
Slide 99
Expert Mode
Expert Mode is available for advanced users. To enable the feature, click on the help text balloon
and click the link to turn on Expert Mode.
Under Expert Mode, a new special rule - "SpeedFusion Routes" is displayed on the Custom Rules
table. It represents all SpeedFusion routes learned from remote VPN peers. By default, this bar is
on the top of all custom rules. That means traffic for remote VPN subnets will be routed to its
corresponding VPN peer. You can create custom Priority or Enforced rules and move them
above the bar to override the SpeedFusion Routes.
Upon disabling the Expert Mode, all rules above the bar will be removed.
Slide 100
We will be installing the Peplink Balance transparently in between the router and
the firewall. Then we will add more ISP connections to the network.
Slide 101
Done.
1) You may now install the Peplink Balance to the production network.
2) Notice that some routers and firewalls may have problems updating their ARP tables.
Resetting these devices may be necessary.
3) You have just completed the Drop-in mode configuration of the Peplink Balance. You should
verify the network with single WAN before moving to the next step of connecting additional
internet connections.
NOTE:
1) Existing network equipment settings are not affected
2) Router (Default Gateway) IP: 210.10.10.1, remain unchanged
3) Firewall IP: 210.10.10.10, default gateway still pointing to IP: 210.10.10.1
Slide 102
Your Balance should now aggregate and load balance across the two links.
Please repeat Steps 1 to 4 for more Internet connections.
Slide 103
Prerequisite
This task assumes that you already have a good understanding of Drop-in Mode. If not, please
read the guide on Drop-in Mode before proceeding further.
Scenario
We will use an example throughout this note. Suppose you currently have a network similar to
the following:
• Peplink Balance installed and connected to three ISPs, using Drop-in Mode
• Static IP address ranges (subnets) from the ISPs
• A firewall protecting your trusted LAN
• Hosts and servers on the trusted LAN are using private IP addresses
Conceptually, we enable NAT on WAN2 and WAN3 to masquerade IP addresses of ISP A to
achieve inbound load balancing.
Our Target:
We want to map IP addresses from ISP B and ISP C to “logically” point to the mail servers.
Slide 104
Slide 105
Slide 106
How to set up Inbound Load Balance via built-in DNS (Drop-in Mode)
Peplink Balance has a built-in DNS server for inbound link load balancing. You can delegate a
domain’s NS/SOA records, e.g. “www.mycompany.com”, to the Peplink Balance’s WAN IP
address(es). The Peplink Balance will return healthy WAN IP addresses as an “A” record when a
DNS query for the host name is received.
It can also act as a generic DNS server for hosting “A”, “CNAME”, “MX”, “TXT” and “NS” records.
The Peplink Balance can perform this in two ways, either in Non Drop-in or Drop-in Mode.
PTR records are created along with A records pointing to Custom IPs. For example, if you
created an A record www.mydomain.com pointing to 11.22.33.44, then a PTR record
44.33.22.11.in-addr.arpa pointing to www.mydomain.com will also be created. When there are
multiple host names pointing to the same IP address, only one PTR record for the IP address will
be created.
To illustrate this, we will use the previous example, changing the server from mail to web, and
using only a single server to simplify the illustration. The steps to define the server(s) and service(s)
are the same as in the previous example, so we will start with the DNS settings.
Slide 107
To define the DNS records to be hosted in Peplink Balance, go to the setup page located at:
Network > Inbound Access > DNS Settings, as shown above.
Slide 108
There, select the desired WAN link(s) and respective WAN Interface IP addresses. Multiple
addresses in the list can be selected by holding the CTRL key while clicking on the addresses.
Click Save to continue.
Slide 109
Slide 110
In the above example, WAN 1, 2 & 3 are the DNS query answering interfaces, so they should be
selected. We are assuming all three WAN links are equally healthy.
Slide 111
Click on the New A Record button to create A Record for the web server.
Slide 112
As the A Record window appears, enter the name of the server (e.g. www), which will be automatically
associated with the previously defined domain name (.mypeplink.com).
Check the IPs at the respective WAN interfaces; these will be mapped to www.mypeplink.com.
Only the highlighted IP addresses in the lists are returned in responses to a DNS query.
(Multiple items in a list can be selected by holding CTRL and clicking on the
items.) In case a WAN link is down, the corresponding set of IP addresses will not
be returned. However, the IP addresses in the Custom IP field will always be
returned.
Slide 113
Domain Delegation
This diagram is useful for users who want to delegate a sub-domain to be resolved and managed
with the Peplink Balance (Assuming they host their domain at an ISP or domain registrar).
In order for Internet users to look up the host name (e.g. “www.mypeplink.com”) using the Peplink
Balance, you have to point NS records of it in the domain (e.g. “mypeplink.com”) to the Peplink
Balance’s WAN IP addresses. If you are using ISC BIND 8 or 9, add these lines in the zone file of
“mypeplink.com”:
www IN NS balancewan1
www IN NS balancewan2
www IN NS balancewan3
balancewan1 IN A 210.10.10.5
balancewan2 IN A 22.2.2.5
balancewan3 IN A 33.3.3.5
Where 210.10.10.5, 22.2.2.5 and 33.3.3.5 are the WAN IP addresses of the Peplink Balance in
this example. The IP values here are for illustration only and would likely be different for you. In
order to host the complete domain on your own DNS server with the Peplink Balance, contact the
DNS registrar to have the NS records of the domain (eg. “mypeplink.com”) point to your Balance’s
WAN IP addresses.
Slide 114
Testing
From a host on the Internet, use an IP address of Peplink Balance and nslookup to lookup the
corresponding hostname. Check if the returned IP addresses are the desired addresses for the
host name. Above is a sample Windows nslookup.
The IP values here are for illustration only and would likely be different for you. In the lab example,
the query for www.mypeplink.com returns three IPs (210.10.10.30, 22.2.2.30 & 33.3.3.30).
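The answer rules described on the preceding slides (WAN IPs returned only while their link is healthy, Custom IPs always returned, one PTR per Custom IP) can be modeled and used to check an nslookup result. This is an added example, not Peplink code; the record layout, the function names, the ftp.mydomain.com host and the choice of the first host name for a shared PTR are assumptions.

```python
"""Model of the built-in DNS answer rules described on these slides (illustration only)."""
import ipaddress

# Constructed record set. www.mypeplink.com uses the lab addresses from the
# slides; ftp.mydomain.com is a made-up second name sharing a Custom IP.
A_RECORDS = {
    "www.mypeplink.com": {
        "wan_ips": {"WAN1": ["210.10.10.30"], "WAN2": ["22.2.2.30"], "WAN3": ["33.3.3.30"]},
        "custom_ips": [],
    },
    "www.mydomain.com": {"wan_ips": {}, "custom_ips": ["11.22.33.44"]},
    "ftp.mydomain.com": {"wan_ips": {}, "custom_ips": ["11.22.33.44"]},
}


def expected_answers(host, wan_up, records=A_RECORDS):
    """A records the Balance should return for host, given each WAN's health."""
    record = records[host]
    answers = []
    for wan, ips in record["wan_ips"].items():
        if wan_up.get(wan, False):        # IPs of a down WAN are withheld
            answers.extend(ips)
    answers.extend(record["custom_ips"])  # Custom IPs are returned regardless
    return answers


def ptr_table(records=A_RECORDS):
    """PTR records created alongside A records that point to Custom IPs.
    Only one PTR per IP; assumption: the first host name defined wins."""
    table = {}
    for host, record in records.items():
        for ip in record["custom_ips"]:
            table.setdefault(ipaddress.ip_address(ip).reverse_pointer, host)
    return table


def check_lookup(host, observed, wan_up, records=A_RECORDS):
    """Compare addresses seen in an nslookup answer with what is expected."""
    expected = set(expected_answers(host, wan_up, records))
    seen = set(observed)
    return {"missing": sorted(expected - seen), "unexpected": sorted(seen - expected)}


if __name__ == "__main__":
    health = {"WAN1": True, "WAN2": False, "WAN3": True}
    print(expected_answers("www.mypeplink.com", health))
    print(ptr_table())
    # Constructed nslookup result that still lists the address on the down WAN2.
    print(check_lookup("www.mypeplink.com",
                       ["210.10.10.30", "22.2.2.30", "33.3.3.30"], health))
```

Because Custom IPs are returned whatever the link state, a host published only through the Custom IP field keeps being advertised even when the path to it is down.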
Slide 115
Background
1+1 backup enables failover to happen when the master device goes out of service. This
requires a pair of Peplink Balance devices operating in active-standby mode. When the master
device is down, the slave device takes over and handles all the LAN traffic.
The Peplink Balance series supports failover between two Balance devices based on Virtual
Router Redundancy Protocol (VRRP). Periodic VRRP advertisement packets are sent out from
the master device to VRRP-specific IP multicast addresses. The slave device assumes the
master device’s responsibilities when these messages have not been heard from for a pre-
defined time interval.
In the above example, a VRRP Group 20 is assigned to the HA pair. The virtual IP address (VIP)
is 210.10.10.2. However, the default gateway for the firewall should remain unchanged, as
Internet router IP: 210.10.10.1, as this is Drop-In Mode. A unique VRRP group identifier is used
for each HA pair subsequently set up on the same LAN. Balance devices have to be on the
same subnet to support VRRP and the same VRRP group identifier must be used on the HA
pair.
Additional Ethernet switches are required to separate each ISP connection so that Master and
Slave Balance devices can both be connected. More than one Ethernet switch must be used in
order to prevent a single point of failure, which would otherwise defeat the purpose of the 1+1
backup concept.
In this example, Master Peplink unit will use 210.10.10.3 as its LAN IP, Slave Peplink unit will
use 210.10.10.4 as its LAN IP. Both Master and Slave units use the same VIP 210.10.10.2.
When the master unit goes down, the failover will take place with a typical recovery time of 10-15
seconds. After the Slave unit changes its role to Master, all WAN connections will be
re-established.
Slide 116
NOTE:
The failover takes place with a typical recovery time of 10-15 seconds. After the Slave unit
changes its role to Master, all WAN connections will be re-established.
Two Balance units should connect to the Internet in the same mode. For example, they
should be both in NAT mode or both in Drop-in mode.
Slide 117
NOTE:
Once the slave unit is configured to automatically synchronize configuration from the master unit,
the web admin of the slave unit will be locked. Changes can only be made after you have disabled the
Configuration Sync. function, as in the sample screen capture above.
In HA mode, configuration synchronization only happens from the Master unit to the Slave unit;
the Master unit never obtains configuration from the Slave unit.
Slide 118
Slide 119
Note:
• Starting from firmware version 5.0, Drop-in mode can be configured on any WAN ports.
Please note that still only one WAN port can be configured in Drop-in mode.
• If you have selected the LAN Bypass port (which is currently available on WAN1 of Balance
1350 and WAN5 of Balance 580) as the WAN for Drop-in Mode, High Availability feature will
be DISABLED automatically.
• When the LAN Bypass feature is enabled, the High Availability feature will be automatically
DISABLED.
Slide 120
For model 305 onwards, the Balance comes with built-in WLC. This is useful for deploying a
centrally controlled AP setup at significantly lower costs. The Balance can serve as an AP
Controller for managing Pepwave AP devices, as well as multiple SSIDs. The Balance and the
Pepwave AP can automatically discover each other using DNS and DHCP protocols.
Requirement
The customer has a Balance router installed and operating in their network. Recently, they have
purchased two units of Pepwave AP One. The customer wants to integrate these APs into their
existing LAN for their staff, while creating “Guest” access which would allow visitors to only access
the Internet.
LAN IP: 192.168.0.0/24
Staff SSID: same access right as wired LAN user
Staff Login Method: WPA/WPA2 PSK
Guest SSID: only allowed to access the Internet
Guest Login Method: Captive Portal with Open security
The Balance router, acting as the WLC, will need to be configured with the above settings and push the policy
to the AP(s).
Slide 121
1) Select AP from the top menu. Choose AP Controller from the left menu, and then select the
check box to enable the feature.
2) You can set up a list of recognized access points with Permitted AP. Input the serial number
of the AP you want to manage in the box.
Slide 122
1) Choose Wireless SSID from the left menu. Click the New SSID button displayed on the
bottom of the page.
2) In the SSID Settings dialog box, enter the SSID (Network Name) used to identify the Wi-Fi
network. Enter “Staff” as the SSID, as this will be used for internal access.
3) Under Wireless Security Settings, select WPA/WPA2 - Personal for home or small business
use. Enter an authentication password of at least 8 characters in the Shared Key field. If you
are managing the network of a larger company, you may consider using WPA/WPA2 -
Enterprise, which allows you to use a separate RADIUS server to handle the wireless
network’s authentication. Assign the WPA/WPA2 PSK as “staffwlan” for this example.
4) Click OK at the bottom of the dialog box, and then click Apply Changes to save the wireless
network.
5) Repeat the above steps to add more wireless networks and/or specify additional name and
network permissions for various user groups. Next we will create “Guest” SSID.
Slide 123
1) Choose Wireless SSID from the left menu. Click the New SSID button displayed on the
bottom of the page.
2) In the SSID dialog box, enter the SSID (Network Name) used to identify the Wi-Fi network.
Enter “Guest” as the SSID, as this will be used for visitor Internet access.
3) To further customize network permissions, you can also change Guest Protect, Bandwidth
Management, and Firewall Settings. As this is for visitor usage, click on the Block All
Private IP checkbox to protect the internal LAN (assuming the LAN IP range is using a private IP
range).
4) Click OK at the bottom of the dialog box, and then click Apply Changes to save the wireless
network.
To show a splash screen for your Wi-Fi service, which is useful for Wi-Fi service offered to guests
in restaurants, hospitality, and other settings, enable Captive Portal for the VLAN that the SSID has
been assigned to. You can access VLAN settings by navigating to Network > LAN, clicking on the
(?) icon, and clicking the affected VLAN. Please remember to configure your captive portal.
Slide 124
Creating AP Profiles
1) Navigate to AP > Profile. Click the New AP Profile button displayed on the bottom of the
page.
2) In the AP Profile dialog box, enter a name for the device configuration profile, eg. “Office”.
3) Select up to four wireless networks to include in the AP profile; check the “Guest” and
“Staff” SSIDs to include them in this profile.
4) Optimize your device’s radio performance by adjusting the options in AP Advanced Settings.
For example, you can select a different 2.4 GHz Wi-Fi radio channel in order to ensure the
best signal strength and eliminate potential channel conflicts.
5) Change your AP One’s device security settings, such as passwords, under Web
Administration Settings. Set the password to “public”, which is the default for AP One.
6) Click Save at the bottom of the dialog box, and then click Apply Changes to store the AP
profile.
Note:
You can select up to a maximum of 16 “Wireless Networks” in an AP Profile when using the Balance
router as WLC.
Slide 125
1) AP One devices in the network will be automatically discovered. The number of APs detected
will be shown on the Dashboard and Access Point section of Status.
2) To manage access points located in a remote network, enable Manage Remote AP.
3) You can set up a list of recognized access points with Access Point to be Managed. In this
case, one unit has been connected.
Slide 126
1) In the AP tab, the real time status shows that the AP is connected to WLC.
Slide 127
Applying AP Profiles
1) Select the check box for the AP One device you wish to configure.
2) Select AP Profile from the drop-down menu located in the lower right corner.
3) In the AP Profile dialog box, select a previously created AP profile (eg. “Office” for this
case) and click OK.
Slide 128
1) To upload an image for the portal page, first click Choose File. Select the desired image from
your system and click Upload. If no image is selected, then the default image of the AP One will
be used.
2) Customize your portal page with a Message and Terms & Conditions.
3) Specify where the customer will be redirected after successful authentication with a Custom
Landing Page if desired.
4) Click Preview to review your design, and click Publish to save your portal page and make it
available to guests.
Slide 129
1) On your notebook, try to connect to the Guest SSID broadcast from the AP One. It should
have Open security without any WPA/WPA2 key required.
2) Once connected, open the command prompt and use ipconfig to check your notebook IP
address.
Ping Test:
1) Ping to Gateway IP: 192.168.0.1
• Passed or Failed
2) Ping to AP One IP: 192.168.0.11
• Passed or Failed
3) Ping to Google DNS IP: 8.8.8.8
• Passed or Failed
Slide 130
1) On your notebook, open your web browser and enter “www.google.com” in the URL.
2) You will be redirected to the Captive Portal page, where you will need to review the T&C and
click Agree to proceed.
3) This will depend on how you configure the Custom Landing Page. If you have none
configured, then you will be redirected to your designated page, www.google.com.
Slide 131
Once the wireless client is granted access, you will be able to access Internet sites. However, the
“Guest” SSID will not be allowed to access internal LAN hosts.
Ping Test:
1) Ping to Gateway IP: 192.168.0.1
• Passed or Failed
2) Ping to AP One IP: 192.168.0.11
• Passed or Failed
3) Ping to Google DNS IP: 8.8.8.8
• Passed or Failed
Slide 132
1) On your notebook, try to connect to the Staff SSID broadcast from the AP One. Key in
staffwlan when Windows prompts you for your WPA/WPA2 key.
2) Once connected, open the command prompt and use ipconfig to check your notebook IP address.
Ping Test:
1) Ping to Gateway IP: 192.168.0.1
• Passed or Failed
2) Ping to AP One IP: 192.168.0.11
• Passed or Failed
3) Ping to Google DNS IP: 8.8.8.8
• Passed or Failed
Slide 133
Slide 134
Example:
The Balance router has built-in standard firewall functionality, so it can be used
as a firewall in an environment that doesn’t have any firewall. Assuming the
company wants to prevent their staff from accessing social websites, eg
facebook.com, a Balance firewall rule by domain name can be configured.
Example
String          Matching Example
foobar.com      foobar.com
*.foobar.com    www.foobar.com, mail.foobar.com
foobar.*        foobar.com, foobar.co.uk
*.foobar.*      www.foobar.co.uk
After a firewall rule by domain name is created, all traffic from that domain will be allowed or
denied according to your settings.
TIP: If you are trying to block outgoing HTTP access to a website using a domain name, consider
using the Web Blocking feature.
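The following is an added example, not Peplink code: a small Python model of the wildcard strings in the table above, used to check which hostnames a set of domain rules would miss. It assumes "*" is the only wildcard and can span dots (as the foobar.* row implies); the function names and the observed-hostname list are constructed for illustration.

```python
import re


def normalise(name):
    """Lower-case a hostname or rule string and drop a trailing root dot."""
    return name.strip().lower().rstrip(".")


def compile_rule(rule):
    """Turn a rule string into a regex in which '*' is the only wildcard.

    Assumption: '*' stands for any run of characters, dots included, which is
    what the table implies (foobar.* matches foobar.co.uk).
    """
    literal_parts = [re.escape(part) for part in normalise(rule).split("*")]
    return re.compile(".*".join(literal_parts))


def rule_matches(rule, host):
    """True if the whole hostname matches the rule string."""
    return compile_rule(rule).fullmatch(normalise(host)) is not None


# The four rows of the table: rule string -> hosts it is shown to match.
TABLE = {
    "foobar.com": ["foobar.com"],
    "*.foobar.com": ["www.foobar.com", "mail.foobar.com"],
    "foobar.*": ["foobar.com", "foobar.co.uk"],
    "*.foobar.*": ["www.foobar.co.uk"],
}


def table_mismatches():
    """Rows of the table that this model fails to reproduce (expected: none)."""
    return [(rule, host)
            for rule, hosts in TABLE.items()
            for host in hosts
            if not rule_matches(rule, host)]


def uncovered(rules, hosts):
    """Hosts that no rule matches, i.e. traffic the rule set would not catch."""
    return [h for h in hosts if not any(rule_matches(r, h) for r in rules)]


# Constructed sample: hostnames a staff browser might request.
OBSERVED = ["facebook.com", "www.facebook.com", "m.facebook.com.",
            "WWW.Facebook.com", "example.org"]

if __name__ == "__main__":
    print("table mismatches:", table_mismatches())
    for rules in (["facebook.com"], ["facebook.com", "*.facebook.com"]):
        print(rules, "-> not matched:", uncovered(rules, OBSERVED))
```

Under this model a bare facebook.com rule leaves every subdomain unmatched, so a deny policy needs the *.facebook.com form as well.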
Slide 135
The Balance router has QoS features, allowing you to control the traffic based
on its user groups (predefined 3 groups – Manager, Staff, Guest), as well as by
application. You can apply different bandwidth and traffic prioritization
policies on each user group in the Bandwidth Control and Application sections.
In this scenario, we have implemented an IP Telephony system in the branch
office, and we have deployed an IP Telephony server residing in HQ. To optimize
the voice quality over the Internet links, QoS is essential to ensure that VoIP
traffic can be smoothly delivered across sites.
NOTE:
Please refer to user manual, Chapter 18 – QoS for detailed QoS settings.
Slide 136
Assume your business partner is running systems that only allow access from IPSec Clients in
your office environment. In such a situation, you would need to enable Service Passthrough
Support in your Balance router. By default, the router has IPSec NAT-T enabled; if IPSec is
running on custom ports, then you can define the ports accordingly.
Passthrough for other services (eg. SIP, H.323, FTP & TFTP) can be enabled on this page as well.
Slide 137
When this option is enabled, all outgoing SMTP connections destined for any
host at TCP port 25 will be intercepted. These connections will then be redirected
to a specified SMTP server and port number. SMTP server settings for each
WAN can be specified after selecting Enable.
If any LAN device is using DNS name servers of a WAN connection, you may want to enable this
option to enhance the DNS availability without modifying the DNS server setting of the clients. The
built-in DNS name server will distribute DNS lookups to corresponding DNS servers of all
available WAN connections. In this case, DNS service will not be interrupted even if any WAN
connection is down.
Slide 138
NOTE:
Authentication and Accounting by RADIUS server for Web Admin (Available on Peplink Balance
210+). With this feature enabled, Web Admin will authenticate using an external RADIUS server.
Authenticated users are treated as "admin" users with full read-write permission. Local "admin"
and "user" accounts will be disabled. When the device is not able to communicate with the
external RADIUS server, local accounts will be enabled again for emergency access.
Authentication options will be available once this feature is selected.
Slide 139
Some of the System settings are crucial to the operation, eg. InControl, Remote Assistance, and Email Notification.
Default: Enabled
(Post usage data): Disabled
Email Notification
The feature Email Notification allows email to be sent to the listed recipient email addresses when the following events
take place:
• Email notification test
• A new firmware version is available
• Health status changes for any WAN connection
• VPN status changes
• Bandwidth usage has reached 75% of the allowance
• Bandwidth usage has reached 95% of the allowance
Click the Test Email Notification button and then click Send Test Notification to send a test email.
Remote Assistance
When you face a serious technical issue with the Balance router and need Peplink Technical Support to
check on the device, you can turn on this feature by going to Status > Remote Assistance under the System
Information window.
Diagnostic Report
When you report a problem with the Balance router to Peplink Technical Support, it is good practice to attach the
Diagnostic Report so the support team can analyze it to understand the router's condition. To generate
the report, go to Status > Diagnostic Report under System Information. Click the Download button to save the file.
with:
YYYY – 4 digits represent year
MM – 2 digits represent month
DD – 2 digits represent day
Model No. – The Balance Model, eg. B380
SSSSSSSSSSSS – 12 digits serial number
Slide 140
The Diagnostic Report can also be obtained on this page, as well as from the Status page.
This page shows the negotiated speed and duplex status of the router's Ethernet connections,
which aids troubleshooting tasks such as debugging connectivity issues.
1) To log a case with Peplink support, you can send your case to priority.support@peplink.com.
Slide 141
Out of the box, the Pepwave MAX router comes with the following default
settings:
• IP: 192.168.50.1/24
• Username: admin
• Password: admin
• LAN DHCP: Enabled
• DHCP IP Range: 192.168.50.10 – 192.168.50.250
In the diagram, the switch is optional as a console into the Pepwave MAX
Routers. You can plug the UTP cable directly from the PC/Notebook into the MAX Router
LAN port for the same purpose.
Generally, the Web Admin UI is similar to that of the Balance router, making it easier for
users who have experience with the Balance router UI.
Slide 142
After entering the parameters correctly, you will be able to log in to the Web
Admin page.
A unique feature of the MAX router interface is that you can configure the WAN interfaces on the
WAN Connection Status page. You can do so by clicking the Details button on each WAN
interface bar. Alternatively, you can go to Network > WAN to reach the same settings page.
On this page, you can also assign different priority levels to the WAN interfaces by dragging the
interface bar up or down. If all WAN interfaces are assigned the same priority, then the router will
load balance the WAN traffic.
Note:
Depending on the MAX router model, only MAX HD2, MAX 700, and MAX OTG (U4 & U4-SF) will
allow WAN load balancing; the other models will allow WAN failover.
Slide 143
When you click on the Details button of any of the active Cellular WAN interfaces, you will reach
the Connection Details setting page shown above. If the mobile broadband provider or the data
plan has a quota limit (eg. 2GB/month), then you need to enable Bandwidth Allowance Monitor
and set the data limit on this WAN to 2GB. At the same time, in the Action section, you can set the
MAX router to notify you via email if the usage hits 75% of quota. Lastly, you can choose whether
this particular WAN link continues or disconnects if usage hits 100% of the quota
for that month.
If the Cellular WAN has limited data usage/quota, and you want to reduce the Cellular WAN
utilization, you can:
1) Choose SmartCheck as Health Check Method
2) Set Standby State of Cellular WAN to "Disconnected" instead of "Remain Connected"
3) Increase the value of Health Check Interval
Slide 144
MAX routers come with various connectivity options, allowing you to set them up in
different ways to suit customer requirements. In the following scenarios, we will
explore the three most common MAX router deployment setups.
Let’s take a look at each of these scenarios in detail, and what configurations
need to be done to achieve the objective.
Slide 145
Requirements
1) WAN
• The outlet will need a cable broadband as primary WAN link, backed up by a WiFi WAN and a Cellular
WAN.
2) LAN
• The wired LAN will be serving the outlet internal LAN, while the WiFi AP can serve both internal staff
and their guests.
Slide 146
Configuration of the WAN/LAN interfaces is the same as for the Balance
routers; please refer to the previous section if you need instructions.
This screenshot shows the MAX BR1 router configured with a wired WAN as
primary link, followed by a WiFi WAN as first standby, and Cellular as secondary
standby WAN link.
Slide 147
Failover Test:
1) Before starting the test, take a Windows machine, launch a command prompt window and
conduct a continuous ping to an Internet host IP (eg. 8.8.8.8).
2) Unplug the wired WAN of the MAX router (BR1)
3) Observe the changes of WAN Connection Status
4) Which is the active WAN link now? Wired WAN or WiFi WAN or Cellular WAN
5) Any timeout during failover? Yes or No
6) How many timeouts during failover?
Slide 148
Failover Test:
1) Before starting the test, take a Windows machine, launch a command prompt
window and conduct a continuous ping to an Internet host IP (eg. 8.8.8.8).
2) Unplug the wired WAN of the MAX router (BR1), and change the WiFi WAN
WPA/WPA2 Key to simulate 2 failed WAN links
3) Observe the changes of WAN Connection Status
4) Which is the active WAN link now? Wired WAN or WiFi WAN or Cellular WAN
5) Any timeout during failover? Yes or No
6) How long was the timeout during failover?
Slide 149
Recovery Test:
1) Before starting the test, at the Remote site, launch the command prompt window and conduct
a continuous ping to HQ LAN IP (10.0.0.10)
2) Plug the Wired WAN back in and enter the correct WiFi WAN WPA/WPA2 Key for the MAX BR1
router
3) Observe the changes in the router's WAN Connection Status
4) Which is the active WAN link now? Wired WAN or WiFi WAN or Cellular WAN
5) Any timeout during failover? Yes or No
6) How long was the timeout during failover?
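To answer steps 5 and 6 of the failover and recovery tests above from a saved continuous-ping session, the following added example (not part of the course material) parses Windows ping output and reports each run of lost probes. The log is constructed, and the 4-second cost per lost probe is an assumption based on the default Windows ping reply timeout.

```python
import re

# A successful echo reply as printed by Windows ping.
REPLY_OK = re.compile(r"^Reply from \S+: bytes=\d+ time[=<]\d+ms TTL=\d+",
                      re.IGNORECASE)

# Lines that mean the probe did not reach the target. Note that an
# "unreachable" message also starts with "Reply from".
LOSS_MARKERS = ("request timed out", "destination host unreachable",
                "destination net unreachable", "general failure",
                "transmit failed")


def classify(line):
    """Return 'ok', 'lost', or None for headers, blanks and statistics."""
    text = line.strip()
    if REPLY_OK.match(text):
        return "ok"
    if any(marker in text.lower() for marker in LOSS_MARKERS):
        return "lost"
    return None


def find_outages(lines):
    """Return (probe_count, outages); an outage is a run of lost probes."""
    outages, probe, current = [], 0, None
    for line in lines:
        kind = classify(line)
        if kind is None:
            continue
        probe += 1
        if kind == "lost":
            if current is None:
                current = {"first_probe": probe, "lost": 0}
                outages.append(current)
            current["lost"] += 1
        else:
            current = None
    return probe, outages


def summarise(lines, seconds_per_lost_probe=4.0):
    """Summarise a ping session.

    Assumption: each lost probe costs about seconds_per_lost_probe, so
    approx_seconds is a rough estimate, not a measurement.
    """
    probes, outages = find_outages(lines)
    lost = sum(o["lost"] for o in outages)
    return {"probes": probes, "lost": lost, "outages": outages,
            "approx_seconds": lost * seconds_per_lost_probe}


# Constructed sample of a continuous ping during a WAN failover. The statistics
# line counts the "unreachable" reply as received, so it under-reports the loss.
SAMPLE_LOG = """
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=14ms TTL=117
Reply from 8.8.8.8: bytes=32 time=13ms TTL=117
Reply from 8.8.8.8: bytes=32 time=15ms TTL=117
Request timed out.
Request timed out.
Reply from 192.168.50.1: Destination host unreachable.
Reply from 8.8.8.8: bytes=32 time=48ms TTL=113
Reply from 8.8.8.8: bytes=32 time=45ms TTL=113
Reply from 8.8.8.8: bytes=32 time=46ms TTL=113

Ping statistics for 8.8.8.8:
    Packets: Sent = 9, Received = 7, Lost = 2 (22% loss),
"""

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG.splitlines()))
```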
Slide 150
Mobile Command
In this example, we have a police patrol driving in an urban area. The MAX BR1 router can be
installed in these vehicles, allowing them to stay connected to their control center while they are on
the move. This is accomplished with 2 different WAN options.
Requirement
1) WAN
• The police vehicle can use WiFi WAN as primary WAN link, backed up by a Cellular
WAN.
2) LAN
• The wired LAN will be used for fixed machines, while the WiFi AP can serve the
policemen's handheld devices.
Slide 151
We have gone through the configuration steps of the WAN/LAN interfaces in the
Balance router section, so we will skip that step.
The screenshot shows the MAX BR1 router configured with WiFi WAN as the
primary link, followed by Cellular as the standby WAN link.
Slide 152
Public Transport
Public transport systems often travel long distances, so WiFi WAN may not be able to cover the
entire path. The only available WAN option would be Cellular broadband. If bus companies want
WAN resiliency, the BR1 has 2 SIM slots and 1 embedded modem so they can put in a second SIM
card for Cellular failover purposes.
Requirement
1) WAN
• The bus needs to be equipped with Cellular WAN.
2) LAN
• The wired LAN will be used for machines in the bus, and the WiFi AP can serve the
passengers' handheld devices.
Slide 153
The screenshot above shows the MAX BR1 router configured with Cellular as the
primary and the only WAN link.
Slide 154
Slide 155
The difference between the Balance and MAX routers is that non-interface related
settings are placed in the Advanced section. You can configure WiFi Settings,
SpeedFusion VPN, Port Forwarding, etc. in this panel.
Slide 156
The System and Status menus are identical to those for the Balance router.
For further details on these settings, please refer to the relevant firmware user
manual.
Slide 157
To receive cached content from HTTPS sites, client devices need to install the
appropriate certificates. To install the appropriate certificate, connect your client to
the LAN side of your MediaFast router. Then use your client device to navigate to
cert.peplink.com. There, you will receive device-specific instructions for installing
the certificate.
With MediaFast, you can cache entire websites at regular intervals. To do so,
navigate to Network > MediaFast > Prefetch Schedule. Under the Prefetch
Schedule submenu, click New Schedule, and a new menu called MediaFast
Schedule will pop up.
In that new menu, you can name the schedule and toggle its activation.
In the URL menu item, you can set the web domain(s) you wish to cache
(http://www.peplink.com in this example).
In the Depth menu item, you can select how many levels away from the
homepage you wish to cache. The number of levels refers to the number
of slashes following the address. For peplink.com:
www.peplink.com would have a depth of 0
www.peplink.com/products/max-cellular-router has a depth of 2.
http://www.peplink.com/products/max-cellular-router/outdoor/ has a
depth of 3.
In the Time Period menu item, you can select the time period in which
MediaFast will attempt to cache.
In the Repeat menu item, you can determine on what days of the week
MediaFast will cache the website.
MDM enables you to remotely manage any connected iOS devices, performing
tasks such as installing apps and applying configuration profiles. To use your
MediaFast as an MDM, you need to configure your MediaFast Router and each
Client.
You can access detailed reports of your content caching from your Web UI by
navigating to Status > MediaFast.
The Storage Usage section illustrates the amount of space each type of
content occupies.
The Bandwidth Summary section displays the total bandwidth consumption,
as well as the bandwidth saved over the course of the last day, week,
month, and year.
The Bandwidth Details section contains detailed bandwidth usage and
savings information organized by web domain, content type, file extension,
and clients.
The information displayed is similar to what you’ll find on the Web-UI report (hard
disk contents, bandwidth consumption, usage details). However, there are some
advantages to viewing the MediaFast report using InControl 2:
Group and Organization level reports: In addition to viewing MediaFast
related information for each device, you can also view it on a group and
organization level, giving you a bigger picture of your network.
Searchable Databases: In the InControl 2 report, each summary contains a
search field, enabling you to find specific file categories, devices, file
extensions.
Downloadable CSV Output: In the InControl 2 report, you can download the
complete information for each report in a CSV format for further analysis.
Module 4: Wireless Access Points
This module will examine different real life deployment scenarios, and how to
configure the access points to achieve the desired results.
Slide 165
Features At A Glance
Network
- Bridge Mode, Router (NAT) Mode, Wireless Distribution System (WDS), Support for PPPoE, Static IP, DHCP,
Management VLAN (802.1p), Spanning Tree Protocol (802.1d)
- Support up to 16 Wireless Network SSIDs configured, and it can broadcast up to 4 SSIDs concurrently
Per SSID: VLAN with QoS (802.1p/802.1q), Bandwidth Control, MAC Address Filtering, Layer 2 Client Isolation, Limit on
Max. Number of Client
Per Client: VLAN with RADIUS, VLAN with VLAN Pool, Bandwidth Control, Multicast Filter, IGMP Snooping/Multicast
Enhancement
AP Security: Open, WEP, 802.1x with Dynamic WEP, WPA-PSK/RADIUS, WPA2-PSK/RADIUS
Captive Portal Support: Supports External captive portal, or Social Wi-Fi with Facebook login.
3) AP One In-Wall
- 802.11 a/b/g/n, 2x2 MIMO Wi-Fi
- 2.4GHz Throughput: 300Mbps
- 5GHz Throughput: 300Mbps
- Simultaneous 2.4GHz and 5GHz
Slide 166
Hardware Overview
Slide 167
Hardware Overview
Slide 168
1) Default settings
• IP: 192.168.0.3/24
• Username: admin
• Password: public
• LAN DHCP: Disabled
2) Using Microsoft Internet Explorer 6 or above, Mozilla Firefox 2.0 or above, or Google Chrome
2.0 or above, connect to https://192.168.0.3.
3) Enter the default admin login ID and password, admin and public respectively.
After logging in, the main information page will appear. Click System, located under
Configure on the left, to begin setting up your access point.
Slide 169
After entering the parameters correctly, you will be able to log in to the Web
Admin page.
Click the Status item on the top menu bar to see an overview of System
Information:
• AP Name
• Location (user-defined, for the AP's physical location)
• Serial Number
• MAC Address
• Network IP Information (details will be displayed if the default settings have been changed)
• System Time
Slide 170
1) If you want the AP to keep the default Management IP after reboot, click the
checkbox to enable Keep Default IP, else uncheck the box.
Slide 171
The Pepwave AP One series has a unique feature: it can operate in either Layer 2
(Bridge) or Layer 3 (Router) mode.
A. Router Mode
- When using Router mode, your Pepwave access point can be used as a DHCP server for
devices located behind it in the network, and provide routing between the wired and wireless
networks
- In this example, putting the AP One in router mode would separate the wireless LAN from the wired
LAN segment, either for security control and enforcement or for broadcast isolation.
B. Bridge Mode
- This is the typical WLAN deployment, where the AP bridges between the wired and wireless
networks in the same broadcast domain.
Slide 172
LAN Settings
Manual Router Settings are available only when AP Mode is set to Router.
1) Under DHCP Server Settings, assign the IP Range of the wireless segment. Addresses from this
range will be assigned to wireless clients. The IP address of the AP will be the default gateway
for the wireless clients.
Slide 173
When the AP One is set to bridge mode, the LAN Settings are disabled, and the
wireless client will get the IP address assigned by the wired LAN DHCP server.
The packets will transparently pass through the AP One to reach the wired
LAN.
Slide 174
In a normal office WLAN deployment scenario, the AP will host at least 2 different
sets of users, namely internal and external.
Requirement
The customer has purchased one unit of Pepwave AP One recently. They want to enable wireless
access for their staff and visitors. Staff will have full access to internal networks and the Internet,
and visitors only have Internet access.
Slide 175
1) Go to AP > Wireless SSID, click on the New SSID button on the Wireless SSID tab.
2) Assign the Security Level from choices of “Open”, “WEP”, “802.1X”, “WPA2 - Personal”,
“WPA2 - Enterprise”, “WPA and WPA2 - Personal” and “WPA and WPA2 - Enterprise”. For
“Guest” SSID, choose “Open”.
The next two slides show the advanced SSID configurations.
Slide 176
As mentioned earlier, visitors are only allowed to access the Internet, so we need
to prevent them from reaching internal networks:
1) If this AP One has established a SpeedFusion VPN tunnel, and you don’t want “Guest”
traffic to go through it, tick the checkbox for Block PepVPN as well.
You can also block custom subnets using the Custom Subnet setting, or block
everything with exceptions via the Block Exception setting.
One more step is needed to complete the “Guest” SSID configuration, as shown
on the next page.
Slide 177
1) Leave the other settings as they are and select the checkbox for Layer 2 Isolation to turn on the feature.
Once this feature is turned on, wireless clients in the “Guest” network will not be
able to access each other.
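The Block All Private IP, Custom Subnet and Block Exception settings described above can be reasoned about before deployment with a small model. This is an added example, not the device's own logic: it assumes "private IP" means the RFC 1918 ranges and that an exception takes precedence over a block, and the 203.0.113.0/24 LAN and the single-host exception are constructed.

```python
import ipaddress

# Assumption: "private IP" means the three RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def guest_allowed(dst, block_private=True, custom_subnets=(), exceptions=()):
    """Model whether guest traffic to dst is forwarded.

    Assumption: exceptions win over blocks; everything not blocked is allowed.
    """
    ip = ipaddress.ip_address(dst)
    if any(ip in ipaddress.ip_network(n) for n in exceptions):
        return True
    if any(ip in ipaddress.ip_network(n) for n in custom_subnets):
        return False
    if block_private and any(ip in net for net in RFC1918):
        return False
    return True


def audit(lan_subnets, block_private=True, custom_subnets=(), exceptions=()):
    """List internal subnets that guests could still reach, with the reason."""
    blocked = [ipaddress.ip_network(n) for n in custom_subnets]
    if block_private:
        blocked += RFC1918
    allowed = [ipaddress.ip_network(n) for n in exceptions]
    findings = []
    for lan in map(ipaddress.ip_network, lan_subnets):
        if not any(lan.subnet_of(b) for b in blocked):
            findings.append((str(lan), "not covered by any blocked range"))
        holes = [str(a) for a in allowed if a.overlaps(lan)]
        if holes:
            findings.append((str(lan), "exception opens " + ", ".join(holes)))
    return findings


if __name__ == "__main__":
    # The course LAN (192.168.0.0/24) is private, so the checkbox covers it.
    print(audit(["192.168.0.0/24"]))
    # Constructed case: an internal LAN numbered from a non-private range is
    # missed by Block All Private IP until it is added as a custom subnet.
    print(audit(["203.0.113.0/24"]))
    print(audit(["203.0.113.0/24"], custom_subnets=["203.0.113.0/24"]))
    # Constructed case: a single-host exception re-opens part of the LAN.
    print(audit(["192.168.0.0/24"], exceptions=["192.168.0.50/32"]))
    print(guest_allowed("192.168.0.11"), guest_allowed("8.8.8.8"))
```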
Slide 178
Slide 179
1) In the SSID field, define the staff SSID as “Staff” and assign the Security Level “WPA
and WPA2 - Personal”; the key is “staffwlan”.
2) Make sure Guest Protect under Wireless SSID for “Staff” SSID is not
enabled.
3) If this AP One has established a SpeedFusion VPN tunnel, and you want
“Staff” traffic to be forwarded to the tunnel, uncheck the checkbox for Block
PepVPN.
4) Leave the other settings as they are, and make sure the checkbox for Layer 2
Isolation is clear.
Slide 180
Slide 181
1) Go to AP > Wireless SSID to edit the SSID settings required for Radius
Authentication
2) Change the security setting to WPA2 Enterprise or WPA/WPA2 Enterprise
3) Make sure the Radius server settings are configured.
Note: The AP One does not have a built-in Radius server; an external Radius server is required
for Radius server integration.
Slide 182
Captive Portal
1) Go to AP > Wireless SSID to edit the SSID settings required for Captive
portal authentication
2) Enable Captive portal authentication for “Open Access” or “Radius”
3) Make sure the Radius server settings are configured.
Reference:
http://www.peplink.com/knowledgebase/configuring-an-external-splash-page-for-captive-portal/
Slide 183
Reference: http://www.peplink.com/knowledgebase/how-to-set-up-social-wi-fi/
1. Make sure you are running Firmware 6.2.2 or AP Firmware 3.5.2. You can find your
Firmware status and update your Firmware on System > Firmware.
2. If you have disabled InControl 2 management, please re-enable it. For MAX devices,
you can find the settings on System > InControl. For Pepwave APs, you can find the
settings on System > Controller. Click the “Controller Management” checkbox to
enable InControl management.
Requirements:
To set up a Social Wi-Fi Hotspot, you will need the following items:
An InControl 2 account.
A Facebook homepage.
A supported device running Firmware 6.2.1 or above or AP Firmware 3.5.2.
Supported devices:
Peplink devices that have built-in Wi-Fi AP capability can deliver Social Wi-Fi, including:
Balance: One
MAX: 700, OTG, BR1*, BR2, HD2*, HD4
MediaFast: HD2, HD4
AP One: AP One, Mini, AC Mini, 300M, In-Wall, Flex 300M
AP Pro: AP Pro, 300M, Duo
*With the exception of the BR1 ENT, and the HD2 Mini
1. On your organization dashboard, click on the group you will use. Navigate to Wi-Fi AP >
Group-wide SSID Settings.
2. Click “Add New SSID”, and the following menu will appear: (Refer to next page)
1. After naming your SSID, scroll down to Captive Portal Settings and click the “Captive
Portal” checkbox.
3. For your Facebook Page ID, enter your company’s Facebook Page.
1. The last part of your Facebook page URL is your Facebook Page ID.
2. If a number string appears at the end of the URL, that will also work. Either way,
copy it and return to InControl.
1. Enter your Facebook Page ID or number string into the “Facebook Page ID” text
field, set up any usage limitations if needed, and press the Save Changes button to
finish your configuration.
1. If you wish, you could also click the Preview link next to the Captive Portal checkbox
to preview your captive portal:
A wireless distribution system (WDS) is useful for deployment sites with areas that
cables cannot reach, and for temporary deployments. Using WDS, it is possible
to wirelessly connect Access Points, and in doing so extend a wired infrastructure
to locations where cabling is impossible or inefficient to implement.
Note:
WDS may also be considered a repeater mode because it appears to bridge and accept wireless
clients at the same time (unlike traditional bridging). However, with this method, throughput is
halved for all clients connected wirelessly.
Requirement
The customer is expanding their head office, and the cabling work can only be completed in a
month’s time. However, the staff need to move in to the new office immediately. In response, the
IT manager will set up a WDS using an additional AP One (AP #2), to wirelessly connect back to
the existing AP One (AP #1).
For AES
• Passphrase
• Encryption Key
Slide 190
1) Navigate to AP > WDS, and the WDS Profile window will appear.
2) Click the “Add” button to add the WDS connection.
3) Key in the WDS LAN MAC Address of the peer AP.
4) If AES is enabled, then enter any wording for the Passphrase, eg. wdskey. Click the
Generate Key button to create the Encryption Key
5) Click Save and Apply Changes.
Once the settings are applied, it will take a moment for both APs to recognize
each other, then initiate and negotiate the WDS connection. Go to the status page to verify
the WDS status.
Slide 191
Slide 192
Slide 193
Requirement
A company wishes to install an AP in their office, but they are aware that other tenants on the same
floor have already installed a WLAN infrastructure. They want to know which wireless
spectrum (channel) will have the least interference.
The AP One series is capable of discovering nearby wireless networks and reporting information
regarding each network. That way, you can choose the least affected channel (if no free channels
are available) for your AP.
Slide 194
Slide 195
Slide 196
If you need the AP to provide higher output power to cover a bigger area, you can
enable the Power Boost feature:
1) Go to AP > Settings > Output Power menu item.
2) Click on the Boost checkbox to enable the feature.
3) Click Save and Apply Changes.
Note:
Enabling the power boost feature will increase the output power from 400mW to 2W. Please
enable only if local regulations permit.
Slide 197
Slide 198
Module 5: Surf Series
This module will examine different real-life deployment scenarios and provide detailed
instructions on how to use the major features of the Surf On-The-Go.
Slide 200
1) Default settings
• LAN IP: 192.168.20.1/24
• Admin ID: (No ID by default)
• Admin PW: (No password by default)
• DHCP Enabled
• DHCP Range: 192.168.20.10 – 192.168.20.250
• WLAN AP: Enabled
• SSID: PEPWAVE_#### (where #### is the suffix of the MAC address of the SOTG)
2) Using Microsoft Internet Explorer 6 or above, Mozilla Firefox 2.0 or above, or Google Chrome
2.0 or above, connect to https://192.168.20.1.
3) As there is no login security enabled by default, you will be redirected to the Dashboard page.
Slide 201
Dashboard Page
At the Dashboard page, you will see the device’s current WAN connection status. It also displays
a real-time graph displaying Network Data Usage and Signal Timeline (if WiFi or Cellular is
active).
You can change the WAN connection type by clicking the Switch WAN Mode icons (WiFi,
Cellular, Wired).
Status Page
You can view the device status on this page. Detailed information includes:
• Firmware version
• Hardware version
• Model
• Serial Number
• Supported Mode (operating radio frequency, a/b/g/n)
• etc.
If the WAN link is active, you will see the relevant information such as IP Address, Subnet Mask, Gateway,
etc.
Slide 202
Wi-Fi Mode
Connect to the Internet via a Wi-Fi hotspot (with Cellular as backup),
and provide a local access point and Ethernet connection, e.g.
Wi-Fi services from an ISP, hotel, RV park, or marina.
Cellular Mode
Connect to the Internet using a 4G (WiMAX / LTE) or 3G USB modem,
and provide a local access point and Ethernet connection, e.g.
for a traveler or a remote area.
Wired Mode
Connect to the Internet via an Ethernet cable (with Cellular as
backup), through a DSL/cable modem or router, and provide a
local access point, e.g. at home or in a hotel.
Slide 203
Slide 204
1) In the Wireless Settings section, change Wireless Network Name (SSID) from the default
value of MySSID to the SSID specified by your wireless Internet service provider. Otherwise,
you may change this field to a blank value, and then select an SSID from the resulting list,
which also includes corresponding encryption types and signal strengths. With the MAC Clone
function, you can use the Ethernet client MAC address as the Surf's WAN MAC
address.
2) From the Authentication drop-down menu, select the authentication type required by your
Wi-Fi Internet service provider. Then, if applicable, enter the Encryption Key value provided by
your ISP.
3) In the AP Settings section, select Configure Manually. In the AP SSID field, enter the
network name used to identify the home Wi-Fi network. The default AP SSID value is
PEPWAVE_####; change it to “MY-MOTG”.
4) Navigate to the Dashboard page, which displays connection details and signal strength level.
5) Upon successful connection, all of the LEDs on the Surf should be lit as follows:
• PWR – Solid Green
• RDY – Yellow
• ENET – Solid Green
• Wi-Fi – Displays a varying number of lit signal bars depending on the strength of the
received signal
If any open Wi-Fi hotspot is available, you can configure the Surf OTG to enable the
Connect to Any Open Mode AP feature, with which it will connect to these hotspots automatically.
When needed, you can use the Ethernet client MAC address as the Surf's WAN MAC address by
enabling "MAC Clone" under Wi-Fi WAN Settings.
Slide 205
Slide 206
Slide 207
1) Connect to the Web Admin Interface. Click Cellular, and then Settings.
2) Click Cellular Settings on the left. In general, selecting Auto Operator Settings is sufficient
to connect to the Internet. If not, select Custom Operator Settings to manually enter settings
specified by your cellular service provider (typically APN and Dial Number). When finished,
click Save on the lower right.
3) Refer to the previous example for WLAN AP settings; the SSID is “MY-MOTG” and the WPA/WPA2 key
is “motgwlan”.
4) Navigate to the Dashboard page, which displays connection details and signal strength.
5) Upon successful connection, all of the LEDs on the Surf should be lit as follows:
• PWR – Solid Green
• RDY – Yellow
• ENET – Solid Green
• Wi-Fi – Displays a varying number of lit signal bars depending on the strength of the
received signal
Slide 208
Slide 209
Slide 210
1) Connect one end of an Ethernet cable to the Surf On-The-Go and the other end to your
Internet source.
2) Refer to the previous example for WLAN AP settings; the SSID is “MY-MOTG” and the WPA/WPA2 key
is “motgwlan”.
3) Connect to the Web Admin Interface. Click Wired, and then Settings.
4) In the WAN IP Settings section, select the method the Surf will use to obtain an IP address:
• Configure Manually – After selecting this option, manually enter a static IP address.
• Obtain an IP Address using DHCP – Obtain an IP address automatically.
• Obtain an IP Address using PPPOE – Connect to Internet service using PPPoE.
5) Navigate to the Dashboard page, which displays connection details and signal strength level.
6) Upon successful connection, all of the LEDs on the Surf should be lit as follows:
• PWR – Solid Green
• RDY – Yellow
• ENET – Solid Green
• Wi-Fi – Displays a varying number of lit signal bars depending on the strength of the
received signal
Slide 211
Slide 212
Slide 213
At the Dashboard, the Cellular 1 icon will appear below the Wired WAN. Its state depends
on the Cellular settings: if you choose disconnect, it will remain
disconnected (icon dimmed) while the primary WAN link is active. If you select
remain connected in the Cellular settings, the cellular link will establish a connection
and remain in hot-standby mode (icon turns green).
Slide 214
When the Surf OTG detects that the Wired WAN has failed, it automatically brings up the Cellular
WAN. As shown in the screen capture, Cellular 1 is active (green icon) with
the signal strength status displayed.
Slide 215
Slide 216
When the Surf OTG detects that the Wired WAN has been restored, it forwards traffic on the Ethernet port
again and at the same time puts the Cellular WAN in standby mode by disconnecting from
the cellular connection.
Slide 217
Slide 218
For further details on these settings, please refer to the relevant firmware user manual.
Slide 219
Module 6: Cloud-Based Networking
This module will examine different real-life deployment scenarios and provide detailed instructions
on how to use the major features of the Surf On-The-Go.
Slide 221
Slide 222
FusionHub runs on nearly all mainstream virtual machine software. The supported hypervisors
include:
3. Citrix XenServer
4. Oracle VirtualBox
5. Microsoft Hyper-V
Please refer to the Peplink FusionHub website for installation instructions for each hypervisor,
at the URL below:
http://www.peplink.com/support/downloads/fusionhub-binary-installation-guide/
Slide 223
Hardware Specifications
1. Minimum Requirements for VM Host Hardware*
• Intel Core i5 processor
• 4GB RAM
• 100GB hard drive
2. Recommended VM Host Hardware for 1Gbps of SpeedFusion VPN Throughput*
• Xeon E3-1270V2 @3.5GHz
• 8GB RAM
• 500GB hard drive
* Not applicable for AWS instances.
Slide 224
Currently, the only means of acquiring FusionHub for AWS is through private sharing. You
need to provide the following information to trial@peplink.com. Peplink will then share the AMI
image with your account:
12-digit Amazon ID
Slide 225
FusionHub deployed in enterprise networks can combine multiple commodity links from different
ISPs to create an unbreakable connection to your most important enterprise applications.
Key Benefits:
2. Session Persistence: Maintain session integrity even when WAN connections break.
3. Pay as You Grow Pricing: Save on initial capital expenditures. Grow your network
affordably.
1. Branch Office VPN: Remotely access head office resources with the same bandwidth
and reliability as a local user.
2. Faster Internet via Datacenter: Route remote site traffic over SpeedFusion for
centralized Web filtering or to take advantage of high-speed Internet links at the main site.
3. Upload HD Video on 4G LTE: Bond multiple 4G LTE connections for fast HD video
uploads to your cloud-based datacenter.
Slide 226
In the MSP deployment model, you run multiple instances of FusionHub in your datacenter or cloud
infrastructure to provide each customer with their own SpeedFusion-enabled cloud server.
Key Benefits:
1. Add Value to Your Existing Services: Add SpeedFusion to your services to make them
faster.
2. Solve Connectivity Issues: Use bandwidth bonding to provide fast Internet to places
with poor Internet access.
3. Offer Unbreakable VPN: Provide highly available redundant site-to-site VPN connectivity
using cheap commodity Internet connections.
When deploying FusionHub as an MSP through the Peplink SpeedFusion Alliance Programme:
1. Unlimited Scalability: Run as many FusionHubs as you need and manage them using
InControl 2. Pay as you grow, with pricing based on throughput and the number of peers
connected.
* More on the Peplink SpeedFusion Alliance Programme can be found at the URL below:
http://www.peplink.com/partners/speedfusion-alliance/
Slide 227
Branch Office VPN: Remotely access head office resources with the same bandwidth and
reliability as a local user. Data, voice, and video communications between these locations are kept
confidential across the public Internet.
Slide 228
Faster Internet via Datacenter: Combine multiple low-speed Internet links at the remote office into
a SpeedFusion tunnel towards the datacenter. This setup can route remote site traffic over
SpeedFusion for centralized Web filtering or to take advantage of high-speed Internet links at the
main site.
Slide 229
As an MSP, you can run multiple instances of FusionHub in your datacenter or cloud infrastructure
to provide each customer with their own isolated SpeedFusion-enabled cloud server.
Offer SpeedFusion as a Service (SaaS): Run multiple FusionHub virtual appliances to provide
separate SpeedFusion WANs for your customers.
Slide 230
Peplink FusionHub securely connects one or more branch offices to your company's main
datacenter or to other branches. Data, voice, and video communications between these locations
are kept confidential despite going across the public Internet.
When supporting multiple VPN connections, FusionHub can act as a central hub that connects
branch offices. For example, if Branch Office A and Branch Office B make VPN connections to
Headquarters C, both branch office LAN subnets and the subnets behind them (e.g., static routes)
will also be advertised to Headquarters C and the other branches. In this example, Branch Office
A will be able to access Branch Office B via Headquarters C.
The local LAN subnet and subnets behind the LAN will be advertised to the VPN. All VPN
members (branch offices and the datacenter) will be able to route to local subnets. Note that all
LAN subnets and subnets behind them must be unique. Otherwise, VPN members will not be able
to access each other.
All data can be routed over the VPN using the 256-bit AES encryption standard. In the following
sections, three FusionHub application examples illustrate how to set up your devices.
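The requirement above that every LAN subnet and every subnet behind it be unique across VPN members can be checked before any tunnel is built. The following Python check is an added example, not part of the original course material or of any Peplink tool; the inventory format, the sample subnets, and the choice to compare only subnets advertised by different sites are assumptions.

```python
"""Pre-deployment check: advertised subnets must be unique across VPN members."""
import ipaddress
from itertools import combinations

# Constructed sample inventory: site names follow the example above,
# the subnets are invented for illustration.
SAMPLE_SITES = {
    "Headquarters C": ["10.0.0.0/16", "172.16.50.0/24"],
    "Branch Office A": ["192.168.1.0/24", "192.168.10.0/24"],
    "Branch Office B": ["192.168.1.0/24", "10.0.20.0/24"],
}


def parse_advertised(sites):
    """Flatten {site: [cidr, ...]} into (site, network) pairs.

    strict=True rejects entries with host bits set (e.g. 192.168.1.5/24),
    which usually means a host address was entered instead of a subnet.
    """
    entries = []
    for site, cidrs in sites.items():
        for cidr in cidrs:
            try:
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError as exc:
                raise ValueError(f"{site}: bad subnet {cidr!r}: {exc}") from exc
            entries.append((site, net))
    return entries


def find_conflicts(sites):
    """Return conflicts between subnets advertised by different sites.

    Each conflict is (kind, site_a, net_a, site_b, net_b), where kind is
    "duplicate" for identical prefixes and "overlap" when one prefix
    contains the other (a /24 inside another site's /16, for instance).
    """
    conflicts = []
    for (site_a, net_a), (site_b, net_b) in combinations(parse_advertised(sites), 2):
        # Assumption: only cross-site pairs matter for this check.
        if site_a == site_b or net_a.version != net_b.version:
            continue
        if net_a.overlaps(net_b):
            kind = "duplicate" if net_a == net_b else "overlap"
            conflicts.append((kind, site_a, str(net_a), site_b, str(net_b)))
    return conflicts


if __name__ == "__main__":
    for kind, site_a, net_a, site_b, net_b in find_conflicts(SAMPLE_SITES):
        print(f"{kind}: {site_a} {net_a} <-> {site_b} {net_b}")
```

Note that an overlap is as much a problem as an exact duplicate: a branch /24 that falls inside the headquarters /16 is ambiguous to route even though the two prefixes differ.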
Slide 231
Offices interconnect
In this example, the hosts located at Office A want to communicate with the host located at
Headquarters.
Slide 232
To set up the scenario shown above, we need to configure a MAX HD2 at Site A, a MAX BR1 at
Site B, and FusionHub (two network adapters are needed) at the Datacenter.
Slide 233
The User Interface (UI) of FusionHub is similar to that of Balance or MAX routers.
The default WAN connection method for FusionHub is DHCP. If a DHCP server is available in
your network, the FusionHub IP address will be obtained automatically from the DHCP server. The
Web admin address will appear on the FusionHub console automatically (e.g., Admin:
http://10.8.8.252). Enter the Web admin address (e.g., http://10.8.8.252) in your Web browser's
address field.
If there is no DHCP server in your network, set your computer’s IP address to 169.254.x.x (x
denotes any integer from 2 to 253), using a subnet mask of 255.255.0.0.
Slide 234
When FusionHub is first installed, only the WAN Interface will be available. The default WAN
connection method for FusionHub is DHCP.
Configuring the WAN Interface of FusionHub is similar to doing so for Balance / MAX
routers, except that fewer parameters need to be configured.
Slide 235
The FusionHub LAN Interface is not enabled by default; you need to add a network adapter to
the FusionHub virtual machine.
After adding one or more network adapters to the FusionHub virtual machine, power on the virtual
machine, and then reconnect to the FusionHub Web admin interface. Navigate to Network > LAN,
and you will be able to see the LAN Interface.
When Route PepVPN traffic to LAN is enabled, all traffic from remote SpeedFusion peers will be routed to
the defined Gateway.
Note: FusionHub virtual machines support a maximum number of two network adapters. By
default, Network adapter 1 is set as the WAN port, and Network adapter 2 is set as the LAN
port.
Slide 236
Layer 3 Isolation - Enable this option if you want to block layer 3 network traffic between PepVPN
peers. This will not affect the connectivity between the peers and the local network.
Slide 237
WAN Smoothing
WAN Smoothing utilizes multiple WAN links to reduce the impact of packet loss and get the lowest
possible latency at the expense of extra bandwidth consumption. This is suitable for streaming
applications where the average bitrate requirement is much lower than the WAN's available
bandwidth.
Normal - The total bandwidth consumption will be at most 2x of the original data traffic.
Medium - The total bandwidth consumption will be at most 3x of the original data traffic.
High - The total bandwidth consumption depends on the number of connected active tunnels.
Default: Off
Slide 238
To ensure that important data travels through FusionHub with high priority, enable Application
QoS. Choose the application you wish to prioritize, and then set the priority accordingly (e.g. Low,
Normal or High).
Slide 239
To enhance security using external certificates, FusionHub supports self-signed certificates for
SpeedFusion and for the Web Admin. If you have certificates that are signed by a CA, you may import
them here.
Slide 240
Each license key can be associated with one FusionHub instance only. If you re-use a license key
without "releasing" it on InControl 2, FusionHub will report "License key already in use".
For detailed steps on migrating the license, refer to the URL below:
http://www.peplink.com/knowledgebase/how-to-migrate-your-fusionhub-licence-to-a-new-vm/
Slide 241
Introducing InControl 2
InControl 2 is our cloud-based device management, monitoring, and reporting tool designed
specifically for Peplink and Pepwave devices.
Any of our devices can be registered on InControl 2. Once your device is registered, you can get
advanced administration tools, unprecedented device visibility, and comprehensive reporting.
Slide 242
Just like FusionHub, the InControl 2 also comes in 2 variants for customers to choose from:
If your devices are in-warranty running Firmware 6.1 and above (or Firmware 3.4.1 and above for AP One),
InControl 2 is free of charge.
There are various User Roles in InControl 2, each carrying different access rights and authorities:
Dashboard Viewer: These users can only view the organization dashboard. Useful for publicly accessible
accounts.
Group Viewer: These users can read information for the specified group, but cannot make changes.
Group Administrator: These users can access the specified group, reading and making changes.
Organization Viewer: These users can read information for the entire organization, but cannot make changes.
Organization Administrator: These users can access the entire organization, reading and making changes.
In the Private Hosted Model, sometimes called the MSP Model, there is an additional role, MSP Administrator, which has
the access rights to manage all organizations under that particular private InControl 2 system.
Slide 244
InControl 2 - Dashboard
When you first log in to InControl 2 to start managing Peplink devices, you will see the
Overview Dashboard page.
This page displays several pieces of useful information about the devices managed by your
Organization.
Indicates which access level you are currently working at. There are three access levels:
Organization Level: Reports here describe your entire organization. Decisions here also tend to
affect the whole organization.
Group Level: Reports here describe the status of the device groups that you define.
Device Level: Here, you can obtain the most detailed reports and configuration options regarding
each device. This is also the level which enables you to remotely access the device’s web admin.
2. Organization Identification
This area displays the Organization that you have logged into, along with your login credential. It
also gives you shortcut access to Organization-related settings, as well as quick access to your
Groups.
3. Associated Setting Options
This area indicates the relevant settings available on the current access level. It will change
according to the level you access.
A one-glance view of your entire Organization. The [Service Expired] and [Service Expiring Soon]
categories change dynamically according to the device warranty status. The [Service Expiring
Soon] notification will display the number of managed devices whose warranty will expire within
60 days.
5. Groups Summary
Lists each group, their Online Devices, their Total number of Devices, and Clients connected to all
Online Devices. Click the up-down arrow to sort by that statistic.
6. User Feedback Button
If you have any comments, suggestions, or problems to report, click on the <Feedback> button.
You will be able to enter a short description, as well as draw free-hand on the current screen. When
you click the <Submit> button, the system will send a notification immediately to the InControl 2
team for review.
Slide 245
Once you have registered a new device, you can add it to the group of your choice. You
can also move it to a new department (Group), and rename the device at the same time if needed.
2. Firmware Policy
You can utilize InControl 2 to automate the firmware management. You can push
firmware based on a schedule or push firmware immediately to the designated Group.
Please note that InControl 2 will push the Firmware onto devices even if the device is
already running newer Firmware. If your device is running a Firmware version not
available on InControl 2, we recommend that you disable automated firmware
management.
3. Configuration Backup
4. Configuration Cloning
IC2 allows you to clone the configuration from a “Master” device, and replicate (via push
method) the settings to other devices in the same Group. To use this feature, please
ensure that all the devices in the Group are the same model, running the same
firmware version.
Slide 246
InControl 2 provides full fleet management when used in combination with our vehicle-mounted,
GPS–enabled devices, such as the MAX HD2 and the BR1.
Track your devices wherever they are using our interactive maps. Check vehicle speed, cellular
coverage, and traffic conditions. Play back route histories in real-time.
1. Locate
Easily find any device using interactive maps. Point and click to see device details, such
as cellular signal strength and number of clients.
2. Track
Track location over the past 24 hours or review any 24-hour period. Play back route
histories in real-time or at high speed to see exactly where a vehicle was at any point.
3. Monitor
Use the color-coded tracking feature to monitor real-time vehicle speed. Drill down
through tracking history data to spot speed patterns.
Slide 247
Now, you can provision SpeedFusion VPN in various topologies within IC2, namely:
Do take note that the SpeedFusion settings provisioned in IC2 will override any manual
PepVPN/SpeedFusion configuration performed at the devices. So, if you have already configured
PepVPN/SpeedFusion manually, then we recommend that you turn off the SpeedFusion
Management at IC2.
Slide 248
InControl 2 enables the provisioning of Wi-Fi settings of compatible Balance, MAX, and AP
models. Please note that IC2 will overwrite any manual Wi-Fi configurations performed at the
device level.
There are a few key Wi-Fi settings that can be configured and pushed to the devices.
1. Wireless SSID
2. Wireless Radio
Configure the wireless radio related settings, e.g. frequency channel, transmit power, etc.
3. Captive Portal
Define the captive portal for certain wireless networks. For details of the captive portal
settings in IC2, please refer to Module 4 - Wireless AP.
Slide 249
As a part of the centralized management features, IC2 provides reports and monitoring
capabilities to its users.
The available reports in IC2 include Device Reports, Wi-Fi Reports, Captive Portal Reports,
DPI Reports (only available to FusionHub), Client Reports, Event Log, Device Status.
You can select your range of periods such as: Real Time, Today, Yesterday, Last 7 Days, Last
Month, and Custom.
Slide 250
InControl 2 has a few levels of system administration; the highest level is Organization Settings.
Changes here will affect the entire organization. A few of the important tasks include:
Create, rename, delete User ID, change email ID, and change user role (from
Organization Administrator, down to Dashboard Viewer).
At the Warranty & License page, you can view the devices warranty & IC2 subscription
date.
IC2 allows users to manage the FusionHub license key. You can delete, release, and
import the full FusionHub licenses, or generate FusionHub Evaluation License Keys for
testing purposes.
Slide 251
InControl 2 allows the delegation of device management down to the group level. This feature
gives the flexibility to assign device administration to different persons, while preventing
unauthorized access. The example above illustrates a Managed Service Provider setting up a
multi-tenant environment.
Create, rename, delete User ID, change email ID, and change user role (from Group
Administrator, down to Dashboard Viewer).
You can enable email notifications when any device in the group goes off-line.
The Group Administrator can centrally maintain or change the Web Admin password of
managed devices from IC2. This feature also allows password restoration, just in case a
device Web Admin password has been accidentally changed.
Slide 252
InControl 2 has a built-in audit trail feature, which logs every transaction performed by each
user.
Slide 253