Peplink Certified Engineer Training Program

Training Materials

Last updated: 26-09-2013© 2013 Peplink / Pepwave All rights reserved. No part of this manual may be reproduced, transcribed, stored in a retrieval system, translated into any language or computer language or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the copyright owner.The copyright owner gives no warranties and makes no representations about the contents of this manual and specifically disclaims any implied warranties or merchantability or fitness for any purpose.

The copyright owner reserves the right to revise this manual and to make changes from time to time in its contents without notifying any person of such revisions or changes.

Course Agenda

Module 1: Understanding Multi-WAN and SpeedFusionBrief description of Peplink/Pepwave’s most important technologies

Module 2: Peplink and Pepwave Products OverviewIntroduction of Peplink and Pepwave products.

Module 3: Balance and MAX RoutersExploring different configuration scenarios with Balance and MAX routers.

Module 4: Wireless Access PointIn-depth configuration guide for Wireless Access Points.

Module 5: Surf SeriesExplanation and setup instructions for the Surf Series.

Peplink Balance Series Enterprise-class Multi-WAN Router

Peplink 2

In this chapter, we will focus on how SpeedFusion functions, it’sdistinguishing features/benefits, and it’s implementation scenarios.


Peplink 3

Course Agenda

Module 1: Understanding Multi-WAN and SpeedFusionBrief description of Peplink/Pepwave’s most important technologies

Module 2: Peplink and Pepwave Products OverviewIntroduction of Peplink and Pepwave products.

Module 3: Balance and MAX RoutersExploring different configuration scenarios with Balance and MAX routers.

Module 4: Wireless Access PointIn-depth configuration guide for Wireless Access Points.

Module 5: Surf SeriesExplanation and setup instructions for the Surf Series.


Peplink 4

A well-designed VPN provides a business with the following benefits:

- Extended connectivity across multiple geographic locations without using a leased line

- Improved security for exchanging data

- Ability for remote offices and employees to use business intranet over an existing Internet connection as if they were directly connected to the network

- Savings in time and expense for employees to commute if they work from virtual workplaces

- Improved productivity for remote employees

Examples of VPN usage, accessing resources only available in HQ (File orPrint sharing), and some restricted internal applications require VPN to beestablished.


Peplink 5

Peplink’s Unbreakable VPN uses multiple WAN connections to keep VPNs upand running when a connection fails. Powered by our patent-pendingSpeedFusion technology, Unbreakable VPN automatically and seamlesslymoves VPN sessions to standby WAN links when active links drop out. All this istransparent to users, making all VoIP calls and video streams run flawlessly.Your business continues, uninterrupted.

SpeedFusion VPN is useful for Public Transport, Video Streaming, MobileCommand, Branch-to-HQ, and Rural Areas. It is applicable anywhere you need areliable VPN connections.


Peplink 6

Introducing the World’s Easiest VPN

PepVPN is our core VPN engine. It is ideal for establishing a secure tunnel overany WAN link. On top of all the benefits of IPsec and other conventional VPNtechnologies, the PepVPN engine also offers:

Long-distance Ethernet cable − You can easily build a secure and seamlessEthernet tunnel over any IP connection (Layer 2 over Layer 3). It virtuallyprovides a long-distance Ethernet cable over any WAN link.

Seamless transition − PepVPN and SpeedFusion share the same core VPNengine, meaning that all your PepVPN and SpeedFusion-enabled devices willwork flawlessly together. It also allows you to easily upgrade a PepVPN endpointto SpeedFusion, taking advantage of the added benefits without worrying aboutcompatibility.

Works in any dynamic IP environment − PepVPN is fully compatible with anydynamic IP environment and NAT, allowing you to establish a VPN behind a NATgateway or firewall without worrying about static IP addresses.

This technology can be applied to SOHO and Mobile Office; any environment that


Peplink 7

requires reliable connectivity, without using multiple low cost Internet links for theirbusiness operations via VPN. Even if you have one encrypted peer and anothernot encrypted, PepVPN will still create an encrypted tunnel. As PepVPN is easy tosetup, hence no technical assistance needed on-site.

SpeedFusion Hot Failover − Unbreakable VoIP and VPN

SpeedFusion Hot Failover is a premium add-on that manages multiple redundantconnections to keep VPNs and VoIP deployments up and running at all times.

Easy setup − Just add connections, you can even mix wired and wirelesstechnologies.

Unbreakable VoIP and VPN − With other VPN technologies, WAN failoverterminates existing VPN connections, creating costly downtime. SpeedFusion HotFailover prevents this by maintaining secure tunnels over all available WAN links.In case of a WAN failure, SpeedFusion Hot Failover will instantly and seamlesslyswitch traffic to another available tunnel. This creates unbreakable VPNs andVoIP sessions.

For scenarios that require uninterruptable connections (like Mobile Command,POS, ATM, and VoIP deployments), SpeedFusion Hot Failover provides analways-on VPN link that helps these application run smoothly. The “make-before-break” mechanism built-into SpeedFusion Hot Failover VPN. This provides atransparent switch-over: if there is any link failover or link recovery, the user willnot notice any interruptions. This cannot be accomplished with any other VPNsolution in the market.


Peplink 8

SpeedFusion Bonding − Packet-Level Bandwidth Bonding.

Working hand-in-hand with Hot Failover and PepVPN, SpeedFusion Bondingbuilds a fat tunnel using all your connections, giving you blazing throughputwhenever you need it.

Multi-WAN bandwidth bonding − SpeedFusion Bonding combines multiple linksfrom multiple providers into a single, superfast tunnel.

VPN Bonding – SpeedFusion Bonding can create high speed VPNs by bondingmultiple WAN links together.

Unbreakable Session Hot Failover − SpeedFusion Bonding monitorsconnections and automatically turns control over to Hot Failover when linksbecome unstable.

Packet Level Bandwidth bonding – The packets of your session are distributedacross all your available links.

Layer 2 Tunneling – SpeedFusion operates on Layer 2, bonding your availablelinks at the data link layer.


Peplink 9

Easy, on-demand scalability − Need more speed for mission-critical VPNs? Howabout temporary bandwidth for a specific projects? With SpeedFusion Bonding,you can plug in connections from any provider and get more speed, wheneveryou need it.

Instant Bandwidth Control – And you can unplug connections at any time,keeping your costs under control.

HQ-to-Branch, on the field news Video Streaming, High Speed Public Transport(eg. train): all of these applications need high bandwidth and reliable links to pushhigh volumes of data back to their HQ/Media Center/Control Center forprocessing. SpeedFusion Bonding is able to combine multiple Internet lines intoone logical big pipe to carry the information over.

This table compares the features of IPSec, PepVPN, SpeedFusion Hot Failover and SpeedFusion Bonding


Peplink 10

We will now explore the application of SpeedFusion, with various case studies.1) MPLS Replacement2) Branch Network Connection3) SpeedFusion 3G/4G Bonding4) Video Transmission in the Air5) Data Transmission over Water6) Replace Expensive Satellite Connection7) Mission Critical Video Surveillance8) 100% Uptime for First Responders9) Money Saving on Branch Network Connections10) Flawless Connections in Remote Areas


Peplink 11


Peplink 12


Peplink 13

14

15


Peplink 16


Peplink 17


Peplink 18


Peplink 19


Peplink 20

Peplink is the leader in Internet load balancing and VPN bondingsolutions. Peplink Balance Multi-WAN Routers have been deployed aroundthe world, helping thousands of customers increase their bandwidth,enhance their internet reliability, and reduce their costs. Our completeproduct line accommodates business of all sizes, providing an awardwinning Internet experience for customers.

Pepwave is the proven market leader in delivering specialized wirelesssolutions for industrial networking services, wireless mobility services,internet service providers, and professional hotspot providers. As aninnovator in wireless technology solutions, Pepwave operates in globalcooperation with distributors, system integrators, ODM partners, andstrategic allies.


Peplink 21

Course Agenda

• Module 2: Peplink and Pepwave Products OverviewIntroduce Peplink and Pepwave product suite.


Peplink 22

We offer five major categories of products:1. Multi WAN Router2. Cellular Router3. Enterprise Access Point4. Carrier Grade Access Point5. SOHO Router6. Router Utility

Peplink and Pepwave solutions cover different market segments, rangingfrom SOHO, Mobile Office, Small Office, Branch Office, Regional Office,and HQ-level Data Centers.


Peplink 23

Target Market Segments for Balance Products

1) Power User and Home User- Balance 20 & 30- 2 to 3 WAN interfaces, with 1 USB for Mobile Internet dongle - 25 max users recommended

2) Small Business - Balance 210 & 310- 2 to 3 WAN interfaces, with 1 USB for Mobile Internet dongle - 50 max users recommended- Comes with SpeedFusion Bonding, up to 2 SpeedFusion peers max

3) Mid-Size Business- Balance 305, 380 & 580- 19” Rack mount form factor- Recommend up to 500 users max for 305 & 380, while 580 can support up to 1,000 users max- Model 305 (with separate license) & 380 support 20 SF peers max, while 580 support 50 SF peers max- Default can act as WLAN Controller, support 10 Access Points default- Can manage up to 50 (Model 305 & 380), and 100 (Model 580) AP with separate license purchased

4) Large Enterprise- Balance 710 & 1350


Peplink 24

- 19” Rack mount form factor- 710 can support 2,000 users max while 1350 can support up to 5,000 users max- Model 710 support 300 SF peers max, while 1350 support 800 SF peers max- Default can act as WLAN Controller, support 20 Access Points by default- Can manage up to 250 (Model 710), and 500 (Model 1350) AP with separate license purchased

A. Internet Load BalancingBy balancing Internet traffic over active links, Peplink Balance gives you extra reliability.Peplink gives you seven Load Balancing Algorithms to fine-tune your network traffic.

The following types of Outbound Traffic Rules are available:• Weighted Balance • Persistence • Enforced • Priority • Overflow • Least Used • Lowest Latency

B. Inbound Load BalancingInbound Load Balancing distributes inbound data traffic over multiple WAN links tocomputers behind Peplink Balance. Peplink Balance 210, 310, 380, 390, 580, 710, and1350 have a built-in DNS server that enables this functionality.

Authoritative DNS functionality is not available on Peplink Balance 20 and 30.

Inbound Load Balancing is configured via both of the following:• DNS records configured within Peplink Balance• External DNS records at an Authoritative DNS Server


Peplink 25

Site-to-Site VPN Bonding in Mesh Scenario

All offices are connected to each other

Highly reliable network with bonded links and encrypted traffic

Communication between offices has never been faster

All offices deployed with Balance 380 model


Peplink 26

Site-to-Site VPN Bonding in Star Scenario

Headquarters serve as central site

Bonded VPN for reliable and uninterrupted VPN services

Fast and convenient way to securely transfer data to transaction server

HQ installed with Balance 1350

Supermarket POS deployed Balance 380

ATM in Subway station equipped with Balance 210

Shopping Mall POS will need Balance 310

ATM in branch can installed with MAX Mobile Router


Peplink 27

For existing Balance customers who wish to implement a WLAN solution, Peplinkcan help save significant money and effort. From the model 305, 580 andonwards, the Balance comes with built-in AP management. This makes deployingPepwave AP much easier and affordable.

In this example, the Balance Multi-WAN router can serves three roles: it is a WANload balancer, a Wireless LAN Controller, and when needed, a site-to-site VPNtermination point as well.


Peplink 28

Product Market Positioning

1) MAX On-The-GoComes with 3 SKUs: - the lowest SKU connects a single USB modem- the second SKU allows 4 USB modems with Hot Failover- the highest SKU allows SpeedFusion Bonding in addition to the 4 USB modems. - This product is good for mobile offices that reside in rural areas without access to cable internet

2) MAX BR1- Rugged metal case is suitable for industrial-grade usage - Comes with 2 SKU, 3G WAN and 4G-LTE modems built-in- Supports a redundant SIM with dual SIM slots, providing failover functionality between them.*- Built with terminal block for reliable power sourcing, and a rugged 10V-32V DC power supply to be deploy in mobile vehicle- Ideal for mobile command, high speed public transport, and harsh environment deployment- Advanced Car-Fi Roaming + IPsec X.509 Certificate Support (only available for BR1 as add-on feature)


29

3) MAX 700- Rugged metal case is suitable for industrial-grade usage - Support up to 7 WAN links (2 Wired, 4 USB, 1 WiFi)- Built with terminal block for reliable power sourcing, and a rugged 10V-32V DC power supply to be deploy in mobile vehicle- Ideal for on-the-field media streaming and live broadcasting deployment, that require bigger bandwidth

4) MAX HD2- Rugged metal case is suitable for industrial-grade usage - Come with 2 variants, built-in 3G and built in 4G-LTE modems- Supports up to 6 WAN links (2 Wired, 2 Cellurar, 1 USB, 1 WiFi)- Built with terminal block for reliable power sourcing, and a rugged 10V-32V DC power supply to be deploy in mobile vehicle- Ideal for on-the-field media streaming and live broadcasting deployment, that require a bigger bandwidth- If GPS enabled, both (or any one of its) SMA antenna ports can be use to locate GPS signal and position

5) MAX HD2 IP67- IP67 waterproof enclosure ideal for outdoor applications - 2x embedded cellular modems, each with redundant SIM slots, securely installed inside the unit- Come with 2 variants, 3G and 4G-LTE modems built-in, with options of Verizon and AT&T, AT&T/Telcel/Rogers, and Worldwide carrier- Using 10V-30V DC power supply - Ideal for machine-to-machine communication, surveillance, military and other mission-critical applications outdoor, the MAX HD2 IP67 is as comfortable on a construction site, oil platform, disaster scene, or factory floor as it is on a battlefield

MAX Routers power redundancyFor models which come with dual power sources (DC Jack & Terminal Block), it serves as input power redundancy. If any of the power source is interrupted while the other is active, the MAX router will continue to operate without being affected by the power disruption.

*Please note that redundant SIM does not equal two cellular modems. That is, only one SIM can be active at any time; you will not be able to get better throughput or load balancing by filling both SIM slots.

MAX Router Deployment Scenarios

SpeedFusion Bonding (on MAX HD2)- Deploy multiple low cost 3G connections- Save money, enjoy higher bandwidth, avoid dead spots- Seamless failover ensures reliable video stream from mobile sites to HQ

Hot Failover (MAX BR1 or HD2)- Everywhere LTE- Ensures optimal performance by choosing the carrier with the best signal - Saves money by using only one carrier at a time-Hot failover ensure flawless video stream from mobile sites to HQ

GPS Fleet Tracking (MAX BR1 or HD2)- Homeland security- Monitor and coordinate fleet vehicles wherever they may be- Hot failover ensure flawless video stream from mobile sites to HQ


Peplink 30

Features At A Glance

Network- Bridge Mode, Router (NAT) Mode, Wireless Distribution System (WDS), Support for PPPoE, Static IP, DHCP, Management VLAN (802.1p), Spanning Tree Protocol (802.1d)- Support up to 16 Wireless Network SSIDs configured, and it can broadcast up to 4 SSIDs concurrently

Client Management

Per SSIDVLAN with QoS (802.1p/802.1q), Bandwidth Control, MAC Address Filtering, Layer 2 Client Isolation, Limit on Max. Number of Client

Per ClientVLAN with RADIUS, VLAN with VLAN Pool, Bandwidth Control, Multicast Filter, IGMP Snooping/Multicast Enhancement

AP SecurityOpen, WEP, 802.1x with Dynamic WEP, WPA-PSK/RADIUS, WPA2-PSK/RADIUS

Complete VPN SolutionPepVPN, Site-to-Site VPN, 256-bit AES Encryption, Pre-shared Key Authentication, Dynamic Routing


Peplink 31

Captive Portal

Device ManagementWeb Administrative Interface, InControl Cloud Management, Peplink Balance WLAN Controller, SNMP v1, v2c and v3

Pepwave AP One access points offer fast, affordable, and dependable wirelessnetworking without administration headaches. Ready for anything and built to goanywhere, AP One access points deliver enterprise-grade Wi-Fi that drops inquickly and immediately gets to work -- so you can get back to your work.

Minimize Wi-Fi management hassles with the AP One series and the PeplinkBalance with WLAN Controller. Fully integrated with the Peplink Balance, ourWLAN Controller makes it easy to configure, manage, update, and report on upto 500 AP One devices from a single intuitive interface. Prefer the flexibility ofcloud-based administration? Our InControl remote management system givesyou complete control over every device on your network and in-depth reportingwith just a few clicks, all from a simple, yet powerful, web-based tool that’savailable anywhere you have online access and a supported browser.


Peplink 32

Here are four different deployment scenarios for the AP One wireless solution.

Professional Hotspots – coupled with Balance WLAN Controller (or InControlcloud management) feature, the AP One and AP One X can be deployedeffectively as a professional hotspot solution. No expensive controllers required.

Wireless Mobility – Pepwave wireless solutions make wireless application inhigh speed environments a budget friendly reality.

Service Provider Wi-Fi – the AP One can help you deploy a carrier gradewireless solution, install many for citywide Wi-Fi CPEs. The range of thesedevices leads the industry.

Industrial Networking – AP One series allow the IP devices stay connectedwirelessly over long distances. It provides reliable wireless for data devices.


Peplink 33

Highlights of Flex AP Features• World’s First AP with Software Selectable, Embedded Directional and

Omni Antennas• Power up to two Devices from a Single Source• Central Management, Anytime, Anywhere• Reliability in Extreme Environments• Connect Worldwide without External Modems


Peplink 34

Flex AP –Operating Mode and Antenna• Flex AP can operate in Routing or Bridge mode• Flex AP built-in with 2x2 MIMO 802.11n, switchable omni- or uni-directional

WiFi antenna• For 3G and Dual 3G, it comes with a cellular antenna, as for LTE models,

2 antennas needed to operate• It can operate up to 4 antennas simultaneously on the Dual 3G model, to allow

maximum signal coverage and bandwidth


35

The Pepwave Surf SOHO is a professional-grade Wi-Fi router designed for homeoffice, small business, and power users. With its support for 4G LTE/3G, cable,DSL, and other broadband connections, the Surf SOHO makes it possible todeploy fast and secure 802.11abgn Wi-Fi hotspots anywhere.

The Surf SOHO also features built-in a long-range antenna, optional externalantennas, business-class VPN, cellular usage monitoring, and URL blocking. Thismakes it an ideal networking solution for a wide range of mobile and office uses.


Peplink 36

Unlimited Wi-Fi. Anytime, Anywhere Connectivity for Every Device.Pepwave Surf combines enterprise-level performance and features with outstandingdurability and versatility. The Surf Pro, our carrier-grade outdoor client solution, isruggedized and features a high-gain, extended-range antenna, making it ideal for videosurveillance, traffic signal control, meter reading, and other outdoor applications.

For indoor wired/wireless connectivity, there's our Surf On-The-Go, the ultimate travelrouter. The Surf On-The-Go's Wi-Fi radio lets you connect an unlimited number ofwireless devices at once. Built-in Ethernet port ensures that no printer, scanner, or otherwired device gets left behind, and multiple connection profiles make device managementa snap.

4 Operating Modes• 4G/3G USB Wi-Fi Router• Cable / DSL / Ethernet Wi-Fi Router• Wi-Fi Repeater• Wi-Fi Adapter for Wired Devices

3 WAN Modes• WiFi WAN• USB Cellular WAN• Wired WAN


Peplink 37

True Enterprise AP. Powerful, Affordable, Elegantly Simple.Pepwave AP One access points sets up quickly and deliver fast, affordable, and reliableenterprise networking without administration headaches. TruePower RF Technologyeliminates dead spots and provides wider signal coverage with less equipment andmaintenance. Secure Captive Portals reinforce your brand and ensure the best possibleonline experience for employees and visitors alike.

Management is easy, too: just add a Peplink Balance router and use the Balance'sintegrated WLAN Controller to manage up to 500 indoor (AP One/AP One 300M) andoutdoor (AP One X) access points from a single intuitive interface. With this powerfulcombo, you get instant access to all devices across your headquarters, district offices,and branches.

Industrial-Grade Reliability. Unmatched Peace-of-Mind.No matter what your industry, Pepwave offers a durable, rock-solid networking solutionto help you get the job done. Ruggedized and certified for harsh environments, the MAXseries handles temperatures of -40 to 65°C and resists shock and vibration on factoryfloors, remote job sites, and anywhere you need tough, ready-for-anything connectivity.

Add the compact and capable outdoor Flex AP to stay connected at all times with built-inhigh-gain Wi-Fi antenna, embedded 3G/4G LTE, and dual Ethernet ports. Stepping up tothe AP Pro, will offer enhanced signal coverage, extreme environment tolerance, andlightning/surge protection.


Peplink 38

Complete WAN, VPN and Wireless IntegrationThis deployment scenario illustrates how Peplink MAX routers, AP One and Flex AP work together to enable wired and wireless connectivity in reliable and cost effective way. Adding the Balance will also provide robust and high bandwidth VPN connectivity to the wireless mobility devices. In addition, the AP One access point can be managed centrally either through the WLAN Controller built-into the Balance, or the InControl cloud management tool.

Router Utility - Peplink Mobile ApplicationThe RU (Router Utility) helps to monitor and control all your Balance and MAX routers*from any iOS or Android device. It is ready when you are, wherever you are, the RouterUtility app gives you instant insight into device status, events, bandwidth usage, andmore. With full support for push notifications, you’ll know immediately whenever there’san important status change or performance issue, helping you to keep small glitchesfrom becoming major problems.

Keep Traffic Moving with Anywhere, Anytime Green Light Checks.Check the status of all your Balance and MAX routers with the Router Utility’s dashboardand traffic light indicators. With just a quick glance, you get the peace of mind of knowingthat your network’s healthy. And if there is a problem, it’s easy to drill down and inspectSpeedFusion VPN parameters, bandwidth statistics, CPU load, and more from any iOSor Android device.

Monitor and Control from the Palm of Your Hand.Check Device Status - Monitor WAN Status, External IP Addresses, and SpeedFusionVPN Links.Inspect Event Logs - Keep an eye on router event logs using any iOS or Androiddevice.View Bandwidth Statistics - Get up-to-the minute insight on bandwidth usage andthroughput across your WAN.

Maximum Mobile Control at Your Fingertips.Our Router Utility gives you new ways to monitor and control your MAX mobile routeranywhere you can use your device.See How You’re Connected - Just check the Router Utility’s dashboard on your deviceto instantly see which SIM and cellular provider your MAX mobile router is using.Adjust Connection Priorities on the Fly - Simply tap and swipe to connect your MAX


Peplink 39

to a Wi-Fi hotspot or change 4G LTE/3G connection priorities.Automatic Cellular WAN Status and SpeedFusion Alerts - Keep tabs on cellular WANand SpeedFusion status with push notifications on your iOS or Android device.

This module will examine different real life deployment scenarios, anddescribe how to configure the routers to achieve the desired result.


Peplink 40

Course Agenda

Module 3: Peplink Balance and MAX Routers ConfigurationsStudy how Balance and MAX routers implement into the various deployment scenario, and explain the steps to configure these routers.


Peplink 41

Physical hardware layout and control panel for Balance high-end model.

Below show some of the frequently used functions in Control Panel Navigation(base on Balance 380 model):HA State: Master/Slave> LAN IP> VIP

System Status> System-> Firmware ver. (shows firmware version)-> Serial number (shows serial number)-> CPU load (shows current CPU loading, 0-100%)-> LAN---> Status (shows LAN port physical status)---> IP address (shows LAN IP address)---> Subnet mask (shows LAN subnet mask)> Link status (shows Connected/Disconnected, IP address list)-> WAN1-> WAN2-> WAN3> Link usage-> Throughput in (shows transfer rate in Kbps)--->WAN1--->WAN2--->WAN3


Peplink 42

-> Throughput out (shows transfer rate in Kbps)---> WAN1---> WAN2---> WAN3

Maintenance> Reboot > Reboot? (Yes/No) (to reboot the unit)> Reset Admin Password? (Yes/No) > Factory default > Factory default? (Yes/No) (to restore factory defaults)> Remote Assistance

NOTE:For model below 310, there is no feature to reset admin password through the Control Panel, it only available for models from 310 and above.

Out of the box, Peplink Balance come with below default settings:• IP: 192.168.1.1/24• Username: admin• Password: admin• LAN DHCP: Enabled• DHCP IP Range: 192.168.1.10 – 192.168.1.250

In diagram above, the switch is optional for console into Peplink Balance. You can plug the UTP cable directly from PC/Notebook into Balance LAN port for the same purpose.


Peplink 43

After entering the parameters correctly, you will be able to login to the Wed Admin page.

The Dashboard provides an overview of the condition on several key parameters:• WAN interfaces connectivity status• LAN interface connectivity status• System Uptime• System CPU Load, in %• Device Throughput, in Mbps


Peplink 44

In Status page, there are a few items to take note of:• Router Name• Model• Hardware Revision• Serial Number• Firmware

Diagnostic Report Download• You can download a copy of the diagnostic report for your reference on the status page

Bandwidth Statistic DisplayIn status page, you can view the following information:• Bandwidth usage on who consumed the most traffic• Top user running most number of sessions• Which user is running active Bittorrent traffic• Who is currently consuming most bandwidth on individual WAN.


Peplink 45

Understanding Peplink Site-to-Site VPNThe proprietary Site-to-Site VPN of Peplink Balance (a.k.a VPN Bonding), is specificallydesigned for a multi-WAN environment. The Peplink Balance can aggregate thebandwidth of all WAN connections available for routing VPN traffic. Unless all the WANconnections of one site are down, the Peplink Balance can still keep the VPN up andrunning.

- Peplink Site-to-Site VPN encrypts traffic with the military-grade 256-bit AES algorithm.- Site-to-Site VPN is available with the Peplink Balance 210, 310, 380, 580, 710, and1350.- The Peplink Balance 380/580/710/1350 supports multiple Site-to-Site VPN connectionsamong twenty or more locations, is designed for Headquarters/Regional Offices.- The Peplink Balance 210/310 supports two Site-to-Site VPN connections; ideal forBranch Offices.- Site-to-Site VPN connections can be established for all Dynamic IP/Static IP scenarios.Please refer to the Requirement section for more information.

Being able to establish multiple VPN connections provides variety and flexibility indeploying your network. You may choose to create a network ina Mesh or Star topology, or you may even combine the two setups to create a morecomplex network.


Peplink 46

System Requirement for Site-to-Site VPN ConfigurationWhen configuring a VPN connection, there are two aspects to consider:• Whether the WAN connection has a Dynamic IP or Static IP.• Whether the Peplink Balance unit has Public IP or is behind NAT.

This creates four WAN possible types you use to establish the VPN connection. PeplinkBalance supports all four types. However, to establish VPN connection using a DynamicIP WAN connections, you have to configure at least one Dynamic DNS.• WAN has Dynamic IP with Peplink Balance has Public IP.• WAN has Static IP with Peplink Balance has Public IP.• WAN has Dynamic IP with Peplink Balance is behind NAT.• WAN has Static IP with Peplink Balance is behind NAT.

The table above illustrates the system requirement for configuring Peplink Site-to-SiteVPN connection.

For users who have placed a firewall in front of the Balance:In Firmware 5.1.x, Peplink proprietary Site-to-Site VPN used TCP port 32015, IPProtocol 47 and IP Protocol 99 for establishing VPN connections. if you have a firewall infront of the Peplink Balance devices, you will need to add firewall rules for these portsand protocols. This will allow inbound and outbound traffic pass-through the firewall.

Another point to note, if both sides of the SpeedFusion VPN having the same LANsubnet, it will prevent the SpeedFusion tunnel to establish, just like any other 3rd partyVPN technologies.


Peplink 47

SpeedFusion Configuration GuidelinesWhen configuring SpeedFusion VPN connection, there are few items to be aware:• LAN Subnet – Avoid having same LAN subnet on either end of the SpeedFusion

tunnel, this will prevent the tunnel from establish a successful connection. Try tochange either side of the LAN subnet to different IP Addresses. You can alsoconsider putting a NAT device can be considered as well.

• WAN Connection Priority - You can specify the priority of the WAN connections tobe used in making VPN bonding connections. A Wan connection will never be usedwhen OFF is selected. Only available WAN connections with the highest priority willbe utilized. Grouping WAN with similar characteristics like latency, packet loss tosame priority can help bonding performance.

• SpeedFusion Bonding Efficiency – To establish an reliable SpeedFusion BondingVPN, there are few parameters need to be considered, eg. good cellular signalstrength, low latency WAN, low packet loss, and buffer bloat in ISP will help to buildan effective bonding VPN tunnel.

• Cellular Bandwidth Availability – It is always good to subscribe to two differentISP/carriers when you want to establish SpeedFusion 3G/4G Bonding with MAXrouter. Take for example, when all modems connect to same cell (RF tower), totalbandwidth is limited by the cell tower backhaul's bandwidth. If the modems connect todifferent cells (RF tower) from different carriers, theoretically this can provide you thedouble bandwidth as compare to one ISP.


Peplink 48

With our new three-tier structure, it’s never been easier to migrate toSpeedFusion. Once you use it, you will see why customers around theworld have replaced IPsec and other conventional VPN technologies.

Note:1 With other VPN technologies, WAN failover terminates existing VPN connections, creating costly downtime. SpeedFusion Hot Failover is completely automatic and invisible, so you won’t miss a beat when switching between connections.


Peplink 49

Possibly the World’s Easiest VPN.PepVPN is our core VPN engine. It is ideal for establishing a secure tunnelover any WAN link. On top of all the benefits of IPsec and otherconventional VPN technologies, the PepVPN engine also offers:

Long-distance Ethernet cable − With PepVPN, you can build secure andseamless Ethernet tunnel over any IP connection (Layer 2 over Layer 3). Itvirtually provides a long-distance Ethernet cable over any WAN link.

Seamless transition − PepVPN and SpeedFusion share the same coreVPN engine. It means all your PepVPN and SpeedFusion devices will workflawlessly together. It also allows you easily upgrade a PepVPN endpointto SpeedFusion, taking advantage of the added benefits without having toworry about compatibility.

Works in any dynamic IP environment − PepVPN is fully compatiblewith any dynamic IP environment and NAT, allowing you to establish aVPN behind a NAT gateway or firewall without worrying about static IPaddresses.

Requirement:The portrayed scenario shows a typical remote-to-HQ VPN connection, where


Peplink 50

SpeedFusion PepVPN allows site-to-site VPN connections with auto-failover capability.WiFi WAN is primary link for the VPN, when WiFi WAN down, WAN 5 (Wired WAN) willtake-over the VPN connection automatically. Users are transparent to this changes.

To create a SpeedFusion VPN tunnel, follow the steps below:

1) Go To Network > SpeedFusion, a SpeedFusion window appear to ask for Local ID, if this is the first time creating SpeedFusion VPN.

2) Enter a Local ID, the remote VPN peer will use this ID to identify this unit during VPN establishment.

3) Click Save button, then will click on the New Profile button to proceed.

Above steps apply to both remote and HQ Balance router configurations.


Peplink 51

Above shown the VPN profiles at both HQ and Remote sites.

HQ VPN Profile1) At the VPN Profile window, enter a meaningful word for the Name, this name should

be same for both sides, eg. MY-MOTG.2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite side.3) At the WAN Connection Priority window, choose the WAN links that should be

included in the SpeedFusion VPN tunnel, in this case WAN 1 & 2 are bond together.4) Save and apply the changes.

Remote Site VPN Profile1) At the VPN Profile window, enter a meaningful word for the Name, this name should

be same for both sides, eg. MY-MOTG.2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite side.3) For remote site, you need to enter at least one Public IP (or DNS/DDNS) of the HQ

router WAN link, if HQ has multiple WAN links with static Public IP, you can key in allthe IPs.

4) Choose the WAN links that should be include in the PepVPN tunnel. Since this isPepVPN, so it only support normal failover. WiFi WAN will set to Priority 1, whileWAN 5 is Priority 2.

5) Save and apply the changes.

Note:It is important to ensure the Remote ID correctly (either by router ID or Serial Number),otherwise the SpeedFusion tunnel will not able established. If you see the errormessage(s) similar to “"Refused connection made from unknown peer (foobar)" or"Refused connection made from unknown peer (XXXX-1234-ABCD)“, which indicatewrong ID/Serial No. entered at any/both routers.


Peplink 52

If the Encryption is accidentally turn-off in one of the router, the VPN tunnel will still beencrypted in both directions, as the other router will trigger to turn on the encryption onboth end.

Once the VPN profile has been created on both sides, and if the WAN links areup, the routers will automatically initiate the VPN connection. If all the parametersare correct, it will take only few minutes.

As shown in the screenshots, at the Dashboard page, the status of the VPNconnection will change to “Established”, indicating a successful VPN connection.


Peplink 53

To verify which links are participating in the VPN connection, you can click on theStatus button in the SpeedFusion or PepVPN section as shown in the screencapture.

It also lists the network(s) learned from other sides, via the built-in routingprotocol. HQ will see the 192.168.0.0/24 network from Remote router, andRemote will learn 10.0.0.0/8 network from the HQ side.

In our screencaps, the HQ side router is using WAN 1 for the VPN connection, while the remote site is using WiFi WAN as VPN link.


Peplink 54

To ensure the end-to-end connectivity is up, a PING test to the other side host(LAN IP) should receive a response as shown above.

Ping Test:1) HQ side ping to Remote LAN IP: 192.168.0.11

• Passed or Failed

2) Remote side ping to HQ LAN IP: 10.0.0.10• Passed or Failed


Peplink 55

With PepVPN, the failover process is carried out automatically.

Failover Test:1) Unplug WAN 1 at HQ, and/or2) Disconnect the WiFi WAN at Remote3) Observe the changes to the routers

Failover Test Result:1) HQ side WAN 2 will take over, maintaining the VPN connectivity2) Remote site WAN 5 will resume the VPN link

Ping Test:1) Remote side ping to HQ LAN IP: 10.0.0.10



Peplink 56

SpeedFusion Hot Failover − Unbreakable VoIP and VPN.SpeedFusion Hot Failover is a premium add-on that manages multiple redundantconnections to keep VPNs and VoIP deployments up and running at all times.

Easy setup − Just add connections, you can even mix wired and wireless links ofdifferent WAN technologies.

Unbreakable VoIP and VPN − With other VPN technologies, WAN failoverterminates existing VPN connections, creating costly downtime. SpeedFusion HotFailover prevents this by maintaining secure tunnels over all available WAN links.In case of a WAN failure, SpeedFusion Hot Failover will instantly and seamlesslyswitch traffic to another available tunnel. This provides unbreakable VPNs andVoIP sessions.

Requirement:A customer with branch-to-HQ connections often run delay sensitive applications likeVoIP, so it needs a fast failover VPN connectivity to ensure the VoIP session notinterrupted if any of the WAN links break. The following set-up will fulfill this requirement:

- A MAX BR1 installed at branch level with Wired and WiFi WAN,- A Balance 380 deployed in HQ with 2 wired WAN (eg. Metro-e) with static Public IPassigned at each WAN link.


Peplink 57

The user interface is same across the MAX router series. Assuming we are takingthe same HQ setup in previous example, the VPN profile creation process is thesame except the name changed to MY-MaxBR1. Here are the steps to creating aVPN profile on the MAX BR1.

At the MAX BR1 router, go to Advanced > SpeedFusion to create the VPNprofile.

VPN Profile1) At the VPN Profile window, enter a meaningful word for the Name, this name

should be same for both sides, eg. MY-MaxBR1.2) For the Remote ID, enter the SpeedFusion ID of the Balance at the

opposite side.3) For remote site, need to enter at least one Public IP (or DNS/DDNS) of the

HQ router WAN link, if HQ has multiple WAN links with static Public IP, youcan key in all the IPs.

4) The MAX BR1 WAN link supports Hot-Failover, so the SpeedFusion VPN willfollow the state of the WAN link in order to maintain the VPN link, (eg. if WAN1 active and WAN 2 standby, the SpeedFusion VPN will use WAN 1 asprimary link to forward VPN traffic, while keep WAN 2 in hot standby mode).



Peplink 58

Once the VPN profile is created on both sides, and if the WAN links are up, therouters will start negotiating the VPN connection. If all the parameters correct, theVPN will come up in minutes.

As shown in the screenshots, on the Dashboard page, the status of the VPNconnection will change to “Established”, indicating a successful VPN connection.

Failover Test:1) Before starting the test, at the Remote site, launch the command prompt window and

conduct a continuous ping to HQ LAN IP (10.0.0.10)2) Unplug WAN 1 at Remote (MAX BR1)3) Observe the changes at the routers

Failover Test Result:1) Remote site WiFi WAN will resume the VPN link2) Any timeout during failover? Yes or No




Peplink 59

The SpeedFusion Hot Failover recovery process should have no timeout.

Recovery Test:1) Before starting the test, at the Remote site, launch the command prompt window and

conduct a continuous ping to HQ LAN IP (10.0.0.10)2) Plug back the WAN 1 at Remote (MAX BR1)3) Observe the changes at the routers

Recovery Test Result:1) WAN 1 will resume the VPN link2) Any timeout during failover? Yes or No




Peplink 60

To monitor the SpeedFusion Hot-Failover and recovery process, you can view the SpeedFusion Status window.

1) Go to DashBoard, click on Status button at SpeedFusion section2) Click on the blue triangle beside the MY-MaxBR1 to expand the statistic3) Monitor the changes on the WAN status during the failover and fallback


Peplink 61

SpeedFusion Bonding − Packet-Level Bandwidth Bonding.Working hand-in-hand with Hot Failover and PepVPN, SpeedFusion Bondingteams up all your connections to give you blazing throughput whenever you needit.

Multi-provider bandwidth bonding − SpeedFusion Bonding combines multiplelinks from multiple providers into a single, superfast tunnel.

Automatic Hot Failover handoff − SpeedFusion Bonding monitors connectionsand automatically turns control over to Hot Failover when links become unstable.

Easy, on-demand scalability − Need more speed for mission-critical VPNs?How about temporary bandwidth for a specific project? With SpeedFusionBonding, you can plug in connections from any provider and get morebandwidth instantly. And you can unplug connections at any time, keeping yourconnectivity costs under control.

RequirementSpeedFusion VPN Bonding technology is particularly useful for customers with a highervolume of VPN traffic between sites. It assures that the VPN link is aggregated as biggerpipe, and same time provide the reliability.

In this example, we will install a Balance 310 at the branch level, while HQ maintainswith Balance 380. We also configure the Balance 310 to Drop-In mode, assuming thebranch has existing infrastructure setup.


Peplink 62

We take the same HQ setup in previous example, the VPN profile creation process is thesame except the name is changed to MYKL-VPN. Here are the steps to create VPNprofile in MAX BR1.

At the branch router (Balance 310), go to Network > SpeedFusion to create the VPNprofile.

VPN Profile1) At the VPN Profile window, enter a meaningful word for the Name, this name should

be same for both sides, eg. MYKL-VPN.2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite side.3) For remote site, need to enter at least one Public IP (or DNS/DDNS) of the HQ router

WAN link, if HQ has multiple WAN links with static Public IP, you can key in all thatIPs.

4) Balance 310 is capable of VPN Bonding, so choose the active WAN links from theWAN Connection Priority section to be bond by SpeedFusion VPN, this examplewill use WAN 1 & 2 to forward VPN traffic.



Peplink 63

Once VPN profiles have been created on both sides, and if the WAN linksare up, the routers will start negotiating the VPN connection. If all theparameters are correct, the VPN be online in a minutes time.

As shown in the screenshots, at the Dashboard page, the status of theVPN connection will change to “Established”, indicating a successful VPNconnection.

Failover Test:1) Before starting the test, at the Remote site, launch the command prompt window and

conduct a continuous ping to HQ LAN IP (10.0.0.10)2) Unplug WAN 2 at Remote router (Balance 310)3) Observe the changes at the routers

Failover Test Result:1) Any timeout during failover? Yes or No




Peplink 64

To monitor the SpeedFusion Hot-Failover and recovery process, you can view the SpeedFusion Status window.

1) Go to DashBoard, click on Status tab at the top, and the SpeedFusion tab on the side

2) Click on the blue triangle beside “MYKL-VPN” (or the name of your VPN) to expand the statistic

3) Monitor the changes on the WAN status during the failover and fallback

SpeedFusion Hot Failover recovery process should have no timeouts.

Recovery Test:1) Before sttest start, at the Remote site, launch the command prompt window and

conduct a continuous ping to HQ LAN IP (10.0.0.10)2) Plug back the WAN 2 at Remote router (Balance 310)3) Observe the changes at the routers

Recovery Test Result:1) WAN 1 resume the VPN link2) Any timeout during failover? Yes or No



Peplink 65


Ethernet-easy WANUnlike traditional WAN technologies, PepVPN works with any IPconnection, sets up in minutes, and requires almost no maintenance. Itconnects sites, regardless of the distance, with a lightning-quick 256-bitAES-encrypted tunnel. It is 100% compatible with all yourPeplink/Pepwave devices.

PepVPN is so fast and easy to use, it’s like having everyone on the sameLAN, connected by Ethernet cables. PepVPN eliminates the 100-meterlimitation. In fact, it eliminates any distance limitations, so go ahead and dobusiness anywhere you please – across town, throughout the country,around the globe.

RequirementMany companies need to mobilize a team at the project while keeping the teamconnected to the company network. However, some systems in their company don’twork well in a routed environment or a VPN (eg. NetBIOS, Mainframe base application,and even Vmware SRM). In these situations, the solution is to extend the office networkto the project site using SpeedFusion Long Distance Ethernet VPN solution.In this scenario, they are deploying a Balance 380 at HQ, and a MAX On-The-Go (MOTG) at the remote site. The HQ’s LAN IP (192.168.125.0/24) will be extend to remote site, with DHCP enabled to assign IP to remote hosts.


Peplink 66

Extending the HQ LAN to the remote site can be done using the SpeedFusion L2 approach. These screencaps show the VPN profiles at both HQ and Remote sites.

HQ VPN Profile1) At the VPN Profile window, enter a meaningful word for the Name, this name should

be same for both sides, eg. SF-L2.2) To enable Layer 2, first click on the “?” at the top-right of the SpeedFusion Profile

window and click on the link to unhide the Layer 2 Bridging feature.3) Tick the checkbox for Layer 2 Bridging, select the Bridge Port to LAN (default

setting).4) Since the HQ serves as the DHCP server end, tick on the checkbox of Preserve

LAN Settings Upon Connected.5) Save and apply the changes.

Remote VPN Profile1) At the VPN Profile window, enter a meaningful word for the Name, this name should

be same for both sides, eg. SF-L2.2) To enable Layer 2, first click on the “?” at the top-right of the SpeedFusion Profile

window and click on the link to unhide the Layer 2 Bridging feature.3) Tick the checkbox of Layer 2 Bridging, select the Bridge Port to LAN (default

setting).4) As remote site to follow HQ DHCP assignment, leave the checkbox of Preserve

LAN Settings Upon Connected unchecked, a warning message will display toremind that this site (Remote) LAN will follow HQ LAN IP assignment.


Peplink 67

5) In order to manage this router (MOTG), you need to manually assign an unused HQLAN IP to this router. Once SpeedFusion is connected, you will be accessing thisrouter via this new IP (192.168.125.5).


Once both sides VPN profile created, and if the WAN links are up, therouters will start negotiating the VPN connection. If all the parameterscorrect, the VPN will come up in a minutes time. The description on theSpeedFusion will change, with the added wording “Layer 2” besideSpeedFusion. At the remote router, a warning message display at thebottom of the Device Information section.


Peplink 68

To verify the SpeedFusion tunnel, you can view the SpeedFusion Status window.

1) Go to DashBoard, click on Status button at SpeedFusion section2) Click on the blue triangle beside the SF-L2 to expand the statistic3) Notice that the Remote router IP is 192.168.125.5, as assigned in the

VPN profile

Remote Host Verification:1) Open command prompt of the remote site notebook, check the ip with ipconfig, you

will notice the host grabbed 192.168.125.11 from HQ DHCP server.




Peplink 69

SpeedFusion 3G/4G BondingAs more business takes place outside the office, telecom providers haveresponded by boosting the speed and reliability of their 3G networks. Inaddition, they are rolling out innovations like 4G, LTE, and WiMax in anincreasing number of markets.

However, no matter how quickly cellular data bandwidth and qualityimprove, mobile business always to demand more. From live videostreaming and conferencing to ever-larger file transfers and real-timecollaboration, today’s mobile applications strain even the latest andgreatest cellular technology to its limits. The result is fluctuating dataquality, unpredictable data rates, and widespread frustration, in addition tocostly overage charges

RequirementIn our previous case, the remote site area doesn’t have any WiFi or Wired Internetfacility. So, the project team needs to use Cellular WAN to establish a VPN back to theoffice. We can combine both 3G cellular lines into SpeedFusion Bonded VPN to allowgreater throughput and reliability. The remote site LAN IP is 192.168.0.0/24, and the HQLAN IP is 192.168.125.0/24.


Peplink 70

Assuming the HQ router has created the SpeedFusion profile named SF-L2, a normalLayer 3 bonded VPN. Here are steps to creating a VPN profile in MAX OTG.

At the branch router (Balance 310), go to Advanced > SpeedFusion to create the VPNprofile.

VPN Profile1) At the VPN Profile window, enter a meaningful word for the Name, this name should

be same for both sides, eg. SF-L2.2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite side.3) At the remote site, enter at least one Public IP (or DNS/DDNS) of the HQ router

WAN link, if HQ has multiple WAN links with static Public IP, you can key in all theIPs.

4) MAX OTG is capable of VPN Bonding, so choose the active WAN links from theWAN Connection Priority section to be bonded by SpeedFusion VPN, thisexample will use WAN 1 & 2 to forward VPN traffic.



Peplink 71

Once VPN profiles have been created on both sides, and if the WAN linksare up, the routers will start negotiating the VPN connection. If all theparameters correct, the VPN will come up in a minutes time.

As shown in the screenshots, the Dashboard shows the status of the VPN connection changing to “Established”, indicating that the VPN connection process is successful. Also notice that both WAN 1 & 2 are up and connected to the Internet.


Peplink 72

To further verify the SpeedFusion tunnel, you can view the SpeedFusionStatus window.

1) Go to DashBoard, click on the Status button at the SpeedFusionsection

2) Click on the blue triangle beside the SF-L2 to expand the statistic3) Notice that both WAN 1 & 2 are connected to the SpeedFusion VPN,

and forwarding the traffic via the VPN tunnel

Load Sharing Test via multiple Ping commands:1) Remote side launch at least 2 ping command to HQ LAN IP: 192.168.125.1

• Passed or Failed• WAN 1 & 2 links Receive (RX) and Transmit (TX) counters increase? Yes or

No• Refer to next page for the traffic statistics


Peplink 73

Realtime graph to show the traffic passing thru the SpeedFusion Bonded VPN tunnel. Inthe event if the uplink direction experiencing link interruption, the SpeedFusion graph willindicate packet loss.


Peplink 74

Using SpeedFusion Behind a FirewallIf a Peplink Balance is placed behind a firewall, simply define firewall rules and inboundport forwarding policy in order to allow VPN traffic to pass through it.By default, SpeedFusion uses TCP port 32015 and UDP port 4500 for establishing VPNconnections and transmitting data. However, you can change the Data Port assignmentin your SpeedFusion profile to another value.


Peplink 75

SpeedFusion bonded VPN requires all transmitted data to beencapsulated in a special UDP stream. This stream contains additionalpacket headers with all the information needed to reconstruct the originaldata stream in the correct order at the remote location.

SpeedFusion adds an additional 80 bytes of data to each packet sentover a SpeedFusion connection, no matter what size the original datapacket is. This compares well to the 58 bytes of overhead required byIPsec, especially considering that SpeedFusion provides advancedrouting, load balancing, and 256 bit AES encryption within the tunnel.

As the chart on the left shows, when a SpeedFusion VPN tunnel is used totransmit IMIX data (4084 bytes), an additional 960 bytes of SpeedFusionoverhead is required.The SpeedFusion overhead is 19% of the total transmitted data (IMIX +overhead). Since it uses a fixed number of bytes per packet transmitted (anadditional 80 bytes), SpeedFusion is much more efficient when transmitting largerpacket sizes.


Peplink 76

Accounting for SpeedFusion bandwidth overhead and assuming that thetraffic passing across the links is similar to the previously mentioned IMIXstandard, we can calculate available real-world bandwidth at the remotesite:

Download: 10Mb + 10Mb = 20Mbps - 19% = 16.2MbpsUpload : 2Mb + 2Mb = 4Mbps - 19% = 3.24Mbps

It is important to explain SpeedFusion bandwidth overhead to your endusers so that they understand why they will not get full 20Mbps/4Mbpsbandwidth when using VPN bonding.

Remember, while conventional VPN technology such as IPsec has anoverhead of 14.6%. SpeedFusion provides bandwidth aggregation &WAN resilience for only an additional 4% overhead.

SpeedFusion Isn’t Just about Bandwidth AggregationThe big benefit of SpeedFusion is VPN reliability and the highly availability connection itprovides (with packet level fail-over).Customers can take advantage of this reliability and use a pair (or more) of low-cost DSLcircuits to achieve higher reliability and throughput than comparable private circuits –often at up to 80% less cost.


Peplink 77

We always recommend the use of WAN links with similar bandwidthprofiles from different ISPs to allow for the best possible SpeedFusionthroughput.

Using at least two different ISPs offers the benefit of provider diversity,which means less chance of a technical (or even accounting/billing) errorcausing a network outage. Provider diversity also lessens the impact ofbandwidth sharing, a common problem when using multiple circuits from asingle provider.

Download : 20 + 20 = 40 - 19% = 32.4MbpsUpload : 4 + 4 = 8 - 19% = 6.48Mbps

The above configuration example uses two DSL circuits from two differentISPs, each circuit having a similar bandwidth profile, as the best use casefor fixed line SpeedFusion bonding.


Peplink 78

The Effect of WAN Link Characteristics on SpeedFusion VPN ConnectionsAnother important factor to consider is the quality of the WAN links connectingSpeedFusion enabled devices. Let's consider some of the typical drivers for usingSpeedFusion in the first place:

1) Internet Connection Bandwidth Availability – SpeedFusion is often deployed bycustomers who are limited to slow DSL or cellular connections at a given location.Typically, these customers want to combine these slow links to create a fasteraggregate connections between locations.

2) Internet Connection Reliability – We often see poor physical line quality atcustomer locations, particularly DSL using old copper (and sometimes even lead)cable over a long run from the nearest exchange or POP. These connections areinherently unreliable and can sometimes be affected by rain ingress into the physicalcircuits, as well as temperature changes. We also see customers who have nophysical lines and want to use cellular connectivity. Naturally, the quality, bandwidthavailability, and reliability of cellular connections vary depending on location.

3) Flexibility – One of the benefits of SpeedFusion is that it is connection agnostic, sowe often see customers who want to use it to bond WAN links of different technologytypes, such as 3G/4G, VSAT, DSL, and leased lines. Obviously, the characteristicsof these connections are very different (VSAT has high latency, cellular connectionshave variable latency/bandwidth depending on their location/signal strength, etc.).


Peplink 79

4) ISP Diversity – This is a big driver for customers who want to make sure that even ifan ISP has a service issue, they can still connect using a WAN link from another ISP.The same DSL product from different ISPs can have quite different characteristics,with everything from variable contention, latency, and bandwidth availability beingfactors.

The Effect of WAN Link Characteristics on SpeedFusion VPN Connections, ContinuedThe two main WAN link characteristics that are important are;

Packet LossWhen the SpeedFusion engine detects excessive packet loss on a WAN link, the link willfail its health test and will not be used by SpeedFusion as an active link until it passes asubsequent health test.

LatencyWhen latency characteristics are the same across connected WAN links, it has very littleeffect on SpeedFusion bandwidth throughput. However, when the latency of WAN linksvary considerably, bandwidth throughput will be affected.

Example 1. If WAN1: 100ms, WAN2: 400ms, the resulting latency of SpeedFusionbonded link will be 400ms, which follow the higher WAN.Example 2. Or, if packets travel multiple SpeedFusion hops (site A-> site B-> site C),with 100ms per link between 2 sites, then total latency will be 200ms from site A to site C(via site B).

Any variation of these characteristics have an effect on the amount of WAN linkbandwidth that is available for use by SpeedFusion.

Packet Loss in high latency environmentsIn the example above, there is a 3G connection which is highly susceptible to packetloss. Because the latency across the SpeedFusion link is equalized to the link with thehighest latency (800ms), SpeedFusion will take longer to spot the packet loss (800ms+).


Peplink 80

In certain conditions, such as a combination of regular timed packet loss and high latencyon the above 3G link, the TCP protocol method of retransmitting lost packets can have adrastic effect on the available bandwidth over the VPN. This is another reason why werecommend that, whenever possible, high latency links be used for failover and not as anactive SpeedFusion WAN link.Recommended latency difference = Less than 150ms

Note: Using UDP traffic over SpeedFusion can provide higher throughput than TCPwhich has restrictive flow control.

External Factors that Affect WAN Link QualityWhatever WAN connections you are using, it is always a good idea to test eachindividually and repeatedly to discover its maximum throughput in both directions.Remember, bandwidth availability can vary throughout theday, especially if using cellular or fixed lines with variable contention.

Cellular and Satellite Bandwidth AvailabilityThe amount of bandwidth available on a 3G/4G or satellite data connection is dependenton a number of factors:

• Signal Strength – Determined by the distance to the nearest cellular tower (orvisibility of the satellite) and the subsequent signal quality received.

• Backhaul Bandwidth Availability – From the cellular tower to the ISP's core networkor from the satellite ground station to the ISP's core network.

• Device Contention – At the tower or satellite you are connected to (determined bythe number of active subscribers on a tower or satellite at any given moment).

Fixed Line ContentionMost internet connections are provided as a contended service. This means thatalthough your provider has advised you will get up to 24Mbps broadband over DSL forexample, depending on how oversubscribed your DSL service is (literally how manypeople in your area are connected to the ISP’s service), the bandwidth that's actuallyavailable at any given moment could be considerably less.


Peplink 81

The Benefits of Using Multiple Verizon LTE Connections on Contended Cell TowersVerizon and other LTE providers use a process called windowing/time-slicing whenmultiple subscribers connect to their LTE services.

In the first example, the third user only gets 1/3 (33Mbps) of the available bandwidth(100Mbps) from the Cell Tower, but in second example, the third user with PepwaveMAX device (installed with 2 LTE data SIM), able to gets half (50Mbps) of the availablebandwidth from Cell Tower.

Multiple Cellular Connections Deliver a Larger Share of Available BandwidthAs the above diagrams show, adding an additional cellular connection does not alwaysmean a doubling of available bandwidth, especially if both connections are from thesame ISP.

However, an additional cellular connection can provide the end user with a larger shareof the available bandwidth at a tower.

So, if there is multiple LTE carriers available, it is always recommended to connect totwo different cellular providers to gain bigger bandwidth share of your LTE connections.


Peplink 82

Peplink Balance also support site-to-site IPSec VPN to 3rd peer device, eg. Cisco andJuniper, but Peplink always recommend to establish SpeedFusion VPN wheneverpossible, if both peers are Peplink routers.

Notes:• We advise you to only use IPSec Aggressive Mode when one of your device has a

dynamic IP address. You should choose Main Mode whenever possible becauseAggressive Mode is not as secure as Main Mode, although Aggressive Mode is a littlebit faster because of fewer packets exchange.

• With PFS turned on, when 2 IPSec gateways start a new Phase 2 SA negotiation,they will generate a new set of Phase 1 keys, so that if the security key wascompromised, the attackers will only be able to access the data protected by that key.After the new SA is negotiated, all data will be well protected and not affected by thepreviously compromised key.

• You can only select Force UDP Encapsulation if you have turned on NAT-Traversal.This option is useful when you do not want NAT-T to automatically detect a NATconnection, or if the remote peer failed to detect NAT. If enabled, it will force Balance /MAX to tell the remote peer that UDP encapsulation (Port 4500) is required (even youare connecting to internet directly without NAT).

• IPSec Tunnel will not be treat as WAN interface when configuring Outbound Policy

83

In a new setup environment, where customer subscribes 2 Internet links, andthey do not need a dedicated firewall, then the Balance model will be a goodchoice for providing Internet load balancing (outbound) while acting as thesecurity gateway (firewall)

Planning Your Network• A ISP #1 router/default gateway (210.10.10.1) connected to ISP #1.• A ISP #2 router/default gateway (20.2.2.1) connected to ISP #2.• Trusted LAN IP: 192.168.1.0/24• Peplink Balance WAN #1 IP: 210.10.10.2/24, WAN #2 IP: 22.2.2.2/24, LAN IP:

192.168.1.1/24• Peplink Balance Router Default Gateway IP: 210.10.10.1 for ISP #1, IP: 22.2.2.1 for

ISP #2• Internal host (PC/Notebook) accessing internet will be load balancing across 2

Internet links.


Peplink 84

Assumptions:1) Both ISPs are providing static Public IP ranges.2) All outgoing traffic will be load balance across both Internet links.

Part 1 – Interface Configuration steps:

1) Go to Network > Interfaces > WAN, click on WAN 1.

2) Choose Static IP from the Connection Method drop-down list.

3) If you need to implement QoS, then make sure the Upload Bandwidth and Download Bandwidth value follow the subscribed bandwidth.

4) Fill in the Static IP Settings area, with the ISP given details accordingly.

5) Go through steps 1 – 4 above for WAN 2 interface.

6) For LAN interface, if want to change to different IP range then the default (192.168.1.1/24), then go to Network > Interfaces > LAN.


Peplink 85

7) Fill in the IP address, subnet mask respectively.

8) DHCP service is enabled by default, change it if required, else can leave it as it is.

Part 2 – Configure Outbound Policy for load balance outgoing traffic:

1) Go to Network > Outbound Policy, click on Add Rule button, the Add a New Custom Rule window will appear.

2) Give a name for the Service Name, in this example is All-Traffic.

3) Choose Any for Source, Destination, and Protocol base on the assumption made above.

4) We have WAN 1 and WAN 2 active, so choose Weighted Balance from the Algorithm drop-down list. This will allow 50:50 load balance between WAN 1 and WAN 2.

5) For WAN 3 and Mobile Internet, either to leave it as it is, or drag the pointer to 0, as it will not affect the connectivity.

6) Click Save button to save the configuration.

7) At the Rules window, drag the newly created service All-Traffic to below theHTTPS_Persistence. This is to ensure the HTTPS _Persistence rule being processbefore All-Traffic, as the policy being processed from top to bottom.

8) Save to apply the changes.

Done, now the Balance router is performing outgoing Internet traffic load balancing


Peplink 86

between WAN 1 and WAN 2 in 50:50 ratio, and NAT the LAN IP to WAN 1 and WAN 2Public IP. You may proceed to configure the firewall rules if needed, else you can leave itwith the default policy.

Understanding Outbound Load Balancing Peplink's load balancing algorithms help you easily fine-tune how traffic is distributedacross connections. Each deployment has a unique setup, and Peplink's enterprisegrade load balancing features can fulfill all of your special requirements. Create yourown rule with the following algorithms and you can sit back and enjoy the highperformance routing that Peplink brings to you.

A flexible rule-based configuration design enables the fine-tuning of outbound traffic at aper-service level by allowing multiple rules to be configured. The following types ofOutbound Traffic Rules are available:• Weighted Balance• Persistence• Enforced• Priority• Overflow• Least Used• Lowest Latency

Outgoing Traffic Control via FirewallBesides Outbound Policy, A firewall is a mechanism that selectively filters data trafficbetween the WAN side (the Internet) and the LAN side of the network. It can protect thelocal network from potential hacker attacks, offensive Web sites, and/or otherinappropriate uses.The Outbound firewall policy supports the selective filtering of data traffic on LAN-to-WAN, from PPTP clients, and from SpeedFusion peers.


Peplink 87

Outbound Firewall Rules can Block the following traffic types- Traffic coming from LAN clients- Traffic coming from PPTP clients- Traffic coming from SpeedFusion peers

There are 3 types of Outbound policies can be defined:

1) High Application Compatibility• With the selection of this policy, outbound traffic from a source LAN device is

routed through the same WAN connection regardless of the destinationInternet IP address and protocol.

• This provides the highest application compatibility.

2) Normal Application Compatibility• With the selection of this policy, outbound traffic from a source LAN device to

the same destination Internet IP address will persistently be routed throughthe same WAN connection regardless of protocol.

• This provides high compatibility to most applications, and users still benefitfrom WAN link load balancing when multiple Internet servers are accessed.

3) Custom policy• With the selection of this policy, outbound traffic behavior can be managed by

defining custom rules.• Rules can be defined in a custom rule table. A default rule can be defined for

connections that cannot be matched with any one of the rules.

The default policy is Normal Application Compatibility.


Peplink Ltd. 88

"Default" custom outbound policy of Balance 580 is lowest latency, Balance sends tcptraceroute packets every 10 seconds to measure link latency. Change to any algorithmother lowest latency can stop the latency measurement packet and reduce link usage.Note:HTTP packet has larger footprint than Ping packet, so this change can reduce link usage.

Weighted Balance Assign more traffic to a faster link or less traffic to a connection with a bandwidth cap.Set a weight on the scale for each connection and outgoing traffic will be proportionallydistributed according to the specified ratio.

The amount of matching traffic that is distributed to a WAN connection is proportional tothe weight of WAN connection relative to the total weight. Use the sliders to change eachWAN’s weight.Example: With the following weight settings on a Peplink Balance 310:• WAN1: 10• WAN2: 10• WAN3: 5Total weight is 25 = (10 + 10 + 5)Matching traffic distributed to WAN1 is 40% = (10 / 25) x 100%Matching traffic distributed to WAN2 is 40% = (10 / 25) x 100%Matching traffic distributed to WAN3 is 20% = (5 / 25) x 100%

Note:If the LAN user is running multiple Internet session like Bittorrent or Download Manager,that user can utilize all available WAN's bandwidth at particular moment.

Persistence Eliminate session termination issue for HTTPS, E-banking, and other secure websites.Specify a traffic type and it will be routed through the same connection persistentlybased on its source and/or destination IP addresses. Traffic will keep routing on thesame connection until the session ends.

There are two Persistent Modes. One is by source and the other by destination. Thedefault Mode is By Source.

Enforced Restrict outbound traffic to a particular connection. Select a connection and the specifiedtraffic type will be routed through it at all times, whether the link is up or down. Forscenarios like accessing a server that only allows users from a specific IP.

Priority Route traffic to your preferred link as long as it's available. Arrange the connectionpriority order, and traffic will be routed through the healthy link that has the highestpriority in the list. Lower priority links will only be used if the current connection fails.

Overflow Prevent traffic flow from slowing down when the connection runs out of availablebandwidth. Drag and drop to arrange the connection overflow order and the highestpriority link will route traffic as long as it has not been congested. Once it saturates, thelower priority links will start routing traffic.

Least Used Help you choose the better connection with more free bandwidth. Traffic will be directedto the link with the most available bandwidth among the selected connections. Thisoption is useful for maximizing reliability and bandwidth utilization.

Lowest LatencyGive you the fastest response time when using applications like online gaming. Trafficwill be assigned to the link with the lowest latency time among the selected connections.Latency checking packets are issued periodically to a nearby router of each WANconnection to determine its latency value. The latency of a WAN is the packet round triptime of the WAN connection. Additional network usage may be incurred as a result.Lowest Latency will try TCP traceroute first. If no response from TCP traceroute, it willfallback to use ping

Note: The round trip time of a “6M down /640k up ”link can be higher than that of a “2Mdown /2M up” link. It is because the overall round trip time is lengthened by its slowerupload bandwidth despite of its higher downlink speed.Therefore this algorithm is good for two scenarios:• All WAN connections are symmetric; or• A latency sensitive application requires to be routed through the lowest latency WAN

regardless the WAN’s available bandwidth.

In addition to physical WAN interfaces, Peplink Balance allows you to redirect the designated traffic to VPN tunnel, eg. SpeedFusion VPN tunnel. For example, a customer with centralized Internet access can force all branch Internet traffic go thru the VPN tunnel back to HQ (and probably web content filtering/security assessment) before reaching Internet sites. Another example would be customer internal applications (email, CRM, etc) that should be redirect via a secured VPN tunnel to access servers in HQ, rather going through unsecure Internet.


Peplink Ltd. 94

Configuration Example - Restricting IPSec VPN Traffic to the WAN1LnkTo configure Peplink Balance to restrict IPSec VPN traffic to WAN1, add the followingper-service Enforced rules:

1) Rule to specify UDP Port 500 traffic:• Service Name: UDP500_on_WAN1• Source & Destination IP: Any• Protocol & Port: UDP 500• Algorithm: Enforced• Enforced Connection: WAN1

2) Rule to specify UDP Port 4500 traffic:• Service: UDP4500_on_WAN1• Source & Destination IP: Any• Protocol & Port: UDP 4500• Algorithm: Enforced• Enforced Connection: WAN1

With these rules enabled, Peplink Balance will route IPSec VPN traffic with NAT-T (thatrequire UDP ports 500 and 4500) to WAN1 regardless of its up/down status. In the eventthe WAN1 is down the specified traffic will simply be dropped rather than routed via theother WAN links.


Peplink 95

Drop-in Mode allows Peplink Balance to be deployed in a network withoutincurring any configuration changes to existing network devices. Itsimplifies the installation of a Balance to an existing network bytransparently and seamlessly working with routers and firewalls. Theprocess is done in 2 phases. In the 1st phase, you can transparently insertthe Balance into existing setup. In the 2nd phase, you will be able to addInternet links without modifying existing network equipment settings.

Phase 1 – Insert Peplink Balance into existing environmentSuppose you have a migration plan similar to the following environment.Currently, you have:• A router/default gateway (210.10.10.1) connected to ISP1.• A firewall (210.10.10.10) protecting your users on trusted LAN.

We will be installing the Peplink Balance transparently in between therouter and the firewall. Then we will add more ISP connections to thenetwork.

In this example, we assume:• Router (Default Gateway) IP: 210.10.10.1• Firewall IP: 210.10.10.10• Peplink Balance IP: 210.10.10.5 (for WAN 1 and LAN, bridge)• WAN1 Subnet Mask: 255.255.255.240


Peplink 96

First, start with setting up Drop-in Mode:1) Go to Network > Interfaces > LAN.2) Fill in the IP address, Subnet Mask as 210.10.10.5 and 255.255.255.240

respectively.3) Enable the Drop-In by click on the Enable box.4) Key in the Defauly Gateway as 210.10.10.1 (ISP router IP).5) Save and apply changes.

Then configure the DNS Servers for WAN 1:1) Go to Network > Interface > WAN, click on WAN 1.2) Fill in the DNS server IP(s). The DNS server information in the screenshot above is

used for example only.3) Save and apply changes.

Done.• You may now install the Peplink Balance to the production network.• Notice that some routers and firewalls may have problems updating their ARP tables.

Resetting these devices may be necessary.• You have just completed the Drop-in mode configuration of the Peplink Balance. You

should verify the network with single WAN before moving to the next step ofconnecting additional internet connections.


Peplink 97

Phase 2 - Connecting additional WANs to the BalanceTo install additional Internet connections:1) Go to Network > Interfaces > WAN2) Select a free WAN interface. For example, WAN 2 in this case.3) Enter information for this WAN connection.4) Save changes and activate the changes.

Your Balance should now aggregate and load balance across the twolinks. Please repeat Step 1 to 4 for more internet connections.


Peplink 98

How to set up Inbound Load Balance under Drop-in ModeOnce the Drop-in mode with multi-WAN links is successfully set up, we can proceed withInbound Load Balancing. This will allow the internal server(s) to be publicly accessible.

PrerequisiteThis task assumes that you already have a good understanding of Drop-in Mode. If not,please read the guide on Drop-in Mode before proceeding further.

ScenarioWe will use an example throughout this note. Suppose you currently have a networksimilar to the following:• Peplink Balance installed and connected to three ISPs, using Drop-in Mode• Static IP address ranges (subnets) from the ISPs• A firewall protecting your trusted LAN• Hosts and servers on the trusted LAN are using private IP addressesConceptually, we enable NAT on WAN2 and WAN3 to masquerade IP addresses of ISPA to achieve inbound load balancing.

In this example, we assume:• ISP A

• Network: 210.10.10.0/24• Router A (Default Gateway) IP: 210.10.10.1

• ISP B• Network: 22.2.2.0/24• Router B (Default Gateway) IP: 22.2.2.1

• ISP C• Network: 33.3.3.0/24• Router C (Default Gateway) IP: 33.3.3.1


Peplink 99

• Peplink Balance (Interface addresses)• WAN1 and LAN: 210.10.10.5• WAN2: 22.2.2.5• WAN3: 33.3.3.5

• Firewall IP: 210.10.10.10• Trusted LAN Network: 192.168.0.0/24• NAT Mappings (at Firewall)

• 210.10.10.20:SMTP -> 192.168.0.20:SMTP• 210.10.10.30:SMTP -> 192.168.0.30:SMTP

• Drop-in Mode already configured and working in previous scenario, so no changes on the existing router and firewall.

Our Target: We want to map IP addresses from ISP B and ISP C to “logically” point to the mail servers.

Define Additional Public IP addresses of ISP B and ISP C1) Go to Network > Interfaces > WAN > WAN2 > Additional Public IP Settings2) Add the public IP addresses assigned to you by ISP B3) You can add a series of IP addresses easily using the tool. (But remember to remove

the default gateway and Balance IP addresses from the auto-generated list by thetool.)

4) Repeat the same step for WAN3 (if applicable for you).Purpose: To tell Balance what IP addresses are available for inbound use.

Define Inbound Servers1) Go to Advanced Network > Inbound Access > Servers2) Add the two mail servers3) Notice the use of IP addresses from ISP A here. To Peplink Balance, it only “sees”

IP addresses on its LAN interface.


Peplink 100

Define Inbound Services1) Go to Network > Inbound Access > Services2) Add a new service rule, tying up IP addresses of ISP B and ISP C to existing

server(s).3) The screenshot essentially describes the following:

• Map 22.2.2.20:SMTP -> 210.10.10.20:SMTP• Map 33.3.3.20:SMTP -> 210.10.10.20:SMTP

4) Notice that no mapping is required for ISP A. (Uncheck it)5) Repeat the same step for other service(s).6) Save and apply changes.


Peplink 101

How to set up Inbound Load Balance via built-in DNS (Drop-in Mode)Peplink Balance has a built-in DNS server for inbound link load balancing. You candelegate a domain’s NS/SOA records, e.g. “www.mycompany.com”, to the PeplinkBalance’s WAN IP address(es). The Peplink Balance will return healthy WAN IPaddresses as an “A” record when a DNS query for the host name is received.

It can also act as a generic DNS server for hosting “A”, “CNAME”, “MX”, “TXT” and “NS”records. The Peplink Balance can perform this in two methods, either in Non Drop-in orDrop-in Mode.

Inbound Load Balancing is configured via: • DNS records configured within Peplink Balance • External DNS records at an Authoritative DNS Server

To illustrate this, we will use the previous example, changing the server from mail toweb, and only using single server for simplified illustration. The steps to define theserver(s) and service(s) are the same as the previous example, so we will start with theDNS settings.


Peplink 102

To define the DNS records to be hosted in Peplink Balance, go to the setup page locatedat: Network > Inbound Access > DNS Settings, as shown in above.


Peplink 103

Step 1: Configure “DNS Server”Click the Edit button to choose the IP addresses that the DNS server should be listeningon. This will result in a pop-up screen.

There, select the desired WAN link(s) and respective WAN Interface IP addresses.Multiple addresses in the list can be selected by holding the CTRL key while clicking onthe addresses. Click Save to continue.


Peplink 104

Step 2: Define the Default SOA / NSFrom Network > Inbound Access > DNS Settings, click on the Edit button, create theDefault SOA / NS record, and map the WAN 1, 2 & 3 interface IP to the Name Serverrespectively.


Peplink 105

Step 3: Select Connection PriorityFrom Network > Inbound Access > DNS Settings, click the Edit button to configureDefault Connection Priority. In the resulting pop-up, you will see a list of WAN Interfaceswith priority, please choose the desired WAN priorities and click Save to continue.

In the above example, WAN 1, 2 & 3 are the DNS query answering interface, so it shouldbe selected. And we are assuming all three WAN links are equally healthy.


Peplink 106

Step 4: Creating DNS RecordsFrom Network > Inbound Access > DNS Settings, enter a domain name in the DomainName field and click the Add New button.

Click on the New A Record button to create A Record for the web server.


Peplink 107

As the A Record window appears, enter the name of the server (eg. www) which will beauto associated with the previous defined domain name (.mypeplink.com).

Check on the IP at the respective WAN interfaces, these will be mapped towww.mypeplink.com.

Only the highlighted IP addresses in the lists receive responses to a DNSquery. (Multiple items in a list can be selected by holding CTRL andclicking on the items.) In case a WAN link is down, the corresponding setof IP addresses will not be returned. However, the IP addresses in theCustom IP field will always be returned.

Click Save and Apply the changes.


Peplink 108

Domain DelegationThis diagram is useful for users who want to delegate a sub-domain to be resolved andmanaged with the Peplink Balance (Assuming they host their domain at an ISP ordomain registrar).

In order for Internet users to look up the host name (e.g. “www.mypeplink.com”) usingthe Peplink Balance, you have to point NS records of it in the domain (e.g.“mypeplink.com”) to the Peplink Balance’s WAN IP addresses. If you are using ISCBIND 8 or 9, add these lines in the zone file of “mypeplink.com”:

www IN NS balancewan1www IN NS balancewan2www IN NS balancewan3balancewan1 IN A 210.10.10.5balancewan2 IN A 22.2.2.5balancewan3 IN A 33.3.3.5

Where 210.10.10.5, 22.2.2.5 and 33.3.3.5 are the WAN IP addresses of the PeplinkBalance in this example. The IP values here are for illustration only and would likely bedifferent for you. In order to host the complete domain on your own DNS server with thePeplink Balance, contact the DNS registrar to have the NS records of the domain (eg.“mypeplink.com”) point to your Balance’s WAN IP addresses.


Peplink 109

Testing From a host on the Internet, use an IP address of Peplink Balance and nslookup tolookup the corresponding hostname. Check if the returned IP addresses are the desiredaddresses for the host name. Above is a sample Windows nslookup.

The IP values here are for illustration only and would likely be different for you. In the labexample, it show return three IPs (210.10.10.30, 22.2.2.30 & 33.3.3.30) when you queryfor www.mypeplink.com.


Peplink 110

Continuous Failover Support Using Master and Slave Setup

Background1+1 backup enables failover to happen when the master device goes out of service. Thisrequires a pair of Peplink Balance devices operating in active-standby mode. When themaster device is down, the slave device takes over and handles all the LAN traffic.

The Peplink Balance series supports failover between two Balance devices based onVirtual Router Redundancy Protocol (VRRP). Periodic VRRP advertisement packets aresent out from the master device to VRRP-specific IP multicast addresses. The slavedevice assumes the master device’s responsibilities when these messages have notbeen heard from for a pre-defined time interval.

In the above example, a VRRP Group 20 is assigned to the HA pair. The virtual IPaddress (VIP) is 210.10.10.2. However, the default gateway for the firewall shouldremain unchanged, as Internet router IP: 210.10.10.1, as this is Drop-In Mode. A uniqueVRRP group identifier is used for each HA pair subsequently set up on the same LAN.Balance devices have to be on the same subnet to support VRRP and the same VRRPgroup identifier must be used on the HA pair.

Additional Ethernet switches are required to separate each ISP connection so thatMaster and Slave Balance devices can both be connected. More than one Ethernetswitch must be used in order to prevent a single point of failure, which would otherwisedefeat the purpose of the 1+1 backup concept.

In this example, Master Peplink unit will use 210.10.10.3 as its LAN IP, Slave Peplinkunit will use 210.10.10.4 as its LAN IP. Both Master and Slave units use the same VIP210.10.10.2.


Peplink 111

The the master unit goes down, the failover will place with a typical recovery time of 10-15seconds. After the Slave unit changed its role to Master, all WAN connections will be re-established again.

VRRP for Master Configuration 1) Go to Network> Misc. Settings > High Availability of the Master unit. Select

Enable.2) Enter the following and then click Save:

A. Group Number: (use the same number for HA pair, eg. 20)B. Preferred Role: (select master or slave)C. Virtual IP: (210.10.10.2)

(Note: VIP and LAN Administration IP have to be from the same network. Devicesbehind the Balance liked firewall will need to configure their default gateway pointingtowards VIP.)3) Click Apply Changes to activate settings

VRRP for Slave Configuration – configuration sync. 1) Click and choose Slave as the Preferred Role.2) Check the box to enable the Configuration Sync. feature.3) Enter the serial number of the master unit.4) Before applying the changes, it is required to change the LAN IP address and set it

as a different one from Master unit. Go to Network > LAN of the Slave unit andchange LAN IP address.

5) Click Save and then Apply Changes to activate settings.6) Once the Configuration Sync succeeds, you will find the “successful” message in the

event log of the slave unit.

NOTE:The failover takes place with a typical recovery time of 10-15 seconds. After theSlave unit changed its role to Master, all WAN connections will be re-established


Peplink 112

again.

Two Balance units should connect to the Internet in the same mode. For example,they should be both in NAT mode or both in Drop-in mode.

NOTE:Once the slave unit is configured to automatically synchronize configuration from themaster unit, the web admin of slave unit will be locked. Changes can only be made afteryou have disabled the Configuration Sync. Function, sample captured screen above.

In HA mode, configuration synchronization only happen from Master unit to Slave unit,configuration will not be obtained from Slave unit to Master unit.


Peplink 113

VRRP for Slave Configuration – manual Alternatively, you may configure the slave unit manually. 1) Go to System > Configuration of the MASTER unit. Click Download under

Download Active Configurations and save the configuration file for the Slave unit.2) Go to System > Configuration of the SLAVE unit. Choose the configuration file

exported in step 1 under the Upload Configurations from High Availability Pairand click Upload.

3) Before applying the changes, change the LAN IP address and set it as a differentone from Master unit. Go to Network > LAN of the Slave unit and change LAN IPaddress. Click Save to save changes.

4) Go to Network > High Availability and change the Preferred Role from Master toSlave.

5) Click Save and then Apply Changes to activate settings


Peplink 114

LAN Bypass FeatureAvailable in Peplink Balance 580, 710, 1350, and 2500:• LAN Bypass is a fault-tolerant feature that protects you in the event of a power

outage.• When used with Drop-in Mode, such failure would be completely transparent to the

network.• In the above example, WAN1 and LAN1 ports are bridged together when the power

runs out.

Note:• Starting from firmware version 5.0, Drop-in mode can be configured on any WAN

ports. Please be noted that still only one WAN port can be configured in Drop-inmode.

• If you have selected the LAN Bypass port (which is currently available on WAN1 ofBalance 1350 and WAN5 of Balance 580) as the WAN for Drop-in Mode, HighAvailability feature will be DISABLED automatically.

• When the LAN Bypass feature is enabled, the High Availability feature will beautomatically DISABLED.


Peplink 115

Balance Router As Wireless LAN ControllerIn this section, we will cover the Balance router WLC configurations, all other settings ofAP will be cover in another module (Wireless Access Point).

For model 305 onwards, the Balance comes with built-in WLC. This is useful fordeploying a centrally controlled WLAN setup at significantly lower costs. The Balancecan serve as a WLAN Controller for Managing Pepwave AP Devices, as well as multipleSSIDs. The Balance and the Pepwave AP can automatically discover each other usingDNS and TFTP protocols.

RequirementThe customer has a Balance router installed and operating in their network. Recently,they have purchased two units of Pepwave AP One. The customer wants to integratethese APs into their existing LAN for their staff, while creating “Guest” access whichwould allow visitors to only access the Internet.LAN IP: 192.168.0.0/24Staff SSID: same access right as wired LAN userStaff Login Method: WPA/WPA2 PSKGuest SSID: only allow to access InternetGuest Login Method: Captive Portal with Open security

The Balance router, acting as the WLC will need to configure above settings and pushthe policy to the AP(s).


Peplink 116

Getting Started – Enable AP Management

1) Select Network from the top menu. Choose AP Management from the left menu, and then select the check box to enable the feature.

2) To manage access points located in a remote network, enable Manage Remote AP.

3) You can set up a list of recognized access points with Access Point to be Managed. Input the serial number of the AP you want to manage in the box.

4) Click Save, and then click Apply Changes.


Peplink 117

Creating Wireless Networks (SSID) – for “Staff”

1) Choose Wireless Networks from the left menu. Click the New Network buttondisplayed on the bottom of the page.

2) In the Wireless Network dialog box, enter the Network Name (SSID) used toidentify the Wi-Fi network. Enter “Staff” as the SSID, as this will be used for internalaccess.

3) Under Wireless Security Settings, select WPA/WPA2 - Personal for home or smallbusiness use. Enter an authentication password of at least 8 characters in theShared Key field. If you are managing the network of a larger company, you mayconsider using WPA/WPA 2 - Enterprise, which allows you to use a separateRADIUS server to handle the wireless network’s authentication. Assign theWPA/WPA2 PSK as “staffwlan” for this example.

4) Click OK at the bottom of the dialog box, and then click Apply Changes to save thewireless network.

5) Repeat the above steps to add more wireless networks and/or specify additionalname and network permissions for various user groups. Next we will create “Guest”SSID.


Peplink 118

Creating Wireless Networks (SSID) – for “Guest”

1) Choose Wireless Networks from the left menu. Click the New Network buttondisplayed on the bottom of the page.

2) In the Wireless Network dialog box, enter the Network Name (SSID) used toidentify the Wi-Fi network. Enter “Guest” as the SSID, as this will be used for visitorInternet access.

3) Under Wireless Security Settings, select Open (No Encryption)

4) To further customize network permissions, you can also change Guest Protect, Bandwidth Management, and Firewall Settings. As this is for visitor usage, click on the Block All Private IP checkbox to protect internal LAN (assuming the LAN IP range is using private IP range).

5) To show a splash screen for your Wi-Fi service, which is useful for Wi-Fi service offered to guests in restaurant, hospitality, and other settings,enable Captive Portal. We will configure the Captive Portal in another page.

6) Click OK at the bottom of the dialog box, and then click Apply Changes to save thewireless network.


Peplink 119

Creating AP Profiles

1) Choose AP Profiles from the left menu. Click the New AP Profile button displayedon the bottom of the page.

2) In the AP Profile dialog box, enter a name for the device configuration profile, eg.“Office”.

3) Select up to four wireless networks to include in the AP profile, check on the “Guess”and “Staff” SSIDs to be included in this profile.

4) Optimize your device’s radio performance by adjusting the options in AP AdvancedSettings. For example, you can select a different 2.4 GHz Wi-Fi radio channel inorder to ensure the best signal strength and eliminate potential channel conflicts.

5) Change your AP One’s device security settings, such as passwords, under WebAdministration Settings. Set the password to “public, which is default for AP One.

6) Click Save at the bottom of the dialog box, and then click Apply Changes to storethe AP profile.

Note:You can select up to maximum of 16 “Wireless Networks” in an AP Profile when usingBalance router as WLC.


Peplink 120

Managed AP Status in Dashboard

1) AP One devices in the network will be automatically discovered. The number of APsdetected will be shown on the Dashboard and Access Point section of Status.

2) To manage access points located in a remote network, enable Manage Remote AP.

3) You can set up a list of recognized access points with Access Point to beManaged. In this case, one unit has been connected.


Peplink 121

Verify From AP Web Console1) You can verify the AP management by accessing the AP web console page using

web browser. The AP login details as follows:• IP Address: 192.168.0.11• Username: admin (set by WLC)• Password: public (set by WLC)

2) In the System view of the AP, the real time status shows that the AP is connected toWLC (IP: 192.168.0.1).


Peplink 122

Applying AP Profiles

1) Navigate to the Dashboard page. Under WLAN Information, click Control Panel.

2) Select the check box for the AP One device you wish to configure.

3) Select AP Profile from the drop-down menu located in the lower right corner.

4) In the AP Profile dialog box, select a previously created AP profile (eg. “Office” forthis case) and Click OK.

5) The selected AP profile will be sent to your AP One devices automatically.


Peplink 123

Creating a Captive PortalA captive portal is a great opportunity to build your brand while providingWi-Fi service to hotel guests, coffee shop patrons, students, and otherusers. You can create a customized portal start page using one of twocaptiveportal modes, in this example we will use the Open Access mode.

1) Navigate to the Dashboard page. Under WLAN Information, click Control Panel.

2) In the Access Point Control Panel dialog box, click Captive Portal Settings,located on the lower left.

3) Click the General tab and choose a Captive Portal Mode:• Open Access Mode -- No user name or password will be required on the

portal page. To limit the amount of time a guest can use the network, enterthe allowed time in Free Access Quota. Click Save to store your changes.

• Guest Account Mode -- The portal page will be displayed with a login box,and a user name and password will be required. After selecting Guestaccount mode, click Save. Click Guest Accounts to create accounts.

4) Click the Portal Page Customization tab.

5) To upload an image for the portal page, first click Choose File. Select the desiredimage from your system and click Upload. If no image is select, then the defaultimage of the AP One will be used.


Peplink 124

6) Customize your portal page with a Message and Terms & Conditions.

7) Specify where the customer will be redirected after successful authentication with aCustom Landing Page if desired.

8) Click Preview to review your design, and click Publish to save your portal page andmake it available to guests.

Testing Guest AccessThe “Guest” SSID is meant for visitors, so it only allows access toresources outside of the company network.

1) On your notebook, try to connect to the Guest SSID broadcasted from the AP One. Itshould have Open security without any WPA/WPA2 key required.

2) Once connected, open the command prompt and use ipconfig to check yournotebook IP address.

Ping Test:1) Ping to Gateway IP: 192.168.0.1

• Passed or Failed2) Ping to AP One IP: 192.168.0.11

• Passed or Failed3) Ping to Google DNS IP: 8.8.8.8



Peplink 125

Testing Guest Access to Internet

1) On your notebook, open your web browser and enter “www.google.com” in the URL.

2) You will be redirected to the Captive Portal page, where you will need to review theT&C and click Agree to proceed.

3) This will depend on how you configure the Custom Landing Page. If you have noneconfigured, then you will be redirected to your designated page, www.google.com.


Peplink 126

Once the wireless client access is granted, you will able to access Internet sites.However the “Guest” SSID access will not be allowed to access to internal LAN hosts.






Peplink 127

Testing Staff AccessThe “Staff” SSID is equivalent to internal LAN access, thus it has the sameaccess rights as wired LAN users.

1) At your notebook, try to connect to the Staff SSID broadcasting from the AP One.Key in staffwlan when Windows prompts you for your WPA/WPA2 key.

2) Once connected, open the command prompt, use ipconfig to check your notebook IPaddress.





Web Browsing Test:1) At your notebook, open your web browser, enter “www.google.com” in the URL. The

page can load? Yes or No


Peplink 128

Balance Router – Other ConfigurationsIn addition to the key features mentioned in previous sections, the Balance Router offersother useful features:- QoS- Service Passthrough- Service Forwarding- System settings.

The following tasks will be based on this diagram.


Peplink 129

The Balance router has built-in standard firewall functionality, thus it can beused as firewall in the environment that doesn’t has any firewall. Assuming thecompany wants to prevent their staff from accessing social websites, egfacebook.com, the Balance firewall rule by domain name can beconfigured.

The steps as follow, with “foobar.com” as the example domain name:1) Go to Network > Firewall > Access Rules, Select Domain Name in the

Destination field.2) Enter “foobar.com” in the empty field.3) Click Save and apply the changes.

After a firewall rule by domain name is created, all traffic from that domain will be allowedor denied according to your settings.

TIP: If you are trying to block outgoing HTTP access to a website using a domain name,consider using the Web Blocking feature.


Peplink 130

String Matching Example

foobar.com *.foobar.comfoobar.comwww.foobar.commail.foobar.com

foobar.* *.foobar.*foobar.comfoobar.co.ukwww.foobar.co.uk

Example:

The Balance router has QoS features, allowing you to control the trafficbased on its user group (predefined 3 groups), as well as by application. Inthis scenario, we have implemented an IP Telephony system in the branchoffice, and we have deployed an IP Telephony server reside in HQ. Tooptimize the voice quality over the Internet links, QoS is essential forensure the VoIP traffic can be smoothly delivered across sites.

To assign the user group:1) Go to Network > User Groups under QoS, either click on existing Subnet or Add

button to create a new subnet/IP range.2) From the Group drop down list, select the desired group (Manager, Staff, Guest),

click Save.

To enable QoS based on application:1) Go to Network > Application under QoS, click Add button in the Application

section to define the application requiring QoS.2) At the Add / Edit Application window, choose the appropriate Category and

Application from the drop down list, eg. VoIP, click OK to save.3) Once application defined, it will appear in the Application section, assign the

Priority to this application (High, Normal, Low).4) Click Save and apply the changes.


Peplink 131

Assuming your business partner is running systems that only allow access from IPSecClients in your office environment. In such a situation, you would need to enable ServicePassthrough Support in your Balance router. By default, the router has enabled IPSecNAT-T, if the IPSec is running on custom ports, then you can define the portsaccordingly.

Step to enable IPSec passthrough:1) Go to Network > Service Passthrough under Misc. Settings, check the Enable box under IPSec

NAT-T.2) Check the Define box if it’s running custom ports, and fill in the ports accordingly.3) Click Save and apply the changes.

Passthrough for other services (eg. SIP, H.323, FTP & TFTP) can be enabled in thispage as well.


Peplink 132

Enable SMTP ForwardingThere are situations where the ISP will block SMTP forwarding fromdifferent ISPs. Thus, the Balance router allows you to control the right ISPlinks to forward your SMTP service.

When this option is enabled, all outgoing SMTP connections destined for anyhost at TCP port 25 will be intercepted. These connections will then be redirectedto a specified SMTP server and port number. SMTP server settings for eachWAN can be specified after selecting Enable.

Step to enable SMTP Service Forwarding:1) Go to Network > Service Forwarding under Misc. Settings, check the Enable box

under SMTP Forwarding.2) A window appear with listed WAN connection, check to Enable the respective WAN

and enter the associated SMTP Server name/IP.3) Click Save and apply the changes.

Enable DNS ForwardingWhen this option is enabled, all outgoing DNS lookups will be intercepted and redirectedto the built-in DNS name server.

If any LAN device is using DNS name servers of a WAN connection, you may want toenable this option to enhance the DNS availability without modifying the DNS serversetting of the clients. The built-in DNS name server will distribute DNS lookups tocorresponding DNS servers of all available WAN connections. In this case, DNS service


Peplink 133

will not be interrupted even if any WAN connection is down.

Some of the System settings are crucial to the operation, eg. InControl,Remote Assistance, and Email Notification.

InControl – Cloud ManagementWhen this check box is checked, the device's status information, usage data, andconfiguration will be sent to Peplink’s InControl system. You can sign up for an InControlaccount at https://incontrol.peplink.com/. You can register devices under your account,monitor device status and usage reports, as well as download backed up configurationfiles.

Default: Enabled(Post usage data): Disabled

Email NotificationThe feature Email Notification allows email to be sent to the listed recipient emailaddresses when the following events take place:• Email notification test• A new firmware version is available• Health status changes for any WAN connection• VPN status changes• Bandwidth usage has reached 75% of the allowance


Peplink 134

• Bandwidth usage has reached 95% of the allowance

Click the button Test Email Notification and click Send Test Notification to send a testingemail.

Remote AssistanceWhen you face some serious technical issue with the Balance router, where you needPeplink Technical Support to check on the device, you can turn on this feature, go toStatus > Remote Assistance under System Information window.

Diagnostic ReportNormally when you report problem related to the Balance router to Peplink TechnicalSupport, it is good to attach the Diagnostic Report together so the support team cananalyze the report to understand the router condition. To generate the report, go toStatus > Diagnostic Report under System Information. Click on the Download buttonto save the file.

The report filename usually carry the format as below:YYYYMMDD_Model No._SSSSSSSSSSSS_diag.report

with:YYYY – 4 digits represent yearMM – 2 digits represent monthDD – 2 digits represent dayModel No. – The Balance Model, eg. B380SSSSSSSSSSSS – 12 digits serial number

Support Information pageAnother way to turn on the Remote Assistance will be through the Web Admin URL,which shown above, “http://<your peplink ip>/cgi-bin/MANGA/support.cgi”.

Diagnostics Report also can be obtain in this page, besides from Status page.

In this page, the router Ethernet connections negotiated speed and duplex status wasshown, in which it aids in troubleshooting tasks, like debugging connectivity issues.

Additional Support Resources1) If you need to access the products user manual or firmware, please visit

http://www.peplink.com/support/downloads/.

2) To access our knowledge base, please visit http://www.peplink.com/knowledgebase/to find out more about our product deployment scenario in various environment andrequirement.

3) To log case with Peplink support, you can send your case [email protected].


Peplink 135

Out of the box, the Pepwave MAX router comes with the following defaultsettings:• IP: 192.168.50.1/24• Username: admin• Password: admin• LAN DHCP: Enabled• DHCP IP Range: 192.168.50.10 – 192.168.50.250

In the diagram, the switch is optional as a console into the Pepwave MAXRouters. You can plug the UTP cable directly from PC/Notebook into MAXRouter LAN port for the same purpose.

Generally, the Web Admin UI is similar to Balance router, making to easierfor users who have experience with the Balance router UI.


Peplink 136

After entering the parameters correctly, you will be able to login to the WedAdmin page.

The Dashboard provides a status overview of the MAX Router:• WAN interfaces connectivity status• LAN interface connectivity status• System Uptime• System CPU Load, in %• Device Throughput, in Mbps• Depends on the model, BR1 & HD2 provide the GPS map status too

A unique feature on the MAX router interface is that you can configure the WANinterfaces on the Wan Connection Status page. You can do so by clicking the Detailsbutton of each of the WAN interface bar. Alternately, you can go to Network > WAN toreach to same setting page.

In this page, you can also assign different priority levels to the WAN interfaces bydragging the interface bar up or down. If all WAN interfaces are assigned with samepriority, then it will perform load balancing for the WAN traffic.

Note:


Peplink 137

Depending on model of MAX routers, only MAX HD2, MAX 700, and MAX OTG (U4 &U4-SF) will allow WAN load balancing, the other models will allow WAN failover.

Cellular Interface SettingsThe settings are similar across different interfaces. However, for cellular interface, thereis extra feature you need to take note of.

When you click on the Details button of any of the active Cellular WAN interfaces, youwill reach the Connection Details setting page shown above. If the mobile broadbandprovider or the data plan has a quota limit (eg. 2GB/month), then you need to enableBandwidth Allowance Monitor and set the data limit on this WAN to 2GB. At the sametime in the Action section, you can set the MAX router to notify you via email if theusage hits 75% of quota. Lastly, you can further control the WAN condition to eithercontinue or disconnect this particular WAN link if usage hits to 100% of that month.

Health Check Method – SmartCheckSmartCheck will trigger DNS lookup health check if there is no return packet after anoutbound packet was sent for 10 seconds. Since it is not an active algorithm (send hcpacket in constant interval), it saves bandwidth.

If the Cellular WAN has limited data usage/quota, and you want to reduce the CellularWAN utilization, you can:1) Choose SmartCheck as Health Check Method2) Set Standby State of Cellular WAN to "Disconnected" instead of "Remain

Connected“3) Increase the value of Health Check Interval


Peplink 138

Saving Bandwidth with Smart CheckSmart check will trigger a DNS lookup health check if there is no returnpacket after an outbound packet was sent for 10 seconds. Since it is not anactive algorithm (it does not send hc packet in constant interval), it savesbandwidth.

MAX routers come with various connectivity options, allowing you to set itup in different ways to suit customer requirements. In the followingscenarios, we will exploring three most common MAX routers deploymentsetups.

1) Branch Network Connections• 3 WAN + 2 LAN

2) Mobile Command• 2 WAN + 2 LAN

3) Public Transport• 1 WAN + 2 LAN

Let’s take a look at each of these scenarios in detail, and whatconfigurations need to be done to achieve the objective.


Peplink 139

Branch Network ConnectionsIn this environment, we have a fast food businesses with many outlets throughout thecountry. Each of these outlets need to connect back HQ in order to update businesstransactions data. At the same time, the outlet also needs to provide WiFi to theircustomer.

Requirements1) WAN

• The outlet will need a cable broadband as primary WAN link, backed up by a WiFi WAN and aCellular WAN.

2) LAN• The wired LAN will be serving the outlet internal LAN, while WiFi AP can serve both internal

staff as well as their guest.


Peplink 140

Configuration for the WAN/LAN interfaces are the same as for the Balancerouters, please refer to previous section if you need instructions.

This screenshot shows the MAX BR1 router configured with a wired WANas primary link, followed by a WiFi WAN as first standby, and Cellular assecondary standby WAN link.


Peplink 141

WAN Failover #1 – Wired WAN FailedThe MAX router has built-in intelligent and link health checks to enable afast failover process. All the standby link(s) are in “hot-standby” state.That is, if the primary link fails, the MAX router will redirect the traffic to thestandby WAN links.

Failover Test:1) Before starting the test, take a Windows machine, launch a command prompt

window and conduct a continuous ping to Internet host IP (eg. 8.8.8.8).2) Unplug the wired WAN of MAX router (BR1)3) Observe the changes of WAN Connection Status4) Which is the active WAN link now? Wired WAN or WiFi WAN or Cellular WAN5) Any timeout during failover? Yes or No6) How many timeout during failover?


Peplink 142

WAN Failover #2 – Wired WAN & WiFi WAN FailedAssuming a worse scenario where the first two WAN links are faulty, theMAX router still can operate with the 3rd WAN Celllular broadband link.

Failover Test:1) Before starting the test, take a Windows machine, launch a command

prompt window and conduct a continuous ping to Internet host IP (eg. 8.8.8.8).

2) Unplug the wired WAN of MAX router (BR1), and change the WiFi WAN WPA/WPA2 Key to simulate 2 WAN links failed

3) Observe the changes of WAN Connection Status4) Which is the active WAN link now? Wired WAN or WiFi WAN or Cellular

WAN5) Any timeout during failover? Yes or No6) How long was the timeout during failover?


Peplink 143

WAN Link RecoveryMAX router has fast and smooth recovery mechanism that no timeoutwhen the primary WAN link(s) service restored.

Recovery Test:1) Before starting the test, at the Remote site, launch the command prompt window and

conduct a continuous ping to HQ LAN IP (10.0.0.10)2) Plug back the Wired WAN & enter the correct WiFi WAN WPA/WPA2 Key for the

MAX BR1 router3) Observe the changes at the routers WAN Connection Status4) Which is the active WAN link now? Wired WAN or WiFi WAN or Cellular WAN5) Any timeout during failover? Yes or No6) How long was the timeout during failover?


Peplink 144

Mobile CommandIn this example, we have a police patrol driving in an urban area. The MAX BR1 routercan be installed in these vehicles, allowing them stay connected to their control centerwhile they are on the move. This is accomplished with 2 different WAN options.

Requirement1) WAN

• The police vehicle can use WiFi WANas primary WAN link, backed up by aCellular WAN.

2) LAN• The wired LAN will be used for fixed machines, while the WiFi AP can serve

the policemen any handheld devices.


Peplink 145

We have gone through the configuration steps of the WAN/LAN interfacesin the Balance router section, so we will skip that step.

The screenshot shows the MAX BR1 router configured with WiFi WAN asthe primary link, followed by Cellular as the standby WAN link.


Peplink 146

Public TransportPublic transport systems often travel long distances, so WiFi WAN may not able to coverthe entire path. The only available WAN option would be Cellular broadband. If buscompanies want WAN resiliency, the BR1 has 2 SIM slots and 1 embedded modem sothey can put in second SIM card for Cellular failover purposes.

Requirement1) WAN

• The bus needs to be equipped with Cellular WAN.2) LAN

• The wired LAN will be used for machine in the bus, and the WiFi AP canserve the passengers handheld devices.


Peplink 147

We have gone through WAN/LAN configuration in the Balance routersection, so we will skip the explanation there.

Above screenshot shows the MAX BR1 router configured with Cellular asthe primary and the only WAN link.


Peplink 148

As mentioned earlier, the LAN/WAN interface settings are similar toBalance router.


Peplink 149

The difference between Balance and MAX router is that non-interfacerelated settings are placed in the Advanced section. You can configureWiFi Settings, SpeedFusion VPN, Port Forwarding, etc in this panel.


Peplink 150

The System and Status menus are identical to those for the Balancerouter.

For further details on these settings, please refer to the relevant firmwareuser manual.


Peplink 151

This module will examine different real life deployment scenarios, and howto configure the access points to achieve the desired results.


Peplink 152

Course Agenda

• Module 4: Wireless Access Point Configurations- To study how Pepwave Access Points can be implemented into various deployment scenarios.- To explain the steps to configure APs to achieve the desired effect.


Peplink 153

Hardware Overview


Peplink 154

Setting up the AP One for the 1st time:1) Default settings

• IP: 192.168.0.3/24• Username: admin• Password: public• LAN DHCP: Disabled

2) Connect a PC to the backbone network. Configure the IP address of the PC to bebetween 192.168.0.4 and 192.168.0.254, with a subnet mask of 255.255.255.0.

3) Using Microsoft Internet Explorer 6 or above, Mozilla Firefox 2.0 or above, or GoogleChrome 2.0 or above, connect to https://192.168.0.3.

4) Enter the default admin login ID and password, admin and public respectively.

After logging in, the following information main page will appear. Click System, locatedunder Configure on the left, to begin setting up your access point.


Peplink 155

After enter the parameters correctly, you will be able to login to the WedAdmin page.

At the System Information, provide overview of system conditions:• Model• Firmware Version• AP Name• Location (user define for the AP physical location)• Serial Number• MAC Address• Network IP Information (details will be display if default settings changed)• System Time• Up Time


Peplink 156

First, we will be defining some system settings (eg. Name, IP information,etc).

Steps to configure system settings:1) Go to Configure > System

2) Click on Basic tab

3) Enter the necessary information

4) If you want the AP to keep the default Management IP after reboot, click thecheckbox to enable Keep Default IP, else uncheck the box.

5) If this AP is manage as standalone and using static IP, select Manual on the IPAddress Mode, then enter Static IP Address.

6) To save the changes and activate later, click Save button, to apply the changesimmediately click Save to flash and activate button.


Peplink 157

Pepwave AP One series has an unique feature: it can operate in either Layer 2 (Bridge) or Layer 3 (Router) mode.

A. Router Mode- When using Router mode, your Pepwave access point can be used as a DHCP

server for devices located behind it in the network, and provide routing between thewired and wireless networks

- In this example, putting AP One in router mode would be separate the wireless LANfrom wired LAN segment, either for security control & enforcement, or broadcastisolation purpose.

B. Bridge Mode- This would be typical WLAN deployment, where the AP bridge between the wired and

wireless networks in the same broadcast domain.

To select the AP role;1) Go to Configure > System2) Click on Advanced tab3) Select Bridge or Router in AP Mode field4) Once the selection is made, it will toggle LAN settings page

configuration mode.


Peplink 158

LAN SettingsManual Router Settings are available only when AP Mode in Advanced System Settings is set to Router.

1) Go to Configure > LAN to access the LAN settings page.

2) Assign the IP details for the wireless segment, where this segment of IP will be assigned to wireless client. The AP IP will be the default gateway for the wireless clients.


Peplink 159

LAN Settings disabled when AP One set to bridge mode, and all the fieldswill be grey out. The wireless client will get IP assigned from DHCP serversit in the wired LAN, and the packets will passthrough AP One to reach tothe wired LAN.


Peplink 160

In a normal office WLAN deployment scenario, the AP will host at least 2 different sets of users, namely internal and external.

RequirementThe customer has purchased one unit of Pepwave AP One recently. They want toenable wireless access for their staff and visitors. Staff will have full access to internalnetworks and the Internet, and visitors only have Internet access.

LAN IP: 192.168.0.0/24Staff SSID: same access right as wired LAN userStaff Login Method: WPA/WPA2 PSKGuest SSID: only allow to access InternetGuest Login Method: Open Authentication with no security

Let’s look at the tasks needed to accomplish the objective.


Peplink 161

To create the SSID:

1) Go to Configure > Wireless Networks, click on the Add button on the WirelessNetworks tab.

2) It will open the Wireless Network Details page, click the Yes button to enable theSSID you want to create.

3) In Wireless Network SSID field, define the SSID, eg. Guest.

4) Broadcast SSID checked box enabled by default.

5) Assign the Security Level from choices of “Open”, “Static WEP”, “802.1X”, “WPA”,“WPA2”, and “WPA and WPA2”. For “Guest” SSID, choose “Open”.

6) Click Save to flash and activate to apply the changes.

Next two slides show you the advance settings for the SSID configurations.


Peplink 162

As mentioned earlier, visitors are only allowed to access the Internet, sowe need to place measurements to prevent them from reaching internalnetworks:

1) Click on the Guest Protect tab under Wireless Network Details for “Guest” SSID.

2) Select the Block All Private IPs tab, then tick on the checkbox for Block LANAccess to turn on the feature.

3) If this AP One has established a SpeedFusion VPN tunnel, and you don’t want the“Guest” traffic through it, tick on the checkbox for Block SpeedFusion as well.

You can also block custom subnets using the Custom Subnet tab, orprevent all with exception via Block Exception tab.

One more step to complete the “Guest” SSID configuration, as shown innext page.


Peplink 163

It is normal to have different groups of visitors needing to access Internetat the same time, so you may want to prevent them seeing each other forvisitor privacy purposes:

1) Click on the Advanced tab under Wireless Network Details for “Guest” SSID.

2) Leave other settings as it is, select the checkbox for Layer 2 Isolation to turn on thefeature.


Once this feature turned on, each of the wireless client in “Guest” networkwill not able to access each other.

Next, get a machine to test the configuration.


Peplink 164

Testing Guest Access1) At your notebook, try to connect to Guest SSID that broadcast from AP One. It

should be Open security without any WPA/WPA2 key required.2) Once connected, open the command prompt, use ipconfig to check your notebook IP

address, or you verify via the Windows Wireless Network Connection Status.

Ping and Access Tests:1) Ping to Gateway IP: 192.168.0.1 & Google DNS IP: 8.8.8.8

• Passed or Failed2) Open web browser and access Internet web sites (eg. www.google.com)



Peplink 165

To create the “Staff” SSID:1) Go to Configure > Wireless Networks, click on the Add button on the

Wireless Networks tab.

2) It will open the Wireless Network Details page, click the Yes button toenable the SSID you want to create.

3) In Wireless Network SSID field, define staff SSID as “Staff”, assign theSecurity Level to “WPA and WPA2”, the key is “staffwlan”.


Next, at the Guest Protect tab, ensure to guestprotect features unchecked:

1) Click on the Guest Protect tab under Wireless Network Details for “Staff” SSID.

2) Select the Block All Private IPs tab, then uncheck the checkbox for Block LANAccess to turn off the feature.

3) If this AP One has established SpeedFusion VPN tunnel, and you want to include


Peplink 166

“Staff” traffic forward to the tunnel, uncheck the checkbox for Block SpeedFusion.

One more step to complete the “Staff” SSID configuration, as shown in nextpage.

For internal staff access, layer 2 security need not be apply, to ensure it isnot enable:

1) Click on the Advanced tab under Wireless Network Details for “Staff” SSID.

2) Leave other settings as it is, make sure the checkbox clear for Layer 2 Isolation.


Next, get a machine to test the new testing.


Peplink 167

Testing Staff Access1) At your notebook, try to connect to Staff SSID that broadcast from AP One. It should

be WPA/WPA2 security, the key is “staffwlan”.2) Once connected, open the command prompt, use ipconfig to check your notebook IP



• Passed or Failed2) Open web browser and access Internet web sites (eg. www.google.com) & internal

website (eg. Gateway web console, http://192.168.0.1)• Passed or Failed


Peplink 168

Wireless distribution system (WDS) are useful to for deployment siteswhere area cables cannot reach, and for temporary deployments. UsingWDS, it is possible to wirelessly connect Access Points, and in doing soextend a wired infrastructure to locations where cabling is impossible orinefficient to implement.

Note:WDS may also be considered a repeater mode because it appears to bridge and acceptwireless clients at the same time (unlike traditional bridging). However, with this method,throughput is halved for all clients connected wirelessly.

RequirementThe customer is expanding their head office, and the cabling work can only becompleted in a month’s time. Staff need to move in to the new office area immediately. Inresponse, the IT manager will setup a WDS using additional AP One (AP #2), towirelessly connect back to existing the AP One (AP #1).

Information needed to setup WDS• Both AP MAC Address• Encryption type: None or AES• Passphrase• Encryption Key

Let’s look at the tasks needed to accomplish the objective.


Peplink 169

To set up the WDS on both APs:1) Go to Configure > WDS, the WDS Details window tab will appear.2) Select the Yes radio button to enable the function.3) Key in the MAC Address of the peer AP.4) Enter any wording for the Passphrase, eg. wdskey, click the Generate Key button

to create the Encryption Key5) Click Save to flash and activate to apply the changes.

Once the settings are saved, it will take a moment for both APs torecognize each other, initiate and negotiate the WDS connection. Go tostatus page to verify the WDS status.


Peplink 170

To verify the WDS status on both AP:1) Go to Information > Wireless > WDS Info tab.2) If WDS established, you will able to see the peer AP details in this window, the

information includes:• Manufacturer• Peer MAC Address• Encryption• Type• Signal• TX/RX Bytes (Packets)


Peplink 171

Testing Access Through WDS1) At your notebook, try to connect to configured on the AP #2, eg. Pismo Research for

this case.2) Once connected, open the command prompt, use ipconfig to check your notebook IP



• Passed or Failed2) Open web browser and access Internet web sites (eg. www.google.com) & internal

website (eg. Gateway web console, http://192.168.0.1)• Passed or Failed

To verify clients connection at AP #2:1) Go to Information > Wireless > Connected Clients tab.2) If clients associated, you will able to see the their details in this window in

accordance to SSID, the information includes:• MAC Address• Manufacturer• IP Address• Type• Signal• Duration• TX/RX Rate• TX/RX Bytes (Packets)• TX Errs• RX Errs


Peplink 172

RequirementA company wishes to install AP in their office, but they aware that other tenants in thesame floor have already installed a WLAN infrastructure. They want to know whichwireless spectrum (channel) will have the least interference.

The AP One series is capable of discovering nearby wireless networks and listing downall the wireless network information. That way, you can choose the least affectedchannel (if no available channel) for your AP.


Peplink 173

To enable the nearby network discovery:1) Go to Configure > Advanced Wireless > Advanced Features tab.2) Click on Discover Nearby Networks checked box to enable the feature.3) Click Save to flash and activate to apply the changes.

To view the nearby networks discovered:1) Go to Information > Wireless > Nearby Networks tab.2) If detected, there will be list of AP shown, with following details:

• Manufacturer• SSID• Security• MAC Address• Channel• Signal• Last Seen• Status


Peplink 174

In the event if the AP need to provide higher power output to cover biggerarea wirelessly, you can enable the Power Boost feature by:1) Go to Configure > Advanced Wireless > Radio Settings tab.2) Click on Power Boost checked box to enable the feature.3) Click Save to flash and activate to apply the changes.

Note:Enables the power boost feature, will increase the output power from 400mW to 2W,which maximizes your access point’s Wi-Fi capacity. Please enable only if localregulations permit.

175

There are other settings like SpeedFusion, SNMP, Web Administrationin Configure menu, Tools and Commands, which will not be discussed.

For further details on these settings, please refer to the relevant firmwareuser manual.


Peplink 176

This module will examine different real life deployment scenarios, andprovide detailed instructions on how to utilize the major features of the SurfOn-The-go.


Peplink 177


Peplink 178

1st time setup steps on Surf On-The-Go:

1) Default settings• LAN IP: 192.168.20.1/24• Admin ID: (No ID by default)• Admin PW: (No password by default)• DHCP Enabled• DHCP Range: 192.168.20.10 – 192.168.20.250• WLAN AP: Enabled• SSID: PEPWAVE_#### (where #### is the suffix of MAC Address of

SOTG)

2) Connect a PC to SOTG Ethernet port, it will be assigned with IP address between192.168.20.1 to 192.168.0.20, with a subnet mask of 255.255.255.0.

3) Using Microsoft Internet Explorer 6 or above, Mozilla Firefox 2.0 or above, or GoogleChrome 2.0 or above, connect to https://192.168.20.1.

4) As there is no login security enabled by default, you will be redirect to Dashboardpage.


Peplink 179

Dashboard PageAt the Dashboard page, you will see the device’s current WAN connection status. It alsodisplays a real-time graph displaying Network Data Usage and Signal Timeline (if WiFior Cellular is active).

You can change the WAN connection type by clicking the Switch WAN Mode icons(WiFi, Cellular, Wired)

Status PageYou can view the device status in this page, detail information included:• Firmware version• Hardware version• Model• Serial Number• Supported Mode (operating radio frequency, a/b/g/n)• etc

If WAN link is active, you will see the relevant information like IP Address, Subnet Mask, Gateway, etc.


Peplink 180

Your Surf On-The-Go supports three WAN connection modes, giving youmaximum connectivity on the road, at the office, or at home.

Wi-Fi ModeConnect to the Internet via Wi-Fi Hotspot (and backup by Cellular), and provide a LocalAccess Point and Ethernet Connection. e.g. Wi-Fi Services from ISP, Hotel, RV Park,Marina.

Cellular ModeConnect to the Internet using a 4G (WiMAX / LTE), 3G USB Modem, and provide a Local Access Point and Ethernet Connection. e.g. Traveler, Remote Area.

Wired ModeConnect to the Internet via an Ethernet cable (and backup by Cellular), through a DSL/Cable Modem, or Router, and provide a Local Access Point. e.g. Home, Hotel


Peplink 181

Wi-Fi ModeWi-Fi Mode makes it easy to share Wi-Fi service provided by hotels,restaurants, marinas, RV parks, and more. Once connected to Wi-Fi, yourSurf can serve as a local access point for an unlimited number of devices.You can also connect printers, game consoles, and other wired devices tothe Surf using its Ethernet port.


Peplink 182

WiFi Mode Configuration Steps1) Connect to the Web Admin Interface. Click Wi-Fi, and then Settings.

2) In the Wireless Settings section, change Wireless Network Name (SSID) from thedefault value of MySSID to the SSID specified by your wireless Internet serviceprovider. Otherwise, you may change this field to a blank value, and then select anSSID from the resulting list, which also includes corresponding encryption types andsignal strengths. With the MAC Clone function, you can use the Ethernet clientMAC address as Surf's WAN MAC address.

3) From the Authentication drop-down menu, select the authentication type requiredby your Wi-Fi Internet service provider. Then, if applicable, enter the Encryption Keyvalue provided by your ISP.

4) In the AP Settings section, select Configure Manually. In the AP SSID field, enterthe network name used to identify the home Wi-Fi network. The default AP SSIDvalue is PEPWAVE_####, change to “MY-MOTG”.

5) From the Authentication drop-down menu, select WPA/WPA2-Personal. In theEncryption Key field, enter an authentication password of at least 8 characters, eg.“motgwlan”. To store your settings, click the Save button that appears on the lowerright.

6) Navigate to the Dashboard page, which displays connection details and signalstrength level.


Peplink 183

7) Upon successful connection, all of the LEDs on the Surf should be lit as follows:• PWR – Solid Green• RDY– Yellow• ENET– Solid Green• Wi-Fi – Displays a varying number of lit signal bars depending on the strength

of the received signal

If there is any open WiFi Hotspot available, you can configure the Surf OTG to enable theConnect to Any Open Mode AP feature, which it will connect to these Hotspotautomatically.When needed, you can use the Ethernet client MAC address as Surf's WAN MACaddress by enabling the "MAC Clone" under Wi-Fi WAN Settings.

Testing Client Access1) At your notebook, try to connect to MY-MOTG SSID that broadcast from Surf OTG. It

should be WPA/WPA2 security, the key is “motgwlan”.2) Same time, to verify the Surf OTG Ethernet port is on LAN mode, plug connect UTP

cable from notebook to switch.3) Once connected, open the command prompt, use ipconfig to check your notebook IP

addresses obtain IP on both Wireless and Ethernet adapters.





Peplink 184

Cellular ModeThis mode allows you to connect your Surf to a 3G or 4G(WiMAX/LTE)USB modem and share the connection with all your devices wirelesslyand/or using the Surf’s Ethernet port. Cellular Mode is an ideal choice fortravelersor those living/working in remote areas without broadband service.


Peplink 185

Cellular Mode Configuration Steps

1) Connect to the Web Admin Interface. Click Cellular, and then Settings.

2) Click Cellular Settings on the left. In general, selecting Auto Operator Settings issufficient to connect to the Internet. If not, select Custom Operator Settings tomanually enter settings specified by your cellular service provider (typically APN andDial Number). When nished, click Save on the lower right.

3) Refer to previous example for WLAN AP settings, SSID is “MY-MOTG” andWPA/WPA2 key is “motgwlan”.

4) Navigate to the Dashboard page, which displays connection details and signalstrength

5) Upon successful connection, all of the LEDs on the Surf should be lit as follows:• PWR – Solid Green• RDY– Yellow• ENET– Solid Green• Wi-Fi – Displays a varying number of lit signal bars depending on the

strength of the received signal


Peplink 186


should be WPA/WPA2 security, the key is “motgwlan”.2) Same time, to verify the Surf OTG Ethernet port is on LAN mode, plug connect UTP

cable from notebook to switch.3) Once connected, open the command prompt, use ipconfig to check your notebook IP

addresses obtain IP on both Wireless and Ethernet adapters.





Peplink 187

Wired ModeWired Mode lets you connect the Surf to a DSL/cable modem or router. You can also connect the Surf to a multi-port switch for use with multiple wired and wireless devices.


Peplink 188

Wired Mode Configuration Steps

1) Connect one end of an Ethernet cable to the Surf On-The-Go and the other end toyour Internet source.

2) Refer to previous example for WLAN AP settings, SSID is “MY-MOTG” andWPA/WPA2 key is “motgwlan”.

3) Connect to the Web Admin Interface. Click Wired, and then Settings.

4) In the WAN IP Settings section, select a method the Surf will use to obtain IPaddress:

• Congure Manually - After selecting this option, manually enter a static IPaddress.

• Obtain an IP Address using DHCP - Obtain an IP address automatically.• Obtain an IP Address using PPPOE – Connect to Internet service using

PPPoE.

5) Navigate to the Dashboard page, which displays connection details and signalstrength level.

6) Upon successful connection, all of the LEDs on the Surf should be lit as follows:• PWR – Solid Green• RDY– Yellow• ENET– Solid Green• Wi-Fi – Displays a varying number of lit signal bars depending on the strength


Peplink 189

of the received signal


should be WPA/WPA2 security, the key is “motgwlan”.2) Since the Surf OTG operating in Wired Mode, the Ethernet port has become WAN

interface, thus no DHCP Server service available through this interface.3) Once connected, open the command prompt, use ipconfig to check your notebook IP

addresses obtain IP on Wireless adapters.





Peplink 190

WAN Connection FailoverThe Surf OTG provides WAN failover if it’s running in WiFi and WiredMode, with Cellular as the standby WAN link. This feature adds WANreliability that would normally be available only in enterprise setups.


Peplink 191

WAN Failover Configuration Steps (Wired WAN Mode)1) Connect to the Web Admin Interface. Click Wired, and then Settings.2) Ensure the Wired radio button selected in the WAN Mode.3) At the Fail Over Settings section, click on the Enable radio button to turn the

Cellular WAN as backup link for Wired (or WiFi) WAN Mode.4) Click Save button at the bottom of the page to save and apply the changes.

At the Dashboard, Cellular 1 icon will appear below the Wired WAN,depending on the Cellular settings, if you choose disconnect then it willbe remained disconnected (icon dimmed) when primary WAN link active. Ifyou select remained connected in the Cellular settings, the cellular willestablish connection and remain in hot-standby mode (icon turned green).


Peplink 192

Wired Failed, Cellular WAN Take-over1) Unplug the UTP from Surf OTG Ethernet port2) Notice the Dashboard WAN link status.

Surf OTG detected Wired WAN failed, it will automatically bring up theCellular WAN. As shown in the screen capture, Cellular 1 is active (greenicon) with signal strength status display.


Peplink 193

Testing Client Access After Wired WAN Failover1) At your notebook, try to connect to MY-MOTG SSID that broadcast from Surf OTG. It

should be WPA/WPA2 security, the key is “motgwlan”.2) Once connected, open the command prompt, use ipconfig to check your notebook IP

addresses obtain IP on Wireless adapters.

Ping & Traceroute Tests:1) Ping to Gateway IP: 192.168.20.1 & Google Malaysia “www.google.com.my”

• Passed or Failed2) Traceroute Internet web sites (eg. www.google.com.my)

• Note down the path taken


Peplink 194

Testing Client Access After Wired WAN Service Restored1) Plug back the UTP cable to Surf OTG Ethernet Port.2) Notice the Dashboard WAN link status.

Surf OTG detected Wired WAN restored, it will forward traffic on theEthernet port again, at same time put Cellular WAN in standby mode bydisconnecting from cellular connection.

Ping & Traceroute Tests:1) Ping to Gateway IP: 192.168.20.1 & Google Malaysia “www.google.com.my”

• Passed or Failed2) Traceroute Internet web sites (eg. www.google.com.my)

• Note down the path taken and compare when Wired WAN failed


Peplink 195

Surf OTG Other SettingsThere is other settings available on the Surf OTG, such as Cellular Settings, WiFi WANProfile Settings, PepVPN, Web Administration (turn on login ID and password), PortForwarding, QoS, Firmware upgrade, and System settings.

For further details on these settings, please refer to the relevant firmware user manual.


Peplink 196

Documents

Peplink Certified Engineer Training Program