
Training Materials

Last updated: 26-09-2013


2013 Peplink / Pepwave
All rights reserved. No part of this manual may be reproduced, transcribed, stored in a retrieval system,
translated into any language or computer language or transmitted in any form or by any means, electronic,
mechanical, photocopying, recording or otherwise, without the prior written permission of the copyright
owner.
The copyright owner gives no warranties and makes no representations about the contents of this manual
and specifically disclaims any implied warranties or merchantability or fitness for any purpose.

The copyright owner reserves the right to revise this manual and to make changes from time to time in its
contents without notifying any person of such revisions or changes.

Peplink Balance Series

Enterprise-class Multi-WAN Router

Course Agenda
Module 1: Understanding Multi-WAN and SpeedFusion
Brief description of Peplink/Pepwave's most important technologies
Module 2: Peplink and Pepwave Products Overview
Introduction of Peplink and Pepwave products.
Module 3: Balance and MAX Routers
Exploring different configuration scenarios with Balance and MAX
routers.
Module 4: Wireless Access Point
In-depth configuration guide for Wireless Access Points.
Module 5: Surf Series
Explanation and setup instructions for the Surf Series.

Peplink


In this chapter, we will focus on how SpeedFusion functions, its
distinguishing features/benefits, and its implementation scenarios.


A well-designed VPN provides a business with the following benefits:


- Extended connectivity across multiple geographic locations without using
a leased line
- Improved security for exchanging data
- Ability for remote offices and employees to use business intranet over an
existing Internet connection as if they were directly connected to the
network
- Savings in time and expense for employees to commute if they work
from virtual workplaces
- Improved productivity for remote employees
Examples of VPN usage: accessing resources only available in HQ (file or
print sharing), and some restricted internal applications that require a VPN
to be established.


Peplink's Unbreakable VPN uses multiple WAN connections to keep VPNs up
and running when a connection fails. Powered by our patent-pending
SpeedFusion technology, Unbreakable VPN automatically and seamlessly
moves VPN sessions to standby WAN links when active links drop out. All this is
transparent to users, making all VoIP calls and video streams run flawlessly.
Your business continues, uninterrupted.
SpeedFusion VPN is useful for Public Transport, Video Streaming, Mobile
Command, Branch-to-HQ, and Rural Areas. It is applicable anywhere you need a
reliable VPN connection.


Introducing the World's Easiest VPN

PepVPN is our core VPN engine. It is ideal for establishing a secure tunnel over
any WAN link. On top of all the benefits of IPsec and other conventional VPN
technologies, the PepVPN engine also offers:
- Long-distance Ethernet cable: You can easily build a secure and seamless
Ethernet tunnel over any IP connection (Layer 2 over Layer 3). It virtually
provides a long-distance Ethernet cable over any WAN link.
- Seamless transition: PepVPN and SpeedFusion share the same core VPN
engine, meaning that all your PepVPN and SpeedFusion-enabled devices will
work flawlessly together. It also allows you to easily upgrade a PepVPN endpoint
to SpeedFusion, taking advantage of the added benefits without worrying about
compatibility.
- Works in any dynamic IP environment: PepVPN is fully compatible with any
dynamic IP environment and NAT, allowing you to establish a VPN behind a NAT
gateway or firewall without worrying about static IP addresses.
This technology can be applied to SOHO and Mobile Office: any environment that
requires reliable connectivity without using multiple low-cost Internet links for
business operations via VPN. Even if you have one encrypted peer and another
not encrypted, PepVPN will still create an encrypted tunnel. Because PepVPN is
easy to set up, no technical assistance is needed on-site.


SpeedFusion Hot Failover: Unbreakable VoIP and VPN

SpeedFusion Hot Failover is a premium add-on that manages multiple redundant
connections to keep VPNs and VoIP deployments up and running at all times.
- Easy setup: Just add connections; you can even mix wired and wireless
technologies.
- Unbreakable VoIP and VPN: With other VPN technologies, WAN failover
terminates existing VPN connections, creating costly downtime. SpeedFusion Hot
Failover prevents this by maintaining secure tunnels over all available WAN links.
In case of a WAN failure, SpeedFusion Hot Failover will instantly and seamlessly
switch traffic to another available tunnel. This creates unbreakable VPNs and
VoIP sessions.
For scenarios that require uninterruptible connections (like Mobile Command,
POS, ATM, and VoIP deployments), SpeedFusion Hot Failover provides an
always-on VPN link that helps these applications run smoothly. A
make-before-break mechanism is built into SpeedFusion Hot Failover VPN. This
provides a transparent switch-over: if there is any link failover or link recovery,
the user will not notice any interruptions. This cannot be accomplished with any
other VPN solution in the market.


SpeedFusion Bonding: Packet-Level Bandwidth Bonding

Working hand-in-hand with Hot Failover and PepVPN, SpeedFusion Bonding
builds a fat tunnel using all your connections, giving you blazing throughput
whenever you need it.
- Multi-WAN bandwidth bonding: SpeedFusion Bonding combines multiple links
from multiple providers into a single, superfast tunnel.
- VPN Bonding: SpeedFusion Bonding can create high-speed VPNs by bonding
multiple WAN links together.
- Unbreakable Session Hot Failover: SpeedFusion Bonding monitors
connections and automatically turns control over to Hot Failover when links
become unstable.
- Packet Level Bandwidth bonding: The packets of your session are distributed
across all your available links.
- Layer 2 Tunneling: SpeedFusion operates on Layer 2, bonding your available
links at the data link layer.
- Easy, on-demand scalability: Need more speed for mission-critical VPNs? How
about temporary bandwidth for a specific project? With SpeedFusion Bonding,
you can plug in connections from any provider and get more speed, whenever
you need it.
- Instant Bandwidth Control: You can unplug connections at any time,
keeping your costs under control.
HQ-to-Branch, in-the-field news video streaming, high-speed public transport
(e.g. trains): all of these applications need high bandwidth and reliable links to push
high volumes of data back to their HQ/Media Center/Control Center for
processing. SpeedFusion Bonding is able to combine multiple Internet lines into
one big logical pipe to carry the information over.


This table compares the features of IPSec, PepVPN, SpeedFusion Hot Failover
and SpeedFusion Bonding


We will now explore the application of SpeedFusion, with various case studies.
1) MPLS Replacement
2) Branch Network Connection
3) SpeedFusion 3G/4G Bonding
4) Video Transmission in the Air
5) Data Transmission over Water
6) Replace Expensive Satellite Connection
7) Mission Critical Video Surveillance
8) 100% Uptime for First Responders
9) Money Saving on Branch Network Connections
10) Flawless Connections in Remote Areas


Peplink is the leader in Internet load balancing and VPN bonding
solutions. Peplink Balance Multi-WAN Routers have been deployed around
the world, helping thousands of customers increase their bandwidth,
enhance their internet reliability, and reduce their costs. Our complete
product line accommodates businesses of all sizes, providing an
award-winning Internet experience for customers.
Pepwave is the proven market leader in delivering specialized wireless
solutions for industrial networking services, wireless mobility services,
internet service providers, and professional hotspot providers. As an
innovator in wireless technology solutions, Pepwave operates in global
cooperation with distributors, system integrators, ODM partners, and
strategic allies.


Course Agenda
Module 2: Peplink and Pepwave Products Overview
Introduce Peplink and Pepwave product suite.


We offer five major categories of products:


1. Multi WAN Router
2. Cellular Router
3. Enterprise Access Point
4. Carrier Grade Access Point
5. SOHO Router
6. Router Utility

Peplink and Pepwave solutions cover different market segments, ranging
from SOHO, Mobile Office, Small Office, Branch Office, Regional Office,
and HQ-level Data Centers.


Target Market Segments for Balance Products


1) Power User and Home User
- Balance 20 & 30
- 2 to 3 WAN interfaces, with 1 USB for Mobile Internet dongle
- 25 max users recommended

2) Small Business
- Balance 210 & 310
- 2 to 3 WAN interfaces, with 1 USB for Mobile Internet dongle
- 50 max users recommended
- Comes with SpeedFusion Bonding, up to 2 SpeedFusion peers max

3) Mid-Size Business
- Balance 305, 380 & 580
- 19-inch rack-mount form factor
- Up to 500 users max recommended for the 305 & 380, while the 580 can support up to
1,000 users max
- Model 305 (with separate license) & 380 support 20 SF peers max, while the 580
supports 50 SF peers max
- Can act as a WLAN Controller by default, supporting 10 Access Points by default
- Can manage up to 50 (Model 305 & 380) and 100 (Model 580) APs with a separately
purchased license

4) Large Enterprise
- Balance 710 & 1350
- 19-inch rack-mount form factor
- The 710 can support 2,000 users max, while the 1350 can support up to 5,000 users max
- Model 710 supports 300 SF peers max, while the 1350 supports 800 SF peers max
- Can act as a WLAN Controller by default, supporting 20 Access Points by default
- Can manage up to 250 (Model 710) and 500 (Model 1350) APs with a separately
purchased license


A. Internet Load Balancing


By balancing Internet traffic over active links, Peplink Balance gives you extra reliability.
Peplink gives you seven Load Balancing Algorithms to fine-tune your network traffic.
The following types of Outbound Traffic Rules are available:
- Weighted Balance
- Persistence
- Enforced
- Priority
- Overflow
- Least Used
- Lowest Latency

B. Inbound Load Balancing

Inbound Load Balancing distributes inbound data traffic over multiple WAN links to
computers behind Peplink Balance. Peplink Balance 210, 310, 380, 390, 580, 710, and
1350 have a built-in DNS server that enables this functionality.
Authoritative DNS functionality is not available on Peplink Balance 20 and 30.
Inbound Load Balancing is configured via both of the following:
- DNS records configured within Peplink Balance
- External DNS records at an Authoritative DNS Server


Site-to-Site VPN Bonding in Mesh Scenario


- All offices are connected to each other
- Highly reliable network with bonded links and encrypted traffic
- Communication between offices has never been faster
- All offices deployed with Balance 380 model


Site-to-Site VPN Bonding in Star Scenario


- Headquarters serves as the central site
- Bonded VPN for reliable and uninterrupted VPN services
- Fast and convenient way to securely transfer data to the transaction server
- HQ installed with Balance 1350
- Supermarket POS deployed with Balance 380
- ATM in subway station equipped with Balance 210
- Shopping mall POS will need Balance 310
- ATM in branch can be installed with a MAX Mobile Router


For existing Balance customers who wish to implement a WLAN solution, Peplink
can help save significant money and effort. From the model 305, 580 and
onwards, the Balance comes with built-in AP management. This makes deploying
Pepwave APs much easier and more affordable.
In this example, the Balance Multi-WAN router can serve three roles: it is a WAN
load balancer, a Wireless LAN Controller, and when needed, a site-to-site VPN
termination point as well.


Product Market Positioning


1) MAX On-The-Go
Comes with 3 SKUs:
- the lowest SKU connects a single USB modem
- the second SKU allows 4 USB modems with Hot Failover
- the highest SKU allows SpeedFusion Bonding in addition to the 4 USB modems.
- This product is good for mobile offices that reside in rural areas without access to cable
internet

2) MAX BR1
- Rugged metal case is suitable for industrial-grade usage
- Comes with 2 SKUs: 3G WAN and 4G-LTE modems built-in
- Supports a redundant SIM with dual SIM slots, providing failover functionality between
them.*
- Built with a terminal block for reliable power sourcing, and a rugged 10V-32V DC power
supply for deployment in mobile vehicles
- Ideal for mobile command, high-speed public transport, and harsh environment
deployment
- Advanced Car-Fi Roaming + IPsec X.509 Certificate Support (only available for BR1 as
an add-on feature)


3) MAX 700
- Rugged metal case is suitable for industrial-grade usage
- Supports up to 7 WAN links (2 Wired, 4 USB, 1 WiFi)
- Built with a terminal block for reliable power sourcing, and a rugged 10V-32V DC power
supply for deployment in mobile vehicles
- Ideal for in-the-field media streaming and live broadcasting deployments that require
bigger bandwidth

4) MAX HD2
- Rugged metal case is suitable for industrial-grade usage
- Comes in 2 variants: built-in 3G and built-in 4G-LTE modems
- Supports up to 6 WAN links (2 Wired, 2 Cellular, 1 USB, 1 WiFi)
- Built with a terminal block for reliable power sourcing, and a rugged 10V-32V DC power
supply for deployment in mobile vehicles
- Ideal for in-the-field media streaming and live broadcasting deployments that require
bigger bandwidth
- If GPS is enabled, both (or any one) of its SMA antenna ports can be used to locate the
GPS signal and position

5) MAX HD2 IP67
- IP67 waterproof enclosure ideal for outdoor applications
- 2x embedded cellular modems, each with redundant SIM slots, securely installed inside
the unit
- Comes in 2 variants, 3G and 4G-LTE modems built-in, with options of Verizon and
AT&T, AT&T/Telcel/Rogers, and Worldwide carrier
- Uses a 10V-30V DC power supply
- Ideal for machine-to-machine communication, surveillance, military and other
mission-critical outdoor applications; the MAX HD2 IP67 is as comfortable on a
construction site, oil platform, disaster scene, or factory floor as it is on a battlefield

MAX Routers power redundancy

On models that come with dual power sources (DC jack and terminal block), the two inputs
provide input power redundancy. If either power source is interrupted while the other is
active, the MAX router will continue to operate without being affected by the power disruption.
*Please note that redundant SIM does not equal two cellular modems. That is, only one
SIM can be active at any time; you will not be able to get better throughput or load
balancing by filling both SIM slots.


MAX Router Deployment Scenarios


SpeedFusion Bonding (on MAX HD2)
- Deploy multiple low-cost 3G connections
- Save money, enjoy higher bandwidth, avoid dead spots
- Seamless failover ensures reliable video stream from mobile sites to HQ

Hot Failover (MAX BR1 or HD2)
- Everywhere LTE
- Ensures optimal performance by choosing the carrier with the best signal
- Saves money by using only one carrier at a time
- Hot failover ensures flawless video stream from mobile sites to HQ

GPS Fleet Tracking (MAX BR1 or HD2)
- Homeland security
- Monitor and coordinate fleet vehicles wherever they may be
- Hot failover ensures flawless video stream from mobile sites to HQ


Features At A Glance

Network
- Bridge Mode, Router (NAT) Mode, Wireless Distribution System (WDS), Support for
PPPoE, Static IP, DHCP, Management VLAN (802.1p), Spanning Tree Protocol (802.1d)
- Support up to 16 Wireless Network SSIDs configured, and it can broadcast up to 4
SSIDs concurrently

Client Management
Per SSID
VLAN with QoS (802.1p/802.1q), Bandwidth Control, MAC Address Filtering, Layer 2
Client Isolation, Limit on Max. Number of Client
Per Client
VLAN with RADIUS, VLAN with VLAN Pool, Bandwidth Control, Multicast Filter, IGMP
Snooping/Multicast Enhancement

AP Security
Open, WEP, 802.1x with Dynamic WEP, WPA-PSK/RADIUS, WPA2-PSK/RADIUS

Complete VPN Solution


PepVPN, Site-to-Site VPN, 256-bit AES Encryption, Pre-shared Key Authentication,
Dynamic Routing


Captive Portal
Device Management
Web Administrative Interface, InControl Cloud Management, Peplink Balance WLAN
Controller, SNMP v1, v2c and v3


Pepwave AP One access points offer fast, affordable, and dependable wireless
networking without administration headaches. Ready for anything and built to go
anywhere, AP One access points deliver enterprise-grade Wi-Fi that drops in
quickly and immediately gets to work -- so you can get back to your work.
Minimize Wi-Fi management hassles with the AP One series and the Peplink
Balance with WLAN Controller. Fully integrated with the Peplink Balance, our
WLAN Controller makes it easy to configure, manage, update, and report on up
to 500 AP One devices from a single intuitive interface. Prefer the flexibility of
cloud-based administration? Our InControl remote management system gives
you complete control over every device on your network and in-depth reporting
with just a few clicks, all from a simple, yet powerful, web-based tool that's
available anywhere you have online access and a supported browser.


Here are four different deployment scenarios for the AP One wireless solution.
- Professional Hotspots: coupled with the Balance WLAN Controller (or InControl
cloud management) feature, the AP One and AP One X can be deployed
effectively as a professional hotspot solution. No expensive controllers required.
- Wireless Mobility: Pepwave wireless solutions make wireless applications in
high-speed environments a budget-friendly reality.
- Service Provider Wi-Fi: the AP One can help you deploy a carrier-grade
wireless solution; install many for citywide Wi-Fi CPEs. The range of these
devices leads the industry.
- Industrial Networking: the AP One series allows IP devices to stay connected
wirelessly over long distances. It provides reliable wireless for data devices.


Highlights of Flex AP Features

- World's First AP with Software Selectable, Embedded Directional and
Omni Antennas
- Power up to two Devices from a Single Source
- Central Management, Anytime, Anywhere
- Reliability in Extreme Environments
- Connect Worldwide without External Modems


Flex AP Operating Mode and Antenna


- Flex AP can operate in Routing or Bridge mode
- Flex AP has a built-in 2x2 MIMO 802.11n, switchable omni- or uni-directional
WiFi antenna
- The 3G and Dual 3G models come with a cellular antenna; LTE models need
2 antennas to operate
- The Dual 3G model can operate up to 4 antennas simultaneously, to allow
maximum signal coverage and bandwidth


The Pepwave Surf SOHO is a professional-grade Wi-Fi router designed for home
office, small business, and power users. With its support for 4G LTE/3G, cable,
DSL, and other broadband connections, the Surf SOHO makes it possible to
deploy fast and secure 802.11abgn Wi-Fi hotspots anywhere.
The Surf SOHO also features a built-in long-range antenna, optional external
antennas, business-class VPN, cellular usage monitoring, and URL blocking. This
makes it an ideal networking solution for a wide range of mobile and office uses.


Unlimited Wi-Fi. Anytime, Anywhere Connectivity for Every Device.


Pepwave Surf combines enterprise-level performance and features with outstanding
durability and versatility. The Surf Pro, our carrier-grade outdoor client solution, is
ruggedized and features a high-gain, extended-range antenna, making it ideal for video
surveillance, traffic signal control, meter reading, and other outdoor applications.
For indoor wired/wireless connectivity, there's our Surf On-The-Go, the ultimate travel
router. The Surf On-The-Go's Wi-Fi radio lets you connect an unlimited number of
wireless devices at once. Built-in Ethernet port ensures that no printer, scanner, or other
wired device gets left behind, and multiple connection profiles make device management
a snap.

4 Operating Modes
- 4G/3G USB Wi-Fi Router
- Cable / DSL / Ethernet Wi-Fi Router
- Wi-Fi Repeater
- Wi-Fi Adapter for Wired Devices

3 WAN Modes
- WiFi WAN
- USB Cellular WAN
- Wired WAN


True Enterprise AP. Powerful, Affordable, Elegantly Simple.


Pepwave AP One access points set up quickly and deliver fast, affordable, and reliable
enterprise networking without administration headaches. TruePower RF Technology
eliminates dead spots and provides wider signal coverage with less equipment and
maintenance. Secure Captive Portals reinforce your brand and ensure the best possible
online experience for employees and visitors alike.
Management is easy, too: just add a Peplink Balance router and use the Balance's
integrated WLAN Controller to manage up to 500 indoor (AP One/AP One 300M) and
outdoor (AP One X) access points from a single intuitive interface. With this powerful
combo, you get instant access to all devices across your headquarters, district offices,
and branches.

Industrial-Grade Reliability. Unmatched Peace-of-Mind.


No matter what your industry, Pepwave offers a durable, rock-solid networking solution
to help you get the job done. Ruggedized and certified for harsh environments, the MAX
series handles temperatures of -40 to 65°C and resists shock and vibration on factory
floors, remote job sites, and anywhere you need tough, ready-for-anything connectivity.
Add the compact and capable outdoor Flex AP to stay connected at all times with built-in
high-gain Wi-Fi antenna, embedded 3G/4G LTE, and dual Ethernet ports. Stepping up to
the AP Pro offers enhanced signal coverage, extreme environment tolerance, and
lightning/surge protection.


Complete WAN, VPN and Wireless Integration


This deployment scenario illustrates how Peplink MAX routers, AP One and Flex AP work
together to enable wired and wireless connectivity in a reliable and cost-effective way.
Adding the Balance will also provide robust and high-bandwidth VPN connectivity to the
wireless mobility devices. In addition, the AP One access point can be managed centrally
either through the WLAN Controller built into the Balance, or the InControl cloud
management tool.


Router Utility - Peplink Mobile Application


The RU (Router Utility) helps to monitor and control all your Balance and MAX routers*
from any iOS or Android device. Ready when you are, wherever you are, the Router
Utility app gives you instant insight into device status, events, bandwidth usage, and
more. With full support for push notifications, you'll know immediately whenever there's
an important status change or performance issue, helping you to keep small glitches
from becoming major problems.

Keep Traffic Moving with Anywhere, Anytime Green Light Checks.
Check the status of all your Balance and MAX routers with the Router Utility's dashboard
and traffic light indicators. With just a quick glance, you get the peace of mind of knowing
that your network's healthy. And if there is a problem, it's easy to drill down and inspect
SpeedFusion VPN parameters, bandwidth statistics, CPU load, and more from any iOS
or Android device.

Monitor and Control from the Palm of Your Hand.
- Check Device Status - Monitor WAN Status, External IP Addresses, and SpeedFusion
VPN Links.
- Inspect Event Logs - Keep an eye on router event logs using any iOS or Android
device.
- View Bandwidth Statistics - Get up-to-the-minute insight on bandwidth usage and
throughput across your WAN.

Maximum Mobile Control at Your Fingertips.
Our Router Utility gives you new ways to monitor and control your MAX mobile router
anywhere you can use your device.
- See How You're Connected - Just check the Router Utility's dashboard on your device
to instantly see which SIM and cellular provider your MAX mobile router is using.
- Adjust Connection Priorities on the Fly - Simply tap and swipe to connect your MAX
to a Wi-Fi hotspot or change 4G LTE/3G connection priorities.
- Automatic Cellular WAN Status and SpeedFusion Alerts - Keep tabs on cellular WAN
and SpeedFusion status with push notifications on your iOS or Android device.


This module will examine different real life deployment scenarios, and
describe how to configure the routers to achieve the desired result.


Course Agenda
Module 3: Peplink Balance and MAX Routers Configurations
Study how Balance and MAX routers are implemented in the various deployment scenarios,
and explain the steps to configure these routers.


Physical hardware layout and control panel for the Balance high-end models.
Below are some of the frequently used functions in the Control Panel navigation
(based on the Balance 380 model):
HA State: Master/Slave
> LAN IP
> VIP
System Status
> System
-> Firmware ver. (shows firmware version)
-> Serial number (shows serial number)
-> CPU load (shows current CPU loading, 0-100%)
-> LAN
---> Status (shows LAN port physical status)
---> IP address (shows LAN IP address)
---> Subnet mask (shows LAN subnet mask)
> Link status (shows Connected/Disconnected, IP address list)
-> WAN1
-> WAN2
-> WAN3
> Link usage
-> Throughput in (shows transfer rate in Kbps)
---> WAN1
---> WAN2
---> WAN3
-> Throughput out (shows transfer rate in Kbps)
---> WAN1
---> WAN2
---> WAN3
Maintenance
> Reboot > Reboot? (Yes/No) (to reboot the unit)
> Reset Admin Password? (Yes/No)
> Factory default > Factory default? (Yes/No) (to restore factory defaults)
> Remote Assistance
NOTE:
For models below the 310, there is no feature to reset the admin password through the
Control Panel; it is only available for models from the 310 and above.


Out of the box, the Peplink Balance comes with the default settings below:
IP: 192.168.1.1/24
Username: admin
Password: admin
LAN DHCP: Enabled
DHCP IP Range: 192.168.1.10 - 192.168.1.250

In the diagram above, the switch is optional for connecting to the Peplink Balance.
You can plug the UTP cable directly from the PC/Notebook into the Balance LAN
port for the same purpose.


After entering the parameters correctly, you will be able to log in to the Web
Admin page.
The Dashboard provides an overview of several key parameters:
- WAN interfaces connectivity status
- LAN interface connectivity status
- System Uptime
- System CPU Load, in %
- Device Throughput, in Mbps


In the Status page, there are a few items to take note of:
- Router Name
- Model
- Hardware Revision
- Serial Number
- Firmware

Diagnostic Report Download
You can download a copy of the diagnostic report for your reference on the status page.

Bandwidth Statistic Display
In the status page, you can view the following information:
- Bandwidth usage, showing who consumed the most traffic
- Top user running the most sessions
- Which user is running active BitTorrent traffic
- Who is currently consuming the most bandwidth on each individual WAN


Understanding Peplink Site-to-Site VPN


The proprietary Site-to-Site VPN of Peplink Balance (a.k.a. VPN Bonding) is specifically
designed for a multi-WAN environment. The Peplink Balance can aggregate the
bandwidth of all WAN connections available for routing VPN traffic. Unless all the WAN
connections of one site are down, the Peplink Balance can still keep the VPN up and
running.
- Peplink Site-to-Site VPN encrypts traffic with the military-grade 256-bit AES algorithm.
- Site-to-Site VPN is available with the Peplink Balance 210, 310, 380, 580, 710, and
1350.
- The Peplink Balance 380/580/710/1350 supports multiple Site-to-Site VPN connections
among twenty or more locations, and is designed for Headquarters/Regional Offices.
- The Peplink Balance 210/310 supports two Site-to-Site VPN connections; ideal for
Branch Offices.
- Site-to-Site VPN connections can be established for all Dynamic IP/Static IP scenarios.
Please refer to the Requirement section for more information.
Being able to establish multiple VPN connections provides variety and flexibility in
deploying your network. You may choose to create a network in a Mesh or Star topology,
or you may even combine the two setups to create a more complex network.


System Requirement for Site-to-Site VPN Configuration


When configuring a VPN connection, there are two aspects to consider:
- Whether the WAN connection has a Dynamic IP or a Static IP.
- Whether the Peplink Balance unit has a Public IP or is behind NAT.
This creates four possible WAN types that can be used to establish the VPN connection.
The Peplink Balance supports all four types. However, to establish a VPN connection over
a Dynamic IP WAN connection, you have to configure at least one Dynamic DNS.
- WAN has a Dynamic IP and the Peplink Balance has a Public IP.
- WAN has a Static IP and the Peplink Balance has a Public IP.
- WAN has a Dynamic IP and the Peplink Balance is behind NAT.
- WAN has a Static IP and the Peplink Balance is behind NAT.
The table above illustrates the system requirements for configuring a Peplink Site-to-Site
VPN connection.
For users who have placed a firewall in front of the Balance:
In Firmware 5.1.x, the Peplink proprietary Site-to-Site VPN used TCP port 32015, IP
Protocol 47 and IP Protocol 99 for establishing VPN connections. If you have a firewall in
front of the Peplink Balance devices, you will need to add firewall rules for these ports
and protocols so that inbound and outbound VPN traffic can pass through the firewall.
Also note that if both sides of the SpeedFusion VPN have the same LAN subnet, the
SpeedFusion tunnel cannot be established, just as with any other third-party VPN
technology.

SpeedFusion Configuration Guidelines


When configuring a SpeedFusion VPN connection, there are a few items to be aware of:
LAN Subnet - Avoid having the same LAN subnet on either end of the SpeedFusion
tunnel, as this will prevent the tunnel from establishing a successful connection. Try to
change the LAN subnet on either side to a different IP address range. Putting a NAT
device in place can be considered as well.
WAN Connection Priority - You can specify the priority of the WAN connections to
be used in making VPN bonding connections. A WAN connection will never be used
when OFF is selected. Only available WAN connections with the highest priority will
be utilized. Grouping WAN connections with similar characteristics, such as latency and
packet loss, into the same priority can help bonding performance.
SpeedFusion Bonding Efficiency - To establish a reliable SpeedFusion Bonding
VPN, a few parameters need to be considered: good cellular signal strength,
low-latency WAN links, low packet loss, and low buffer bloat at the ISP will help to build
an effective bonding VPN tunnel.
Cellular Bandwidth Availability - It is always good to subscribe to two different
ISPs/carriers when you want to establish SpeedFusion 3G/4G Bonding with a MAX
router. For example, when all modems connect to the same cell (RF tower), the total
bandwidth is limited by the cell tower backhaul's bandwidth. If the modems connect to
different cells (RF towers) from different carriers, this can theoretically provide
double the bandwidth compared to one ISP.
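The LAN subnet rule from the guidelines above can be checked before any VPN profile is created. The following Python check is an added example, not Peplink code; the site names and the Remote-B/Remote-C subnets are constructed. It is stricter than the text: it also flags partial overlaps and conflicts between any two sites, not only identical subnets at the two ends of one tunnel.

```python
import ipaddress
from itertools import combinations

# Constructed site inventory (assumption): site name -> LAN subnets behind it.
# 10.0.0.0/8, 192.168.0.0/24 and 192.168.125.0/24 are the ranges used in the
# examples of this manual; Remote-B and Remote-C are made up for the check.
SITES = {
    "HQ": ["10.0.0.0/8", "192.168.125.0/24"],
    "Remote-A": ["192.168.0.0/24"],
    "Remote-B": ["192.168.0.0/24"],   # same subnet as Remote-A
    "Remote-C": ["10.20.30.0/24"],    # sits inside HQ's 10.0.0.0/8
}


def parse_sites(sites):
    """Parse every subnet; strict=True rejects typos such as 192.168.0.1/24."""
    parsed = {}
    for name, subnets in sites.items():
        try:
            parsed[name] = [ipaddress.ip_network(s, strict=True) for s in subnets]
        except ValueError as exc:
            raise ValueError(f"site {name}: {exc}") from exc
    return parsed


def find_conflicts(sites):
    """Return (site_a, net_a, site_b, net_b, kind) for every pair of subnets
    at two different sites that are identical or overlap."""
    parsed = parse_sites(sites)
    conflicts = []
    for (site_a, nets_a), (site_b, nets_b) in combinations(sorted(parsed.items()), 2):
        for net_a in nets_a:
            for net_b in nets_b:
                if net_a.version != net_b.version:
                    continue  # IPv4 and IPv6 ranges cannot overlap
                if net_a == net_b:
                    kind = "identical"
                elif net_a.overlaps(net_b):
                    kind = "overlap"
                else:
                    continue
                conflicts.append((site_a, str(net_a), site_b, str(net_b), kind))
    return conflicts


if __name__ == "__main__":
    for site_a, net_a, site_b, net_b, kind in find_conflicts(SITES):
        print(f"{kind}: {site_a} {net_a} <-> {site_b} {net_b}")
```

An empty result means no two sites share address space; any reported pair needs one side renumbered (or NAT in place) before the tunnel is configured.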

With our new three-tier structure, it's never been easier to migrate to
SpeedFusion. Once you use it, you will see why customers around the
world have replaced IPsec and other conventional VPN technologies.
Note:
With other VPN technologies, WAN failover terminates existing VPN
connections, creating costly downtime. SpeedFusion Hot Failover is
completely automatic and invisible, so you won't miss a beat when
switching between connections.

Possibly the World's Easiest VPN.

PepVPN is our core VPN engine. It is ideal for establishing a secure tunnel
over any WAN link. On top of all the benefits of IPsec and other
conventional VPN technologies, the PepVPN engine also offers:
Long-distance Ethernet cable - With PepVPN, you can build a secure and
seamless Ethernet tunnel over any IP connection (Layer 2 over Layer 3). It
virtually provides a long-distance Ethernet cable over any WAN link.
Seamless transition - PepVPN and SpeedFusion share the same core
VPN engine. This means all your PepVPN and SpeedFusion devices will work
flawlessly together. It also allows you to easily upgrade a PepVPN endpoint
to SpeedFusion, taking advantage of the added benefits without having to
worry about compatibility.
Works in any dynamic IP environment - PepVPN is fully compatible
with any dynamic IP environment and NAT, allowing you to establish a
VPN behind a NAT gateway or firewall without worrying about static IP
addresses.
Requirement:
The portrayed scenario shows a typical remote-to-HQ VPN connection, where
SpeedFusion PepVPN allows site-to-site VPN connections with auto-failover capability.
WiFi WAN is the primary link for the VPN. When WiFi WAN goes down, WAN 5 (Wired WAN)
takes over the VPN connection automatically. The change is transparent to users.

To create a SpeedFusion VPN tunnel, follow the steps below:
1) Go to Network > SpeedFusion. If this is the first time a SpeedFusion VPN is being
created, a SpeedFusion window appears and asks for the Local ID.
2) Enter a Local ID. The remote VPN peer will use this ID to identify this unit during VPN
establishment.
3) Click the Save button, then click the New Profile button to proceed.
The above steps apply to both the remote and HQ Balance router configurations.

Shown above are the VPN profiles at both the HQ and Remote sites.

HQ VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name. This name should
be the same on both sides, e.g. MY-MOTG.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite side.
3) At the WAN Connection Priority window, choose the WAN links that should be
included in the SpeedFusion VPN tunnel. In this case WAN 1 & 2 are bonded together.
4) Save and apply the changes.

Remote Site VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name. This name should
be the same on both sides, e.g. MY-MOTG.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite side.
3) For the remote site, you need to enter at least one Public IP (or DNS/DDNS) of the HQ
router WAN link. If HQ has multiple WAN links with static Public IPs, you can key in all
the IPs.
4) Choose the WAN links that should be included in the PepVPN tunnel. Since this is
PepVPN, it only supports normal failover. WiFi WAN is set to Priority 1, while
WAN 5 is Priority 2.
5) Save and apply the changes.
Note:
It is important to enter the Remote ID correctly (either the router ID or the Serial Number),
otherwise the SpeedFusion tunnel cannot be established. Error messages similar to
"Refused connection made from unknown peer (foobar)" or
"Refused connection made from unknown peer (XXXX-1234-ABCD)" indicate that a
wrong ID/Serial No. was entered at one or both routers.
If Encryption is accidentally turned off on one of the routers, the VPN tunnel will still be
encrypted in both directions, as the other router will trigger encryption to be turned on at
both ends.

Once the VPN profile has been created on both sides, and if the WAN links are
up, the routers will automatically initiate the VPN connection. If all the parameters
are correct, it will take only a few minutes.
As shown in the screenshots, at the Dashboard page, the status of the VPN
connection will change to Established, indicating a successful VPN connection.

To verify which links are participating in the VPN connection, you can click on the
Status button in the SpeedFusion or PepVPN section as shown in the screen
capture.
It also lists the network(s) learned from the other side via the built-in routing
protocol. HQ will see the 192.168.0.0/24 network from the Remote router, and
Remote will learn the 10.0.0.0/8 network from the HQ side.
In our screencaps, the HQ side router is using WAN 1 for the VPN connection,
while the remote site is using WiFi WAN as the VPN link.

To ensure the end-to-end connectivity is up, a PING test to the other side host
(LAN IP) should receive a response as shown above.
Ping Test:
1) HQ side ping to Remote LAN IP: 192.168.0.11
Passed or Failed
2) Remote side ping to HQ LAN IP: 10.0.0.10
Passed or Failed

With PepVPN, the failover process is carried out automatically.


Failover Test:
1) Unplug WAN 1 at HQ, and/or
2) Disconnect the WiFi WAN at Remote
3) Observe the changes to the routers

Failover Test Result:


1) HQ side WAN 2 will take over, maintaining the VPN connectivity
2) Remote site WAN 5 will resume the VPN link

Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
Passed or Failed

SpeedFusion Hot Failover - Unbreakable VoIP and VPN.

SpeedFusion Hot Failover is a premium add-on that manages multiple redundant
connections to keep VPNs and VoIP deployments up and running at all times.
Easy setup - Just add connections; you can even mix wired and wireless links of
different WAN technologies.
Unbreakable VoIP and VPN - With other VPN technologies, WAN failover
terminates existing VPN connections, creating costly downtime. SpeedFusion Hot
Failover prevents this by maintaining secure tunnels over all available WAN links.
In case of a WAN failure, SpeedFusion Hot Failover will instantly and seamlessly
switch traffic to another available tunnel. This provides unbreakable VPNs and
VoIP sessions.
Requirement:
A customer with branch-to-HQ connections often runs delay-sensitive applications like
VoIP, so it needs fast-failover VPN connectivity to ensure that VoIP sessions are not
interrupted if any of the WAN links breaks. The following setup will fulfill this requirement:
- A MAX BR1 installed at branch level with Wired and WiFi WAN,
- A Balance 380 deployed in HQ with 2 wired WAN links (e.g. Metro-e) with a static Public IP
assigned to each WAN link.

The user interface is the same across the MAX router series. Assuming we keep
the same HQ setup as in the previous example, the VPN profile creation process is the
same except that the name is changed to MY-MaxBR1. Here are the steps for creating a
VPN profile on the MAX BR1.
At the MAX BR1 router, go to Advanced > SpeedFusion to create the VPN
profile.
VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name. This name
should be the same on both sides, e.g. MY-MaxBR1.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the
opposite side.
3) For the remote site, you need to enter at least one Public IP (or DNS/DDNS) of the
HQ router WAN link. If HQ has multiple WAN links with static Public IPs, you
can key in all the IPs.
4) The MAX BR1 WAN link supports Hot Failover, so the SpeedFusion VPN will
follow the state of the WAN links in order to maintain the VPN link (e.g. if WAN
1 is active and WAN 2 is on standby, the SpeedFusion VPN will use WAN 1 as the
primary link to forward VPN traffic, while keeping WAN 2 in hot standby mode).
5) Save and apply the changes.

Once the VPN profile is created on both sides, and if the WAN links are up, the
routers will start negotiating the VPN connection. If all the parameters are correct, the
VPN will come up in minutes.
As shown in the screenshots, on the Dashboard page, the status of the VPN
connection will change to Established, indicating a successful VPN connection.
Failover Test:
1) Before starting the test, at the Remote site, launch the command prompt window and
conduct a continuous ping to HQ LAN IP (10.0.0.10)
2) Unplug WAN 1 at Remote (MAX BR1)
3) Observe the changes at the routers

Failover Test Result:


1) Remote site WiFi WAN will resume the VPN link
2) Any timeout during failover? Yes or No

Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
Passed or Failed

The SpeedFusion Hot Failover recovery process should have no timeout.


Recovery Test:
1) Before starting the test, at the Remote site, launch the command prompt window and
conduct a continuous ping to HQ LAN IP (10.0.0.10)
2) Plug back the WAN 1 at Remote (MAX BR1)
3) Observe the changes at the routers

Recovery Test Result:


1) WAN 1 will resume the VPN link
2) Any timeout during failover? Yes or No

Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
Passed or Failed
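The "Any timeout during failover?" question in the failover and recovery tests above can be answered from a saved copy of the continuous ping output. This Python helper is an added example, not part of the original training material; both transcripts are constructed, and it assumes the English-language output format of the Windows ping command.

```python
import re

# Assumed input: English-language output of the Windows "ping -t" command.
REPLY = re.compile(r"^Reply from (\S+): bytes=\d+ time[=<](\d+)ms TTL=\d+$")
LOSS_MARKERS = ("Request timed out", "unreachable", "General failure")

# Constructed transcripts (not captured from a real router).
LOG_WITH_TIMEOUTS = """\
Pinging 10.0.0.10 with 32 bytes of data:
Reply from 10.0.0.10: bytes=32 time=42ms TTL=63
Reply from 10.0.0.10: bytes=32 time=45ms TTL=63
Request timed out.
Request timed out.
Reply from 10.0.0.10: bytes=32 time=88ms TTL=63
Reply from 10.0.0.10: bytes=32 time=91ms TTL=63
"""
LOG_WITHOUT_TIMEOUTS = """\
Pinging 10.0.0.10 with 32 bytes of data:
Reply from 10.0.0.10: bytes=32 time=42ms TTL=63
Reply from 10.0.0.10: bytes=32 time=44ms TTL=63
Reply from 10.0.0.10: bytes=32 time=90ms TTL=63
Reply from 10.0.0.10: bytes=32 time=87ms TTL=63
"""


def analyse_ping(log, target):
    """Summarise a continuous ping run against `target` (the HQ LAN IP)."""
    probes = []   # True = answered by the target, False = probe lost
    rtts = []
    for line in log.splitlines():
        line = line.strip()
        match = REPLY.match(line)
        if match and match.group(1) == target:
            probes.append(True)
            rtts.append(int(match.group(2)))
        elif any(marker in line for marker in LOSS_MARKERS):
            # Covers "Request timed out." and replies from an intermediate
            # hop such as "Reply from x.x.x.x: Destination host unreachable."
            probes.append(False)
    longest = run = 0
    for answered in probes:
        run = 0 if answered else run + 1
        longest = max(longest, run)
    lost = probes.count(False)
    return {
        "probes": len(probes),
        "lost": lost,
        "longest_loss_run": longest,   # consecutive lost probes
        "timeout": "Yes" if lost else "No",
        "rtt_min_ms": min(rtts) if rtts else None,
        "rtt_max_ms": max(rtts) if rtts else None,
    }


if __name__ == "__main__":
    for name, log in (("with timeouts", LOG_WITH_TIMEOUTS),
                      ("without timeouts", LOG_WITHOUT_TIMEOUTS)):
        print(name, analyse_ping(log, "10.0.0.10"))
```

A jump in round-trip time with no lost probes, as in the second transcript, is what a link change without a timeout looks like from the client side.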

To monitor the SpeedFusion Hot Failover and recovery process, you can view the
SpeedFusion Status window.
1) Go to the Dashboard and click on the Status button in the SpeedFusion section
2) Click on the blue triangle beside MY-MaxBR1 to expand the statistics
3) Monitor the changes in the WAN status during the failover and fallback

SpeedFusion Bonding - Packet-Level Bandwidth Bonding.

Working hand-in-hand with Hot Failover and PepVPN, SpeedFusion Bonding
teams up all your connections to give you blazing throughput whenever you need
it.
Multi-provider bandwidth bonding - SpeedFusion Bonding combines multiple
links from multiple providers into a single, superfast tunnel.
Automatic Hot Failover handoff - SpeedFusion Bonding monitors connections
and automatically turns control over to Hot Failover when links become unstable.
Easy, on-demand scalability - Need more speed for mission-critical VPNs?
How about temporary bandwidth for a specific project? With SpeedFusion
Bonding, you can plug in connections from any provider and get more
bandwidth instantly. And you can unplug connections at any time, keeping your
connectivity costs under control.
Requirement
SpeedFusion VPN Bonding technology is particularly useful for customers with a higher
volume of VPN traffic between sites. It ensures that the VPN links are aggregated into a
bigger pipe while providing reliability at the same time.
In this example, we will install a Balance 310 at the branch level, while HQ keeps
its Balance 380. We also configure the Balance 310 in Drop-In mode, assuming the
branch has an existing infrastructure setup.

We take the same HQ setup as in the previous example. The VPN profile creation process
is the same except that the name is changed to MYKL-VPN. Here are the steps to create the
VPN profile in MAX BR1.
At the branch router (Balance 310), go to Network > SpeedFusion to create the VPN
profile.
VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name. This name should
be the same on both sides, e.g. MYKL-VPN.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite side.
3) For the remote site, you need to enter at least one Public IP (or DNS/DDNS) of the HQ
router WAN link. If HQ has multiple WAN links with static Public IPs, you can key in all
the IPs.
4) The Balance 310 is capable of VPN Bonding, so choose the active WAN links from the
WAN Connection Priority section to be bonded by the SpeedFusion VPN. This example
will use WAN 1 & 2 to forward VPN traffic.
5) Save and apply the changes.

Once VPN profiles have been created on both sides, and if the WAN links
are up, the routers will start negotiating the VPN connection. If all the
parameters are correct, the VPN will be online in a minute's time.
As shown in the screenshots, at the Dashboard page, the status of the
VPN connection will change to Established, indicating a successful VPN
connection.
Failover Test:
1) Before starting the test, at the Remote site, launch the command prompt window and
conduct a continuous ping to HQ LAN IP (10.0.0.10)
2) Unplug WAN 2 at Remote router (Balance 310)
3) Observe the changes at the routers

Failover Test Result:


1) Any timeout during failover? Yes or No

Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
Passed or Failed

To monitor the SpeedFusion Hot Failover and recovery process, you can
view the SpeedFusion Status window.
1) Go to the Dashboard, click on the Status tab at the top, and then the
SpeedFusion tab on the side
2) Click on the blue triangle beside MYKL-VPN (or the name of your
VPN) to expand the statistics
3) Monitor the changes in the WAN status during the failover and fallback
The SpeedFusion Hot Failover recovery process should have no timeouts.
Recovery Test:
1) Before starting the test, at the Remote site, launch the command prompt window and
conduct a continuous ping to HQ LAN IP (10.0.0.10)
2) Plug back the WAN 2 at Remote router (Balance 310)
3) Observe the changes at the routers

Recovery Test Result:
1) WAN 1 resumes the VPN link
2) Any timeout during failover? Yes or No

Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
Passed or Failed

Ethernet-easy WAN
Unlike traditional WAN technologies, PepVPN works with any IP
connection, sets up in minutes, and requires almost no maintenance. It
connects sites, regardless of the distance, with a lightning-quick 256-bit
AES-encrypted tunnel. It is 100% compatible with all your
Peplink/Pepwave devices.
PepVPN is so fast and easy to use, it's like having everyone on the same
LAN, connected by Ethernet cables. PepVPN eliminates the 100-meter
limitation. In fact, it eliminates any distance limitations, so go ahead and do
business anywhere you please - across town, throughout the country,
around the globe.
Requirement
Many companies need to mobilize a team to a project site while keeping the team
connected to the company network. However, some of their company systems don't
work well in a routed environment or over a VPN (e.g. NetBIOS, mainframe-based
applications, and even VMware SRM). In these situations, the solution is to extend the
office network to the project site using the SpeedFusion Long Distance Ethernet VPN solution.
In this scenario, they are deploying a Balance 380 at HQ, and a MAX On-The-Go
(MOTG) at the remote site. The HQ's LAN IP (192.168.125.0/24) will be extended to the
remote site, with DHCP enabled to assign IPs to remote hosts.

Extending the HQ LAN to the remote site can be done using the
SpeedFusion L2 approach. These screencaps show the VPN profiles at
both HQ and Remote sites.
HQ VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name, this name should
be same for both sides, eg. SF-L2.
2) To enable Layer 2, first click on the ? at the top-right of the SpeedFusion Profile
window and click on the link to unhide the Layer 2 Bridging feature.
3) Tick the checkbox for Layer 2 Bridging, select the Bridge Port to LAN (default
setting).
4) Since the HQ serves as the DHCP server end, tick on the checkbox of Preserve
LAN Settings Upon Connected.
5) Save and apply the changes.

Remote VPN Profile


1) At the VPN Profile window, enter a meaningful word for the Name, this name should
be same for both sides, eg. SF-L2.
2) To enable Layer 2, first click on the ? at the top-right of the SpeedFusion Profile
window and click on the link to unhide the Layer 2 Bridging feature.
3) Tick the checkbox of Layer 2 Bridging, select the Bridge Port to LAN (default
setting).
4) As the remote site is to follow the HQ DHCP assignment, leave the checkbox of Preserve
LAN Settings Upon Connected unchecked. A warning message will be displayed as a
reminder that this site's (Remote) LAN will follow the HQ LAN IP assignment.
5) In order to manage this router (MOTG), you need to manually assign an unused HQ
LAN IP to this router. Once SpeedFusion is connected, you will be accessing this
router via this new IP (192.168.125.5).
6) Save and apply the changes.

Once the VPN profile has been created on both sides, and if the WAN links are up, the
routers will start negotiating the VPN connection. If all the parameters are
correct, the VPN will come up in a minute's time. The description of the
SpeedFusion connection will change, with the added wording Layer 2 beside
SpeedFusion. At the remote router, a warning message is displayed at the
bottom of the Device Information section.

To verify the SpeedFusion tunnel, you can view the SpeedFusion Status
window.
1) Go to DashBoard, click on Status button at SpeedFusion section
2) Click on the blue triangle beside the SF-L2 to expand the statistic
3) Notice that the Remote router IP is 192.168.125.5, as assigned in the
VPN profile
Remote Host Verification:
1) Open command prompt of the remote site notebook, check the ip with ipconfig, you
will notice the host grabbed 192.168.125.11 from HQ DHCP server.

Ping Test:
1) Remote side ping to HQ LAN IP: 192.168.125.10
Passed or Failed

SpeedFusion 3G/4G Bonding


As more business takes place outside the office, telecom providers have
responded by boosting the speed and reliability of their 3G networks. In
addition, they are rolling out innovations like 4G, LTE, and WiMax in an
increasing number of markets.
However, no matter how quickly cellular data bandwidth and quality
improve, mobile business always demands more. From live video
streaming and conferencing to ever-larger file transfers and real-time
collaboration, today's mobile applications strain even the latest and
greatest cellular technology to its limits. The result is fluctuating data
quality, unpredictable data rates, and widespread frustration, in addition to
costly overage charges.
Requirement
In our previous case, the remote site area doesn't have any WiFi or wired Internet
facility. So, the project team needs to use Cellular WAN to establish a VPN back to the
office. We can combine both 3G cellular lines into a SpeedFusion Bonded VPN to allow
greater throughput and reliability. The remote site LAN IP is 192.168.0.0/24, and the HQ
LAN IP is 192.168.125.0/24.

We assume the HQ router has already created the SpeedFusion profile named SF-L2, a normal
Layer 3 bonded VPN. Here are the steps for creating a VPN profile in MAX OTG.
At the branch router (Balance 310), go to Advanced > SpeedFusion to create the VPN
profile.
VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name. This name should
be the same on both sides, e.g. SF-L2.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite side.
3) At the remote site, enter at least one Public IP (or DNS/DDNS) of the HQ router
WAN link. If HQ has multiple WAN links with static Public IPs, you can key in all the
IPs.
4) The MAX OTG is capable of VPN Bonding, so choose the active WAN links from the
WAN Connection Priority section to be bonded by the SpeedFusion VPN. This
example will use WAN 1 & 2 to forward VPN traffic.
5) Save and apply the changes.

Once VPN profiles have been created on both sides, and if the WAN links
are up, the routers will start negotiating the VPN connection. If all the
parameters are correct, the VPN will come up in a minute's time.
As shown in the screenshots, the Dashboard shows the status of the VPN
connection changing to Established, indicating that the VPN connection
process is successful. Also notice that both WAN 1 & 2 are up and
connected to the Internet.

To further verify the SpeedFusion tunnel, you can view the SpeedFusion
Status window.
1) Go to DashBoard, click on the Status button at the SpeedFusion
section
2) Click on the blue triangle beside the SF-L2 to expand the statistic
3) Notice that both WAN 1 & 2 are connected to the SpeedFusion VPN,
and forwarding the traffic via the VPN tunnel
Load Sharing Test via multiple Ping commands:
1) From the Remote side, launch at least 2 ping commands to HQ LAN IP: 192.168.125.1
Passed or Failed
Do the Receive (RX) and Transmit (TX) counters of the WAN 1 & 2 links increase? Yes or
No
Refer to the next page for the traffic statistics

The real-time graph shows the traffic passing through the SpeedFusion Bonded VPN tunnel.
If the uplink direction experiences a link interruption, the SpeedFusion graph will
indicate packet loss.

Using SpeedFusion Behind a Firewall


If a Peplink Balance is placed behind a firewall, simply define firewall rules and inbound
port forwarding policy in order to allow VPN traffic to pass through it.
By default, SpeedFusion uses TCP port 32015 and UDP port 4500 for establishing VPN
connections and transmitting data. However, you can change the Data Port assignment
in your SpeedFusion profile to another value.

SpeedFusion bonded VPN requires all transmitted data to be
encapsulated in a special UDP stream. This stream contains additional
packet headers with all the information needed to reconstruct the original
data stream in the correct order at the remote location.
SpeedFusion adds an additional 80 bytes of data to each packet sent
over a SpeedFusion connection, no matter what size the original data
packet is. This compares well to the 58 bytes of overhead required by
IPsec, especially considering that SpeedFusion provides advanced
routing, load balancing, and 256-bit AES encryption within the tunnel.
As the chart on the left shows, when a SpeedFusion VPN tunnel is used to
transmit IMIX data (4084 bytes), an additional 960 bytes of SpeedFusion
overhead is required.
The SpeedFusion overhead is 19% of the total transmitted data (IMIX +
overhead). Since it uses a fixed number of bytes per packet transmitted (an
additional 80 bytes), SpeedFusion is much more efficient when transmitting larger
packet sizes.

Accounting for SpeedFusion bandwidth overhead and assuming that the
traffic passing across the links is similar to the previously mentioned IMIX
standard, we can calculate the available real-world bandwidth at the remote
site:
Download: 10Mb + 10Mb = 20Mbps - 19% = 16.2Mbps
Upload : 2Mb + 2Mb = 4Mbps - 19% = 3.24Mbps
It is important to explain SpeedFusion bandwidth overhead to your end
users so that they understand why they will not get the full 20Mbps/4Mbps
bandwidth when using VPN bonding.
Remember that conventional VPN technology such as IPsec has an
overhead of 14.6%, so SpeedFusion provides bandwidth aggregation &
WAN resilience for only an additional 4% overhead.
SpeedFusion Isn't Just about Bandwidth Aggregation
The big benefit of SpeedFusion is VPN reliability and the highly available connection it
provides (with packet-level failover).
Customers can take advantage of this reliability and use a pair (or more) of low-cost DSL
circuits to achieve higher reliability and throughput than comparable private circuits,
often at up to 80% less cost.

We always recommend the use of WAN links with similar bandwidth
profiles from different ISPs to allow for the best possible SpeedFusion
throughput.
Using at least two different ISPs offers the benefit of provider diversity,
which means less chance of a technical (or even accounting/billing) error
causing a network outage. Provider diversity also lessens the impact of
bandwidth sharing, a common problem when using multiple circuits from a
single provider.
Download : 20 + 20 = 40 - 19% = 32.4Mbps
Upload : 4 + 4 = 8 - 19% = 6.48Mbps
The above configuration example uses two DSL circuits from two different
ISPs, each circuit having a similar bandwidth profile, as the best use case
for fixed line SpeedFusion bonding.
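The overhead percentages and bonded bandwidth figures above can be reproduced from the per-packet numbers. The following Python calculation is an added example, not Peplink code. It assumes the 4084-byte IMIX sample is the common 7 x 40, 4 x 576, 1 x 1500 byte mix (12 packets, which matches 960 bytes of overhead at 80 bytes per packet).

```python
# Per-packet tunnel overhead in bytes, as stated in the text.
SPEEDFUSION_OVERHEAD = 80
IPSEC_OVERHEAD = 58

# Assumption: "simple IMIX" mix, packet size in bytes -> packet count.
# 7*40 + 4*576 + 1*1500 = 4084 bytes in 12 packets.
IMIX = {40: 7, 576: 4, 1500: 1}


def overhead_fraction(mix, per_packet_overhead):
    """Share of the bytes on the wire that is tunnel overhead
    (overhead / (payload + overhead)), the way the text states its 19%."""
    payload = sum(size * count for size, count in mix.items())
    extra = per_packet_overhead * sum(mix.values())
    return extra / (payload + extra)


def usable_mbps(link_mbps, mix, per_packet_overhead=SPEEDFUSION_OVERHEAD):
    """Bonded line rate minus tunnel overhead for traffic shaped like `mix`.
    Ignores latency and packet-loss effects, which reduce throughput further."""
    return sum(link_mbps) * (1 - overhead_fraction(mix, per_packet_overhead))


def overhead_by_packet_size(sizes, per_packet_overhead=SPEEDFUSION_OVERHEAD):
    """Overhead percentage for single packet sizes: a fixed per-packet cost
    weighs far more on small packets than on large ones."""
    return {
        size: round(100 * overhead_fraction({size: 1}, per_packet_overhead), 1)
        for size in sizes
    }


if __name__ == "__main__":
    sf = overhead_fraction(IMIX, SPEEDFUSION_OVERHEAD)
    ipsec = overhead_fraction(IMIX, IPSEC_OVERHEAD)
    print(f"SpeedFusion overhead on IMIX: {sf:.1%}, IPsec: {ipsec:.1%}")
    print("Per packet size:", overhead_by_packet_size([40, 576, 1500]))
    for label, links in (("2 x 10/2 Mbps", ([10, 10], [2, 2])),
                         ("2 x 20/4 Mbps", ([20, 20], [4, 4]))):
        down, up = (usable_mbps(l, IMIX) for l in links)
        print(f"{label}: {down:.1f} Mbps down, {up:.2f} Mbps up")
```

Traffic dominated by small packets (for example VoIP) sees a much larger overhead share than the IMIX average, so the 19% figure should be treated as a planning value for mixed traffic only.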

The Effect of WAN Link Characteristics on SpeedFusion VPN Connections


Another important factor to consider is the quality of the WAN links connecting
SpeedFusion enabled devices. Let's consider some of the typical drivers for using
SpeedFusion in the first place:
1) Internet Connection Bandwidth Availability - SpeedFusion is often deployed by
customers who are limited to slow DSL or cellular connections at a given location.
Typically, these customers want to combine these slow links to create a faster
aggregate connection between locations.
2) Internet Connection Reliability - We often see poor physical line quality at
customer locations, particularly DSL using old copper (and sometimes even lead)
cable over a long run from the nearest exchange or POP. These connections are
inherently unreliable and can sometimes be affected by rain ingress into the physical
circuits, as well as temperature changes. We also see customers who have no
physical lines and want to use cellular connectivity. Naturally, the quality, bandwidth
availability, and reliability of cellular connections vary depending on location.
3) Flexibility - One of the benefits of SpeedFusion is that it is connection agnostic, so
we often see customers who want to use it to bond WAN links of different technology
types, such as 3G/4G, VSAT, DSL, and leased lines. Obviously, the characteristics
of these connections are very different (VSAT has high latency, cellular connections
have variable latency/bandwidth depending on their location/signal strength, etc.).
4) ISP Diversity - This is a big driver for customers who want to make sure that even if
an ISP has a service issue, they can still connect using a WAN link from another ISP.
The same DSL product from different ISPs can have quite different characteristics,
with everything from variable contention, latency, and bandwidth availability being
factors.

The Effect of WAN Link Characteristics on SpeedFusion VPN Connections, Continued

The two main WAN link characteristics that are important are:
Packet Loss
When the SpeedFusion engine detects excessive packet loss on a WAN link, the link will
fail its health test and will not be used by SpeedFusion as an active link until it passes a
subsequent health test.
Latency
When latency characteristics are the same across connected WAN links, latency has very
little effect on SpeedFusion bandwidth throughput. However, when the latency of WAN links
varies considerably, bandwidth throughput will be affected.
Example 1. If WAN1 has 100ms and WAN2 has 400ms, the resulting latency of the
SpeedFusion bonded link will be 400ms, following the higher-latency WAN.
Example 2. If packets travel multiple SpeedFusion hops (site A -> site B -> site C),
with 100ms per link between 2 sites, then the total latency will be 200ms from site A to
site C (via site B).
Any variation of these characteristics has an effect on the amount of WAN link
bandwidth that is available for use by SpeedFusion.
Packet Loss in high latency environments
In the example above, there is a 3G connection which is highly susceptible to packet
loss. Because the latency across the SpeedFusion link is equalized to the link with the
highest latency (800ms), SpeedFusion will take longer to spot the packet loss (800ms+).
In certain conditions, such as a combination of regular timed packet loss and high latency
on the above 3G link, the TCP protocol method of retransmitting lost packets can have a
drastic effect on the available bandwidth over the VPN. This is another reason why we
recommend that, whenever possible, high latency links be used for failover and not as an
active SpeedFusion WAN link.
Recommended latency difference = Less than 150ms
Note: Using UDP traffic over SpeedFusion can provide higher throughput than TCP,
which has restrictive flow control.
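The latency rules above (a bonded link runs at the latency of its slowest member, hops add up, and active links should be within 150ms of each other) can be turned into a WAN Connection Priority plan. The following Python helper is an added example and not Peplink's own algorithm; the link names and measured latencies are constructed, and packet loss is not considered.

```python
# "Recommended latency difference = Less than 150ms" (from the text).
MAX_SPREAD_MS = 150

# Constructed measurements (assumption): WAN link name -> average latency in ms.
LINKS = {"DSL-A": 35, "DSL-B": 60, "LTE": 120, "3G": 400, "VSAT": 800}


def bonded_latency(latencies_ms):
    """A bonded tunnel is equalized to its highest-latency member link."""
    return max(latencies_ms)


def path_latency(hops):
    """Latency across several SpeedFusion hops: the per-hop bonded
    latencies add up (site A -> site B -> site C)."""
    return sum(bonded_latency(hop) for hop in hops)


def plan_priorities(links, max_spread_ms=MAX_SPREAD_MS):
    """Group links into priority bands so that every link in a band is less
    than `max_spread_ms` slower than the fastest link of that band.
    Band 1 holds the lowest-latency links (active bonding); higher numbers
    are only used for failover when all lower bands are down."""
    plan = {}
    priority = 0
    band_floor = None
    for name, latency in sorted(links.items(), key=lambda kv: (kv[1], kv[0])):
        if band_floor is None or latency - band_floor >= max_spread_ms:
            priority += 1          # too slow for the current band: open a new one
            band_floor = latency
        plan[name] = priority
    return plan


def active_latency(links, plan):
    """Latency the bonded tunnel will show while priority 1 links are up."""
    return bonded_latency([links[name] for name, prio in plan.items() if prio == 1])


if __name__ == "__main__":
    plan = plan_priorities(LINKS)
    for name, prio in plan.items():
        print(f"{name:6s} {LINKS[name]:4d} ms -> Priority {prio}")
    print("Bonded latency with Priority 1 links:", active_latency(LINKS, plan), "ms")
    print("Bonded latency if all links were active:", bonded_latency(LINKS.values()), "ms")
```

With the constructed values, the two DSL lines and the LTE link share Priority 1 at 120ms, while bonding all five links would pull the tunnel to the 800ms of the VSAT link.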

External Factors that Affect WAN Link Quality


Whatever WAN connections you are using, it is always a good idea to test each
individually and repeatedly to discover its maximum throughput in both directions.
Remember, bandwidth availability can vary throughout the
day, especially if using cellular or fixed lines with variable contention.

Cellular and Satellite Bandwidth Availability


The amount of bandwidth available on a 3G/4G or satellite data connection is dependent
on a number of factors:
- Signal Strength: Determined by the distance to the nearest cellular tower (or
visibility of the satellite) and the subsequent signal quality received.
- Backhaul Bandwidth Availability: From the cellular tower to the ISP's core network
or from the satellite ground station to the ISP's core network.
- Device Contention: At the tower or satellite you are connected to (determined by
the number of active subscribers on a tower or satellite at any given moment).

Fixed Line Contention


Most Internet connections are provided as a contended service. This means that
although your provider has advised you will get up to 24Mbps broadband over DSL, for
example, depending on how oversubscribed your DSL service is (literally how many
people in your area are connected to the ISP's service), the bandwidth that's actually
available at any given moment could be considerably less.

The Benefits of Using Multiple Verizon LTE Connections on Contended Cell Towers

Verizon and other LTE providers use a process called windowing/time-slicing when
multiple subscribers connect to their LTE services.
In the first example, the third user gets only 1/3 (33Mbps) of the available bandwidth
(100Mbps) from the cell tower. In the second example, the third user, with a Pepwave
MAX device (fitted with 2 LTE data SIMs), is able to get half (50Mbps) of the available
bandwidth from the cell tower.

Multiple Cellular Connections Deliver a Larger Share of Available Bandwidth

As the above diagrams show, adding an additional cellular connection does not always
mean a doubling of available bandwidth, especially if both connections are from the
same ISP.
However, an additional cellular connection can provide the end user with a larger share
of the available bandwidth at a tower.
So, if there are multiple LTE carriers available, it is always recommended to connect to
two different cellular providers to gain a bigger bandwidth share from your LTE connections.

Peplink Balance also supports site-to-site IPSec VPN to third-party peer devices, e.g. Cisco
and Juniper, but Peplink always recommends establishing a SpeedFusion VPN whenever
possible, if both peers are Peplink routers.
Notes:
- We advise you to only use IPSec Aggressive Mode when one of your devices has a
dynamic IP address. You should choose Main Mode whenever possible because
Aggressive Mode is not as secure as Main Mode, although Aggressive Mode is a little
bit faster because fewer packets are exchanged.
- With PFS turned on, when 2 IPSec gateways start a new Phase 2 SA negotiation,
they will generate a new set of Phase 1 keys, so that if the security key was
compromised, the attackers will only be able to access the data protected by that key.
After the new SA is negotiated, all data will be well protected and not affected by the
previously compromised key.
- You can only select Force UDP Encapsulation if you have turned on NAT-Traversal.
This option is useful when you do not want NAT-T to automatically detect a NAT
connection, or if the remote peer failed to detect NAT. If enabled, it will force the Balance /
MAX to tell the remote peer that UDP encapsulation (Port 4500) is required (even if you
are connecting to the Internet directly without NAT).
- An IPSec tunnel is not treated as a WAN interface when configuring Outbound Policy.

In a new setup environment where the customer subscribes to 2 Internet links and
does not need a dedicated firewall, a Balance model is a good choice for providing
outbound Internet load balancing while acting as the security gateway (firewall).

Planning Your Network

- An ISP #1 router/default gateway (210.10.10.1) connected to ISP #1.
- An ISP #2 router/default gateway (20.2.2.1) connected to ISP #2.
- Trusted LAN IP: 192.168.1.0/24
- Peplink Balance WAN #1 IP: 210.10.10.2/24, WAN #2 IP: 22.2.2.2/24, LAN IP:
192.168.1.1/24
- Peplink Balance Router Default Gateway IP: 210.10.10.1 for ISP #1, IP: 22.2.2.1 for
ISP #2
- Internal hosts (PC/Notebook) accessing the Internet will be load balanced across the 2
Internet links.

Assumptions:
1) Both ISPs are providing static Public IP ranges.
2) All outgoing traffic will be load balanced across both Internet links.

Part 1 - Interface Configuration steps:

1) Go to Network > Interfaces > WAN, click on WAN 1.
2) Choose Static IP from the Connection Method drop-down list.
3) If you need to implement QoS, make sure the Upload Bandwidth and
Download Bandwidth values follow the subscribed bandwidth.
4) Fill in the Static IP Settings area with the details given by the ISP.
5) Go through steps 1-4 above for the WAN 2 interface.
6) For the LAN interface, if you want to change to a different IP range than the default
(192.168.1.1/24), go to Network > Interfaces > LAN.

7) Fill in the IP address and subnet mask respectively.
8) DHCP service is enabled by default; change it if required, otherwise leave it as it is.

Part 2 - Configure Outbound Policy to load balance outgoing traffic:

1) Go to Network > Outbound Policy and click the Add Rule button; the Add a New
Custom Rule window will appear.
2) Give a name for the Service Name; in this example it is All-Traffic.
3) Choose Any for Source, Destination, and Protocol, based on the assumption made
above.
4) We have WAN 1 and WAN 2 active, so choose Weighted Balance from the
Algorithm drop-down list. This will allow 50:50 load balance between WAN 1 and
WAN 2.
5) For WAN 3 and Mobile Internet, either leave them as they are or drag the pointer to 0, as
this will not affect the connectivity.
6) Click the Save button to save the configuration.
7) At the Rules window, drag the newly created service All-Traffic to below
HTTPS_Persistence. This ensures that the HTTPS_Persistence rule is processed
before All-Traffic, as the policy is processed from top to bottom.
8) Save to apply the changes.
Done. The Balance router is now load balancing outgoing Internet traffic
between WAN 1 and WAN 2 in a 50:50 ratio, and applies NAT from the LAN IP to the WAN 1 and
WAN 2 public IPs. You may proceed to configure the firewall rules if needed; otherwise you
can leave the default policy in place.

Understanding Outbound Load Balancing


Peplink's load balancing algorithms help you easily fine-tune how traffic is distributed
across connections. Each deployment has a unique setup, and Peplink's enterprise
grade load balancing features can fulfill all of your special requirements. Create your
own rule with the following algorithms and you can sit back and enjoy the high
performance routing that Peplink brings to you.
A flexible rule-based configuration design enables the fine-tuning of outbound traffic at a
per-service level by allowing multiple rules to be configured. The following types of
Outbound Traffic Rules are available:
- Weighted Balance
- Persistence
- Enforced
- Priority
- Overflow
- Least Used
- Lowest Latency

Outgoing Traffic Control via Firewall


Besides Outbound Policy, the Balance provides a firewall: a mechanism that selectively
filters data traffic between the WAN side (the Internet) and the LAN side of the network.
It can protect the local network from potential hacker attacks, offensive Web sites, and/or
other inappropriate uses.
The Outbound firewall policy supports the selective filtering of data traffic on LAN-to-WAN,
from PPTP clients, and from SpeedFusion peers.

Outbound Firewall Rules can Block the following traffic types


- Traffic coming from LAN clients
- Traffic coming from PPTP clients
- Traffic coming from SpeedFusion peers

There are 3 types of Outbound policy that can be defined:


1) High Application Compatibility
With the selection of this policy, outbound traffic from a source LAN device is
routed through the same WAN connection regardless of the destination
Internet IP address and protocol.
This provides the highest application compatibility.
2) Normal Application Compatibility
With the selection of this policy, outbound traffic from a source LAN device to
the same destination Internet IP address will persistently be routed through
the same WAN connection regardless of protocol.
This provides high compatibility to most applications, and users still benefit
from WAN link load balancing when multiple Internet servers are accessed.
3) Custom policy
With the selection of this policy, outbound traffic behavior can be managed by
defining custom rules.
Rules can be defined in a custom rule table. A default rule can be defined for
connections that cannot be matched with any one of the rules.

The default policy is Normal Application Compatibility.

The "Default" custom outbound policy of the Balance 580 is Lowest Latency; the Balance sends
TCP traceroute packets every 10 seconds to measure link latency. Changing to any algorithm
other than Lowest Latency stops the latency measurement packets and reduces link usage.
Note:
An HTTP packet has a larger footprint than a Ping packet, so this change can reduce link usage.

Weighted Balance
Assign more traffic to a faster link or less traffic to a connection with a bandwidth cap.
Set a weight on the scale for each connection and outgoing traffic will be proportionally
distributed according to the specified ratio.
The amount of matching traffic that is distributed to a WAN connection is proportional to
the weight of that WAN connection relative to the total weight. Use the sliders to change
each WAN's weight.
Example: With the following weight settings on a Peplink Balance 310:
WAN1: 10
WAN2: 10
WAN3: 5
Total weight is 25 = (10 + 10 + 5)
Matching traffic distributed to WAN1 is 40% = (10 / 25) x 100%
Matching traffic distributed to WAN2 is 40% = (10 / 25) x 100%
Matching traffic distributed to WAN3 is 20% = (5 / 25) x 100%
Note:
If the LAN user is running multiple Internet sessions, such as BitTorrent or a download
manager, that user can utilize the bandwidth of all available WANs at a particular moment.

Persistence
Eliminate session termination issues for HTTPS, E-banking, and other secure websites.
Specify a traffic type and it will be routed through the same connection persistently
based on its source and/or destination IP addresses. Traffic will keep routing on the
same connection until the session ends.
There are two Persistent Modes. One is by source and the other by destination. The
default Mode is By Source.

Enforced
Restrict outbound traffic to a particular connection. Select a connection and the specified
traffic type will be routed through it at all times, whether the link is up or down. This
suits scenarios like accessing a server that only allows users from a specific IP.

Priority
Route traffic to your preferred link as long as it's available. Arrange the connection
priority order, and traffic will be routed through the healthy link that has the highest
priority in the list. Lower priority links will only be used if the current connection fails.

Overflow
Prevent traffic flow from slowing down when the connection runs out of available
bandwidth. Drag and drop to arrange the connection overflow order and the highest
priority link will route traffic as long as it has not been congested. Once it saturates, the
lower priority links will start routing traffic.

Least Used
Help you choose the better connection with more free bandwidth. Traffic will be directed
to the link with the most available bandwidth among the selected connections. This
option is useful for maximizing reliability and bandwidth utilization.

Lowest Latency
Give you the fastest response time when using applications like online gaming. Traffic
will be assigned to the link with the lowest latency time among the selected connections.
Latency checking packets are issued periodically to a nearby router of each WAN
connection to determine its latency value. The latency of a WAN is the packet round trip
time of the WAN connection. Additional network usage may be incurred as a result.
Lowest Latency will try TCP traceroute first. If there is no response from TCP traceroute,
it will fall back to using ping.
Note: The round trip time of a 6M down /640k up link can be higher than that of a 2M
down /2M up link. This is because the overall round trip time is lengthened by its slower
upload bandwidth despite its higher downlink speed.
Therefore this algorithm is good for two scenarios:
- All WAN connections are symmetric; or
- A latency sensitive application needs to be routed through the lowest latency WAN
regardless of the WAN's available bandwidth.

In addition to physical WAN interfaces, Peplink Balance allows you to redirect
designated traffic to a VPN tunnel, e.g. a SpeedFusion VPN tunnel. For example, a
customer with centralized Internet access can force all branch Internet traffic to go
through the VPN tunnel back to HQ (and probably web content filtering/security
assessment) before reaching Internet sites. Another example would be customer
internal applications (email, CRM, etc.) that should be redirected via a secured VPN
tunnel to access servers in HQ, rather than going through the unsecured Internet.

Configuration Example - Restricting IPSec VPN Traffic to the WAN1 Link

To configure Peplink Balance to restrict IPSec VPN traffic to WAN1, add the following
per-service Enforced rules:
1) Rule to specify UDP Port 500 traffic:
   Service Name: UDP500_on_WAN1
   Source & Destination IP: Any
   Protocol & Port: UDP 500
   Algorithm: Enforced
   Enforced Connection: WAN1
2) Rule to specify UDP Port 4500 traffic:
   Service Name: UDP4500_on_WAN1
   Source & Destination IP: Any
   Protocol & Port: UDP 4500
   Algorithm: Enforced
   Enforced Connection: WAN1
With these rules enabled, Peplink Balance will route IPSec VPN traffic with NAT-T (which
requires UDP ports 500 and 4500) to WAN1 regardless of its up/down status. In the event
that WAN1 is down, the specified traffic will simply be dropped rather than routed via the
other WAN links.
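
The rule handling described above, modelled as an added example (not part of the Peplink manual and not Peplink's code): rules are evaluated top to bottom, an Enforced rule drops traffic when its link is down, and a catch-all rule placed too high shadows the rules beneath it. The hash-based link choice, the exclusion of down links from Weighted Balance and Persistence, the weight values and the sample flows are assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    algorithm: str                  # enforced | priority | weighted | persistence
    protocol: Optional[str] = None  # "tcp" / "udp"; None means Any
    port: Optional[int] = None      # destination port; None means Any
    wan: Optional[str] = None       # Enforced Connection
    order: tuple = ()               # Priority: preferred link first
    weights: dict = field(default_factory=dict)  # slider weight per WAN

    def matches(self, flow: dict) -> bool:
        return (self.protocol in (None, flow["protocol"])
                and self.port in (None, flow["dport"]))

    def covers(self, other: "Rule") -> bool:
        """True if every flow matched by `other` is also matched by this rule."""
        return (self.protocol in (None, other.protocol)
                and self.port in (None, other.port))


def pick_by_weight(key: str, weights: dict) -> str:
    """Map a key onto the links in proportion to their weights (assumed scheme)."""
    total = sum(weights.values())
    point = int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big") % total
    for wan in sorted(weights):
        if point < weights[wan]:
            return wan
        point -= weights[wan]
    raise AssertionError("unreachable: point is always below the total weight")


def select_wan(rule: Rule, flow: dict, health: dict) -> Optional[str]:
    """Return the WAN the rule picks, or None when the flow is dropped."""
    if rule.algorithm == "enforced":
        # Enforced never uses another link: if its WAN is down the flow is dropped.
        return rule.wan if health.get(rule.wan) else None
    if rule.algorithm == "priority":
        return next((w for w in rule.order if health.get(w)), None)
    # Assumption: Weighted Balance and Persistence only consider healthy links.
    usable = {w: n for w, n in rule.weights.items() if n > 0 and health.get(w)}
    if not usable:
        return None
    if rule.algorithm == "persistence":
        key = flow["src"]           # By Source: one link per LAN client
    else:                           # weighted: spread per session
        key = "{src}:{sport}>{dst}:{dport}/{protocol}".format(**flow)
    return pick_by_weight(key, usable)


def route(rules: list, flow: dict, health: dict):
    """First matching rule wins, evaluated top to bottom."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, select_wan(rule, flow, health)
    return None, None


def shadowed_rules(rules: list) -> list:
    """Names of rules that can never fire because an earlier rule covers them."""
    return [later.name for i, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:i])]


def make_flow(src, dport, protocol, dst="198.51.100.7", sport=40000) -> dict:
    """Constructed sample flow; the addresses are illustrative only."""
    return {"src": src, "sport": sport, "dst": dst,
            "dport": dport, "protocol": protocol}


def observed_share(rule: Rule, health: dict, sessions: int = 2000) -> dict:
    """Fraction of constructed sessions that the rule sends to each WAN."""
    counts = {}
    for sport in range(20000, 20000 + sessions):
        wan = select_wan(rule, make_flow("192.168.1.10", 80, "tcp", sport=sport), health)
        counts[wan] = counts.get(wan, 0) + 1
    return {wan: n / sessions for wan, n in counts.items()}


# Rule table built from the page: the two Enforced IPSec rules, HTTPS_Persistence,
# then the All-Traffic catch-all. The weights of 10 are assumed slider values.
PAGE_RULES = [
    Rule("UDP500_on_WAN1", "enforced", "udp", 500, wan="WAN1"),
    Rule("UDP4500_on_WAN1", "enforced", "udp", 4500, wan="WAN1"),
    Rule("HTTPS_Persistence", "persistence", "tcp", 443,
         weights={"WAN1": 10, "WAN2": 10}),
    Rule("All-Traffic", "weighted", weights={"WAN1": 10, "WAN2": 10}),
]

if __name__ == "__main__":
    wan1_down = {"WAN1": False, "WAN2": True}
    ike = make_flow("192.168.1.10", 500, "udp")
    print("correct order :", route(PAGE_RULES, ike, wan1_down))
    misordered = [PAGE_RULES[3]] + PAGE_RULES[:3]
    print("catch-all first:", route(misordered, ike, wan1_down))
    print("shadowed rules :", shadowed_rules(misordered))
```

With the catch-all rule first, the IKE flow leaves through WAN2 when WAN1 is down instead of being dropped, which is the ordering mistake `shadowed_rules` reports.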

Drop-in Mode allows Peplink Balance to be deployed in a network without
incurring any configuration changes to existing network devices. It
simplifies the installation of a Balance into an existing network by
transparently and seamlessly working with routers and firewalls. The
process is done in 2 phases. In the 1st phase, you can transparently insert
the Balance into the existing setup. In the 2nd phase, you will be able to add
Internet links without modifying existing network equipment settings.

Phase 1 - Insert Peplink Balance into existing environment

Suppose you have a migration plan similar to the following environment.
Currently, you have:
- A router/default gateway (210.10.10.1) connected to ISP1.
- A firewall (210.10.10.10) protecting your users on the trusted LAN.

We will be installing the Peplink Balance transparently in between the
router and the firewall. Then we will add more ISP connections to the
network.
In this example, we assume:
- Router (Default Gateway) IP: 210.10.10.1
- Firewall IP: 210.10.10.10
- Peplink Balance IP: 210.10.10.5 (for WAN 1 and LAN, bridge)
- WAN1 Subnet Mask: 255.255.255.240

First, start with setting up Drop-in Mode:

1) Go to Network > Interfaces > LAN.
2) Fill in the IP address and Subnet Mask as 210.10.10.5 and 255.255.255.240
respectively.
3) Enable Drop-in by clicking on the Enable box.
4) Key in the Default Gateway as 210.10.10.1 (ISP router IP).
5) Save and apply changes.
Then configure the DNS Servers for WAN 1:
1) Go to Network > Interface > WAN, click on WAN 1.
2) Fill in the DNS server IP(s). The DNS server information in the screenshot above is
used for example only.
3) Save and apply changes.

Done.
You may now install the Peplink Balance in the production network.
Note that some routers and firewalls may have problems updating their ARP tables.
Resetting these devices may be necessary.
You have just completed the Drop-in mode configuration of the Peplink Balance. You
should verify the network with a single WAN before moving to the next step of
connecting additional Internet connections.

Phase 2 - Connecting additional WANs to the Balance


To install additional Internet connections:
1) Go to Network > Interfaces > WAN.
2) Select a free WAN interface. For example, WAN 2 in this case.
3) Enter information for this WAN connection.
4) Save changes and activate the changes.

Your Balance should now aggregate and load balance across the two
links. Please repeat Steps 1 to 4 for more Internet connections.

How to set up Inbound Load Balance under Drop-in Mode


Once the Drop-in mode with multi-WAN links is successfully set up, we can proceed with
Inbound Load Balancing. This will allow the internal server(s) to be publicly accessible.

Prerequisite
This task assumes that you already have a good understanding of Drop-in Mode. If not,
please read the guide on Drop-in Mode before proceeding further.

Scenario
We will use an example throughout this note. Suppose you currently have a network
similar to the following:
- Peplink Balance installed and connected to three ISPs, using Drop-in Mode
- Static IP address ranges (subnets) from the ISPs
- A firewall protecting your trusted LAN
- Hosts and servers on the trusted LAN are using private IP addresses
Conceptually, we enable NAT on WAN2 and WAN3 to masquerade IP addresses of ISP
A to achieve inbound load balancing.

In this example, we assume:

ISP A
   Network: 210.10.10.0/24
   Router A (Default Gateway) IP: 210.10.10.1
ISP B
   Network: 22.2.2.0/24
   Router B (Default Gateway) IP: 22.2.2.1
ISP C
   Network: 33.3.3.0/24
   Router C (Default Gateway) IP: 33.3.3.1
Peplink Balance (Interface addresses)
   WAN1 and LAN: 210.10.10.5
   WAN2: 22.2.2.5
   WAN3: 33.3.3.5
Firewall IP: 210.10.10.10
Trusted LAN Network: 192.168.0.0/24
NAT Mappings (at Firewall)
   210.10.10.20:SMTP -> 192.168.0.20:SMTP
   210.10.10.30:SMTP -> 192.168.0.30:SMTP
Drop-in Mode is already configured and working from the previous scenario, so no changes
are needed on the existing router and firewall.

Our Target:
We want to map IP addresses from ISP B and ISP C to logically point to the mail
servers.

Define Additional Public IP addresses of ISP B and ISP C


1) Go to Network > Interfaces > WAN > WAN2 > Additional Public IP Settings
2) Add the public IP addresses assigned to you by ISP B
3) You can add a series of IP addresses easily using the tool. (But remember to remove
the default gateway and Balance IP addresses from the auto-generated list by the
tool.)
4) Repeat the same step for WAN3 (if applicable for you).
Purpose: To tell Balance what IP addresses are available for inbound use.

Define Inbound Servers


1) Go to Advanced Network > Inbound Access > Servers
2) Add the two mail servers
3) Notice the use of IP addresses from ISP A here. The Peplink Balance only sees
IP addresses on its LAN interface.

Define Inbound Services


1) Go to Network > Inbound Access > Services
2) Add a new service rule, tying up IP addresses of ISP B and ISP C to existing
server(s).
3) The screenshot essentially describes the following:
Map 22.2.2.20:SMTP -> 210.10.10.20:SMTP
Map 33.3.3.20:SMTP -> 210.10.10.20:SMTP
4) Notice that no mapping is required for ISP A. (Uncheck it)
5) Repeat the same step for other service(s).
6) Save and apply changes.

How to set up Inbound Load Balance via built-in DNS (Drop-in Mode)
Peplink Balance has a built-in DNS server for inbound link load balancing. You can
delegate a domain's NS/SOA records, e.g. www.mycompany.com, to the Peplink
Balance's WAN IP address(es). The Peplink Balance will return healthy WAN IP
addresses as an A record when a DNS query for the host name is received.
It can also act as a generic DNS server for hosting A, CNAME, MX, TXT and NS
records. The Peplink Balance can perform this in two modes, either Non Drop-in or
Drop-in Mode.
Inbound Load Balancing is configured via:
- DNS records configured within Peplink Balance
- External DNS records at an Authoritative DNS Server
To illustrate this, we will use the previous example, changing the server from mail to
web, and using only a single server to simplify the illustration. The steps to define the
server(s) and service(s) are the same as in the previous example, so we will start with the
DNS settings.

To define the DNS records to be hosted in Peplink Balance, go to the setup page located
at: Network > Inbound Access > DNS Settings, as shown above.

Step 1: Configure DNS Server


Click the Edit button to choose the IP addresses that the DNS server should be listening
on. This will result in a pop-up screen.
There, select the desired WAN link(s) and respective WAN Interface IP addresses.
Multiple addresses in the list can be selected by holding the CTRL key while clicking on
the addresses. Click Save to continue.

Step 2: Define the Default SOA / NS


From Network > Inbound Access > DNS Settings, click on the Edit button, create the
Default SOA / NS record, and map the WAN 1, 2 & 3 interface IP to the Name Server
respectively.

Step 3: Select Connection Priority


From Network > Inbound Access > DNS Settings, click the Edit button to configure
Default Connection Priority. In the resulting pop-up, you will see a list of WAN Interfaces
with priority, please choose the desired WAN priorities and click Save to continue.
In the above example, WAN 1, 2 & 3 are the DNS query answering interfaces, so they should
be selected. We are assuming all three WAN links are equally healthy.

Step 4: Creating DNS Records


From Network > Inbound Access > DNS Settings, enter a domain name in the Domain
Name field and click the Add New button.
Click on the New A Record button to create A Record for the web server.

As the A Record window appears, enter the name of the server (e.g. www), which will be
automatically associated with the previously defined domain name (.mypeplink.com).
Check the IP addresses at the respective WAN interfaces; these will be mapped to
www.mypeplink.com.

Only the highlighted IP addresses in the lists are returned in responses to a DNS
query. (Multiple items in a list can be selected by holding CTRL and
clicking on the items.) In case a WAN link is down, the corresponding set
of IP addresses will not be returned. However, the IP addresses in the
Custom IP field will always be returned.
Click Save and Apply the changes.

Domain Delegation
This diagram is useful for users who want to delegate a sub-domain to be resolved and
managed with the Peplink Balance (assuming they host their domain at an ISP or
domain registrar).
In order for Internet users to look up the host name (e.g. www.mypeplink.com) using
the Peplink Balance, you have to point its NS records in the domain (e.g.
mypeplink.com) to the Peplink Balance's WAN IP addresses. If you are using ISC
BIND 8 or 9, add these lines in the zone file of mypeplink.com:
www          IN NS balancewan1
www          IN NS balancewan2
www          IN NS balancewan3
balancewan1  IN A  210.10.10.5
balancewan2  IN A  22.2.2.5
balancewan3  IN A  33.3.3.5
Where 210.10.10.5, 22.2.2.5 and 33.3.3.5 are the WAN IP addresses of the Peplink
Balance in this example. The IP values here are for illustration only and would likely be
different for you. In order to host the complete domain on your own DNS server with the
Peplink Balance, contact the DNS registrar to have the NS records of the domain (e.g.
mypeplink.com) point to your Balance's WAN IP addresses.

Testing
From a host on the Internet, use nslookup against an IP address of the Peplink Balance to
look up the corresponding hostname. Check that the returned IP addresses are the desired
addresses for the host name. Above is a sample Windows nslookup.
The IP values here are for illustration only and would likely be different for you. In the lab
example, the query for www.mypeplink.com returns three IPs (210.10.10.30, 22.2.2.30 &
33.3.3.30).
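
The same test as a repeatable check, added here as an example that is not part of the Peplink manual: it parses a DNS response and compares the A records with what the page says should be returned (addresses of healthy WANs plus any Custom IP). The response bytes are constructed in the code so it runs offline; the record layout `WWW_RECORD` and all function names are assumptions of this example.

```python
import socket
import struct


def encode_name(name: str) -> bytes:
    """Encode a host name as DNS labels."""
    return b"".join(bytes([len(p)]) + p.encode("ascii")
                    for p in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """A-record query (QTYPE 1, QCLASS IN) with recursion not requested."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query: bytes, addrs: list, ttl: int = 5) -> bytes:
    """Constructed stand-in for the name server's answer (offline sample input)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(addrs), 0, 0)  # QR + AA
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                       + socket.inet_aton(a) for a in addrs)
    return header + query[12:] + answers


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, name ends here
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(msg: bytes) -> dict:
    """Extract the rcode, the AA flag and the A-record addresses from a response."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "authoritative": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "addresses": addrs}


def expected_addresses(record: dict, health: dict) -> set:
    """Addresses that should be returned: healthy WANs plus the Custom IP field."""
    out = set(record.get("custom", ()))
    for wan, ips in record["per_wan"].items():
        if health.get(wan):
            out.update(ips)
    return out


def audit_response(msg: bytes, record: dict, health: dict) -> dict:
    """Compare a response with the expected answer set for the given WAN health."""
    parsed = parse_a_records(msg)
    want = expected_addresses(record, health)
    got = set(parsed["addresses"])
    return {"ok": parsed["rcode"] == 0 and parsed["authoritative"] and got == want,
            "missing": sorted(want - got), "unexpected": sorted(got - want)}


# A record for www.mypeplink.com using the lab addresses quoted on the page.
WWW_RECORD = {"per_wan": {"WAN1": ["210.10.10.30"], "WAN2": ["22.2.2.30"],
                          "WAN3": ["33.3.3.30"]}, "custom": []}

if __name__ == "__main__":
    query = build_query("www.mypeplink.com")
    stale = build_response(query, ["210.10.10.30", "22.2.2.30", "33.3.3.30"])
    # WAN2 is down, yet the constructed answer still advertises its address.
    print(audit_response(stale, WWW_RECORD, {"WAN1": True, "WAN2": False, "WAN3": True}))
```

An address listed under `unexpected` while its WAN is down means clients are still being sent to a link that cannot serve them.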

Continuous Failover Support Using Master and Slave Setup


Background
1+1 backup enables failover to happen when the master device goes out of service. This
requires a pair of Peplink Balance devices operating in active-standby mode. When the
master device is down, the slave device takes over and handles all the LAN traffic.
The Peplink Balance series supports failover between two Balance devices based on
Virtual Router Redundancy Protocol (VRRP). Periodic VRRP advertisement packets are
sent out from the master device to VRRP-specific IP multicast addresses. The slave
device assumes the master device's responsibilities when these messages have not
been heard for a pre-defined time interval.
In the above example, a VRRP Group 20 is assigned to the HA pair. The virtual IP
address (VIP) is 210.10.10.2. However, the default gateway for the firewall should
remain unchanged, as Internet router IP: 210.10.10.1, as this is Drop-In Mode. A unique
VRRP group identifier is used for each HA pair subsequently set up on the same LAN.
Balance devices have to be on the same subnet to support VRRP and the same VRRP
group identifier must be used on the HA pair.
Additional Ethernet switches are required to separate each ISP connection so that
Master and Slave Balance devices can both be connected. More than one Ethernet
switch must be used in order to prevent a single point of failure, which would otherwise
defeat the purpose of the 1+1 backup concept.
In this example, Master Peplink unit will use 210.10.10.3 as its LAN IP, Slave Peplink
unit will use 210.10.10.4 as its LAN IP. Both Master and Slave units use the same VIP
210.10.10.2.
When the master unit goes down, failover takes place with a typical recovery time of 10-15
seconds. After the Slave unit has changed its role to Master, all WAN connections will be
re-established.

VRRP for Master Configuration


1) Go to Network > Misc. Settings > High Availability of the Master unit. Select
Enable.
2) Enter the following and then click Save:
A. Group Number: (use the same number for HA pair, e.g. 20)
B. Preferred Role: (select master or slave)
C. Virtual IP: (210.10.10.2)
(Note: VIP and LAN Administration IP have to be from the same network. Devices
behind the Balance, like the firewall, will need to configure their default gateway pointing
towards the VIP.)
3) Click Apply Changes to activate settings.

VRRP for Slave Configuration - configuration sync

1) Click and choose Slave as the Preferred Role.
2) Check the box to enable the Configuration Sync. feature.
3) Enter the serial number of the master unit.
4) Before applying the changes, it is required to change the LAN IP address and set it
as a different one from the Master unit. Go to Network > LAN of the Slave unit and
change the LAN IP address.
5) Click Save and then Apply Changes to activate settings.
6) Once the Configuration Sync succeeds, you will find the success message in the
event log of the slave unit.

NOTE:
The failover takes place with a typical recovery time of 10-15 seconds. After the
Slave unit has changed its role to Master, all WAN connections will be re-established.
Two Balance units should connect to the Internet in the same mode. For example,
they should be both in NAT mode or both in Drop-in mode.

NOTE:
Once the slave unit is configured to automatically synchronize configuration from the
master unit, the web admin of the slave unit will be locked. Changes can only be made after
you have disabled the Configuration Sync. function (see the sample captured screen above).
In HA mode, configuration synchronization only happens from the Master unit to the Slave
unit; configuration will not be obtained by the Master unit from the Slave unit.

VRRP for Slave Configuration - manual


Alternatively, you may configure the slave unit manually.
1) Go to System > Configuration of the MASTER unit. Click Download under
Download Active Configurations and save the configuration file for the Slave unit.
2) Go to System > Configuration of the SLAVE unit. Choose the configuration file
exported in step 1 under the Upload Configurations from High Availability Pair
and click Upload.
3) Before applying the changes, change the LAN IP address and set it as a different
one from Master unit. Go to Network > LAN of the Slave unit and change LAN IP
address. Click Save to save changes.
4) Go to Network > High Availability and change the Preferred Role from Master to
Slave.
5) Click Save and then Apply Changes to activate settings

LAN Bypass Feature


Available in Peplink Balance 580, 710, 1350, and 2500:
- LAN Bypass is a fault-tolerant feature that protects you in the event of a power
outage.
- When used with Drop-in Mode, such a failure would be completely transparent to the
network.
- In the above example, WAN1 and LAN1 ports are bridged together when the power
runs out.
Note:
- Starting from firmware version 5.0, Drop-in mode can be configured on any WAN
port. Note that still only one WAN port can be configured in Drop-in
mode.
- If you have selected the LAN Bypass port (which is currently available on WAN1 of
Balance 1350 and WAN5 of Balance 580) as the WAN for Drop-in Mode, the High
Availability feature will be DISABLED automatically.
- When the LAN Bypass feature is enabled, the High Availability feature will be
automatically DISABLED.

Balance Router As Wireless LAN Controller


In this section, we will cover the Balance router WLC configuration; all other AP
settings will be covered in another module (Wireless Access Point).
For model 305 onwards, the Balance comes with built-in WLC. This is useful for
deploying a centrally controlled WLAN setup at significantly lower costs. The Balance
can serve as a WLAN Controller for Managing Pepwave AP Devices, as well as multiple
SSIDs. The Balance and the Pepwave AP can automatically discover each other using
DNS and TFTP protocols.

Requirement
The customer has a Balance router installed and operating in their network. Recently,
they have purchased two units of Pepwave AP One. The customer wants to integrate
these APs into their existing LAN for their staff, while creating Guest access which
would allow visitors to only access the Internet.
LAN IP: 192.168.0.0/24
Staff SSID: same access right as wired LAN user
Staff Login Method: WPA/WPA2 PSK
Guest SSID: only allow to access Internet
Guest Login Method: Captive Portal with Open security
The Balance router, acting as the WLC will need to configure above settings and push
the policy to the AP(s).

Getting Started - Enable AP Management


1) Select Network from the top menu. Choose AP Management from the left menu,
and then select the check box to enable the feature.
2) To manage access points located in a remote network, enable Manage Remote AP.
3) You can set up a list of recognized access points with Access Point to be
Managed. Input the serial number of the AP you want to manage in the box.
4) Click Save, and then click Apply Changes.

Creating Wireless Networks (SSID) for Staff


1) Choose Wireless Networks from the left menu. Click the New Network button
displayed on the bottom of the page.
2) In the Wireless Network dialog box, enter the Network Name (SSID) used to
identify the Wi-Fi network. Enter Staff as the SSID, as this will be used for internal
access.
3) Under Wireless Security Settings, select WPA/WPA2 - Personal for home or small
business use. Enter an authentication password of at least 8 characters in the
Shared Key field. If you are managing the network of a larger company, you may
consider using WPA/WPA2 - Enterprise, which allows you to use a separate
RADIUS server to handle the wireless network's authentication. Assign the
WPA/WPA2 PSK as staffwlan for this example.
4) Click OK at the bottom of the dialog box, and then click Apply Changes to save the
wireless network.
5) Repeat the above steps to add more wireless networks and/or specify additional
names and network permissions for various user groups. Next, we will create the Guest
SSID.

Creating Wireless Networks (SSID) for Guest


1) Choose Wireless Networks from the left menu. Click the New Network button
displayed on the bottom of the page.
2) In the Wireless Network dialog box, enter the Network Name (SSID) used to
identify the Wi-Fi network. Enter Guest as the SSID, as this will be used for visitor
Internet access.
3) Under Wireless Security Settings, select Open (No Encryption).
4) To further customize network permissions, you can also change Guest Protect,
Bandwidth Management, and Firewall Settings. As this is for visitor usage, click
on the Block All Private IP checkbox to protect the internal LAN (assuming the LAN IP
range is a private IP range).
5) To show a splash screen for your Wi-Fi service, which is useful for Wi-Fi service
offered to guests in restaurant, hospitality, and other settings, enable Captive Portal.
We will configure the Captive Portal on another page.
6) Click OK at the bottom of the dialog box, and then click Apply Changes to save the
wireless network.

Creating AP Profiles
1) Choose AP Profiles from the left menu. Click the New AP Profile button displayed
on the bottom of the page.
2) In the AP Profile dialog box, enter a name for the device configuration profile, e.g.
Office.
3) Select up to four wireless networks to include in the AP profile; tick the Guest
and Staff SSIDs to include them in this profile.
4) Optimize your device's radio performance by adjusting the options in AP Advanced
Settings. For example, you can select a different 2.4 GHz Wi-Fi radio channel in
order to ensure the best signal strength and eliminate potential channel conflicts.
5) Change your AP One's device security settings, such as passwords, under Web
Administration Settings. Set the password to public, which is the default for AP One.
6) Click Save at the bottom of the dialog box, and then click Apply Changes to store
the AP profile.
Note:
You can select up to a maximum of 16 Wireless Networks in an AP Profile when using
the Balance router as WLC.

Managed AP Status in Dashboard


1) AP One devices in the network will be automatically discovered. The number of APs
detected will be shown on the Dashboard and Access Point section of Status.
2) To manage access points located in a remote network, enable Manage Remote AP.
3) You can set up a list of recognized access points with Access Point to be
Managed. In this case, one unit has been connected.

Verify From AP Web Console


1) You can verify the AP management by accessing the AP web console page using
a web browser. The AP login details are as follows:
IP Address: 192.168.0.11
Username: admin (set by WLC)
Password: public (set by WLC)
2) In the System view of the AP, the real-time status shows that the AP is connected to
the WLC (IP: 192.168.0.1).

Applying AP Profiles
1) Navigate to the Dashboard page. Under WLAN Information, click Control Panel.
2) Select the check box for the AP One device you wish to configure.
3) Select AP Profile from the drop-down menu located in the lower right corner.
4) In the AP Profile dialog box, select a previously created AP profile (e.g. Office in
this case) and click OK.
5) The selected AP profile will be sent to your AP One devices automatically.

Creating a Captive Portal

A captive portal is a great opportunity to build your brand while providing
Wi-Fi service to hotel guests, coffee shop patrons, students, and other
users. You can create a customized portal start page using one of two
captive portal modes; in this example we will use the Open Access mode.
1) Navigate to the Dashboard page. Under WLAN Information, click Control Panel.
2) In the Access Point Control Panel dialog box, click Captive Portal Settings,
located on the lower left.
3) Click the General tab and choose a Captive Portal Mode:
- Open Access Mode -- No user name or password will be required on the
portal page. To limit the amount of time a guest can use the network, enter
the allowed time in Free Access Quota. Click Save to store your changes.
- Guest Account Mode -- The portal page will be displayed with a login box,
and a user name and password will be required. After selecting Guest
account mode, click Save. Click Guest Accounts to create accounts.
4) Click the Portal Page Customization tab.
5) To upload an image for the portal page, first click Choose File. Select the desired
image from your system and click Upload. If no image is selected, the default
image of the AP One will be used.

6) Customize your portal page with a Message and Terms & Conditions.
7) Specify where the customer will be redirected after successful authentication with a
Custom Landing Page if desired.
8) Click Preview to review your design, and click Publish to save your portal page and
make it available to guests.

Testing Guest Access


The Guest SSID is meant for visitors, so it only allows access to
resources outside of the company network.
1) On your notebook, try to connect to the Guest SSID broadcast from the AP One. It
should have Open security without any WPA/WPA2 key required.
2) Once connected, open the command prompt and use ipconfig to check your
notebook IP address.

Ping Test:
1) Ping to Gateway IP: 192.168.0.1
Passed or Failed
2) Ping to AP One IP: 192.168.0.11
Passed or Failed
3) Ping to Google DNS IP: 8.8.8.8
Passed or Failed

Testing Guest Access to Internet


1) On your notebook, open your web browser and enter www.google.com as the URL.
2) You will be redirected to the Captive Portal page, where you will need to review the
T&C and click Agree to proceed.
3) What happens next depends on how you configured the Custom Landing Page. If none
is configured, you will be redirected to your designated page, www.google.com.

Once the wireless client is granted access, you will be able to access Internet sites.
However, clients on the Guest SSID will not be allowed to access internal LAN hosts.
Ping Test:
1) Ping to Gateway IP: 192.168.0.1
Passed or Failed
2) Ping to AP One IP: 192.168.0.11
Passed or Failed
3) Ping to Google DNS IP: 8.8.8.8
Passed or Failed

Testing Staff Access


The Staff SSID is equivalent to internal LAN access, thus it has the same
access rights as wired LAN users.
1) On your notebook, try to connect to the Staff SSID broadcast from the AP One.
Key in staffwlan when Windows prompts you for your WPA/WPA2 key.
2) Once connected, open the command prompt and use ipconfig to check your notebook's IP
address.
Ping Test:
1) Ping to Gateway IP: 192.168.0.1
Passed or Failed
2) Ping to AP One IP: 192.168.0.11
Passed or Failed
3) Ping to Google DNS IP: 8.8.8.8
Passed or Failed
Web Browsing Test:
1) On your notebook, open your web browser and enter www.google.com as the URL. Does
the page load? Yes or No

Balance Router Other Configurations


In addition to the key features mentioned in previous sections, the Balance Router offers
other useful features:
- QoS
- Service Passthrough
- Service Forwarding
- System settings.
The following tasks will be based on this diagram.

Example:

The Balance router has built-in standard firewall functionality, so it can be
used as the firewall in an environment that does not have one. Assuming the
company wants to prevent its staff from accessing social websites, e.g.
facebook.com, a Balance firewall rule by domain name can be
configured.
The steps are as follows, with foobar.com as the example domain name:
1) Go to Network > Firewall > Access Rules and select Domain Name in the
Destination field.
2) Enter foobar.com in the empty field.
3) Click Save and apply the changes.

After a firewall rule by domain name is created, all traffic from that domain will be allowed
or denied according to your settings.

String          Matching Example
foobar.com      foobar.com
*.foobar.com    www.foobar.com, mail.foobar.com
foobar.*        foobar.com, foobar.co.uk
*.foobar.*      www.foobar.co.uk

TIP: If you are trying to block outgoing HTTP access to a website
using a domain name, consider using the Web Blocking feature.

The Balance router has QoS features that let you control traffic
by user group (three predefined groups) as well as by application. In
this scenario, we have implemented an IP Telephony system in the branch
office, with the IP Telephony server residing in HQ. To
optimize voice quality over the Internet links, QoS is essential to
ensure that VoIP traffic is delivered smoothly across sites.
To assign the user group:
1) Go to Network > User Groups under QoS, then either click an existing Subnet or
click the Add button to create a new subnet/IP range.
2) From the Group drop-down list, select the desired group (Manager, Staff, Guest),
then click Save.

To enable QoS based on application:


1) Go to Network > Application under QoS and click the Add button in the Application
section to define the application requiring QoS.
2) In the Add / Edit Application window, choose the appropriate Category and
Application from the drop-down list, e.g. VoIP, and click OK to save.
3) Once the application is defined, it will appear in the Application section. Assign the
Priority for this application (High, Normal, Low).
4) Click Save and apply the changes.

Assume your business partner is running systems that only allow access from IPSec
clients in your office environment. In such a situation, you would need to enable Service
Passthrough Support in your Balance router. By default, the router has IPSec NAT-T
enabled; if IPSec is running on custom ports, you can define the ports
accordingly.
Steps to enable IPSec passthrough:
1) Go to Network > Service Passthrough under Misc. Settings, check the Enable box under IPSec
NAT-T.
2) Check the Define box if it is running on custom ports, and fill in the ports accordingly.
3) Click Save and apply the changes.

Passthrough for other services (e.g. SIP, H.323, FTP & TFTP) can be enabled on this
page as well.

Enable SMTP Forwarding


There are situations where an ISP will block SMTP forwarding from
different ISPs. Thus, the Balance router allows you to select the right ISP
links to forward your SMTP service.
When this option is enabled, all outgoing SMTP connections destined for any
host at TCP port 25 will be intercepted. These connections will then be redirected
to a specified SMTP server and port number. SMTP server settings for each
WAN can be specified after selecting Enable.

Steps to enable SMTP Service Forwarding:

1) Go to Network > Service Forwarding under Misc. Settings, check the Enable box
under SMTP Forwarding.
2) A window appears listing the WAN connections. Check Enable for the respective WAN
and enter the associated SMTP Server name/IP.
3) Click Save and apply the changes.

Enable DNS Forwarding


When this option is enabled, all outgoing DNS lookups will be intercepted and redirected
to the built-in DNS name server.
If any LAN device is using DNS name servers of a WAN connection, you may want to
enable this option to enhance the DNS availability without modifying the DNS server
setting of the clients. The built-in DNS name server will distribute DNS lookups to
corresponding DNS servers of all available WAN connections. In this case, DNS service
will not be interrupted even if any WAN connection is down.

Some of the System settings are crucial to operation, e.g. InControl,
Remote Assistance, and Email Notification.
InControl Cloud Management
When this check box is checked, the device's status information, usage data, and
configuration will be sent to Peplink's InControl system. You can sign up for an InControl
account at https://incontrol.peplink.com/. You can register devices under your account,
monitor device status and usage reports, as well as download backed up configuration
files.
Default: Enabled
(Post usage data): Disabled
Email Notification
The Email Notification feature allows email to be sent to the listed recipient email
addresses when the following events take place:
- Email notification test
- A new firmware version is available
- Health status changes for any WAN connection
- VPN status changes
- Bandwidth usage has reached 75% of the allowance
- Bandwidth usage has reached 95% of the allowance

Click the Test Email Notification button and then click Send Test Notification to send a
test email.
Remote Assistance
When you face a serious technical issue with the Balance router and need
Peplink Technical Support to check on the device, you can turn on this feature: go to
Status > Remote Assistance under the System Information window.
Diagnostic Report
Normally, when you report a problem related to the Balance router to Peplink Technical
Support, it is good to attach the Diagnostic Report so the support team can
analyze it to understand the router's condition. To generate the report, go to
Status > Diagnostic Report under System Information. Click on the Download button
to save the file.
The report filename usually has the format below:
YYYYMMDD_Model No._SSSSSSSSSSSS_diag.report
where:
YYYY: 4 digits representing the year
MM: 2 digits representing the month
DD: 2 digits representing the day
Model No.: the Balance model, e.g. B380
SSSSSSSSSSSS: 12-digit serial number

Support Information page


Another way to turn on Remote Assistance is through the Web Admin URL
shown above, http://<your peplink ip>/cgi-bin/MANGA/support.cgi.
The Diagnostic Report can also be obtained on this page, in addition to the Status page.
This page also shows the negotiated speed and duplex status of the router's Ethernet
connections, which aids troubleshooting tasks such as debugging connectivity issues.
Additional Support Resources
1) If you need to access the product's user manual or firmware, please visit
http://www.peplink.com/support/downloads/.
2) To access our knowledge base, please visit http://www.peplink.com/knowledgebase/
to find out more about our product deployment scenarios in various environments and
requirements.
3) To log a case with Peplink support, you can send your case to
priority.support@peplink.com.
Out of the box, the Pepwave MAX router comes with the following default
settings:
IP: 192.168.50.1/24
Username: admin
Password: admin
LAN DHCP: Enabled
DHCP IP Range: 192.168.50.10 - 192.168.50.250

In the diagram, the switch is optional for console access to the Pepwave MAX
router. You can plug the UTP cable directly from the PC/notebook into the MAX
router's LAN port for the same purpose.
Generally, the Web Admin UI is similar to the Balance router's, making it easier
for users who have experience with the Balance router UI.

After entering the parameters correctly, you will be able to log in to the Web
Admin page.
The Dashboard provides a status overview of the MAX Router:
- WAN interfaces connectivity status
- LAN interface connectivity status
- System Uptime
- System CPU Load, in %
- Device Throughput, in Mbps
- Depending on the model, GPS map status (provided on the BR1 & HD2)
A unique feature of the MAX router interface is that you can configure the WAN
interfaces on the WAN Connection Status page. You can do so by clicking the Details
button on each WAN interface bar. Alternatively, you can go to Network > WAN to
reach the same settings page.
On this page, you can also assign different priority levels to the WAN interfaces by
dragging the interface bar up or down. If all WAN interfaces are assigned the same
priority, the router will perform load balancing for the WAN traffic.

Note:
Depending on the model of MAX router, only the MAX HD2, MAX 700, and MAX OTG (U4 &
U4-SF) will allow WAN load balancing; the other models will allow WAN failover.

Cellular Interface Settings


The settings are similar across different interfaces. However, the cellular interface
has an extra feature you need to take note of.
When you click on the Details button of any of the active Cellular WAN interfaces, you
will reach the Connection Details setting page shown above. If the mobile broadband
provider or the data plan has a quota limit (e.g. 2GB/month), then you need to enable
Bandwidth Allowance Monitor and set the data limit on this WAN to 2GB. At the same
time, in the Action section, you can set the MAX router to notify you via email if the
usage hits 75% of quota. Lastly, you can choose whether this particular WAN link
continues or disconnects once usage reaches 100% for that month.
Health Check Method: SmartCheck
SmartCheck will trigger a DNS lookup health check if no return packet has been received
10 seconds after an outbound packet was sent. Since it is not an active algorithm (one
that sends health check packets at a constant interval), it saves bandwidth.
If the Cellular WAN has limited data usage/quota, and you want to reduce the Cellular
WAN utilization, you can:
1) Choose SmartCheck as Health Check Method
2) Set Standby State of Cellular WAN to "Disconnected" instead of "Remain
Connected"
3) Increase the value of Health Check Interval
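
The following is an added example, not Peplink firmware code: a small Python model of the SmartCheck rule as described above, compared with an active checker that probes at a fixed interval. The traffic timeline, the 5-second active interval and all function names are assumptions made for illustration.

```python
"""Model of the SmartCheck description above (illustrative, not firmware code)."""

QUIET_SECONDS = 10  # from the text: no return packet 10 s after an outbound packet


def smartcheck_probes(events, duration, quiet=QUIET_SECONDS):
    """Return the seconds at which a passive checker would fire a DNS probe.

    events: list of (second, "out" | "in") tuples seen on the WAN link.
    A probe fires only when an outbound packet has gone unanswered for
    `quiet` seconds, so an idle link never triggers one.
    """
    by_second = {}
    for second, kind in events:
        by_second.setdefault(second, []).append(kind)

    waiting_since = None  # time of the oldest outbound packet with no reply yet
    probes = []
    for now in range(duration):
        for kind in by_second.get(now, ()):
            if kind == "out" and waiting_since is None:
                waiting_since = now
            elif kind == "in":
                waiting_since = None  # any return traffic shows the link works
        if waiting_since is not None and now - waiting_since >= quiet:
            probes.append(now)
            waiting_since = None  # restart the timer after probing
    return probes


def active_probes(duration, interval):
    """An active checker probes at a constant interval regardless of traffic."""
    return list(range(0, duration, interval))


def first_probe_at_or_after(probes, failure_time):
    """Earliest moment a checker can notice a failure that began at failure_time."""
    later = [t for t in probes if t >= failure_time]
    return later[0] if later else None


def constructed_timeline():
    """Constructed sample: 60 s on a cellular WAN.

    0-19 s  : one request and one reply per second (healthy, busy)
    20-39 s : no traffic at all; the link silently fails at 30 s
    40-59 s : one request per second, no replies
    """
    events = []
    for t in range(0, 20):
        events += [(t, "out"), (t, "in")]
    for t in range(40, 60):
        events.append((t, "out"))
    return events


LINK_FAILS_AT = 30  # constructed failure time for the sample timeline

if __name__ == "__main__":
    passive = smartcheck_probes(constructed_timeline(), 60)
    active = active_probes(60, 5)
    print("SmartCheck probes sent:", len(passive), "at", passive)
    print("Active probes sent    :", len(active))
    print("Failure first probed  : passive at",
          first_probe_at_or_after(passive, LINK_FAILS_AT), "s, active at",
          first_probe_at_or_after(active, LINK_FAILS_AT), "s")
```

In this model the passive checker spends one probe where the active one spends twelve, but a failure on an idle link is only probed once traffic resumes and goes unanswered.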

MAX routers come with various connectivity options, allowing you to set them
up in different ways to suit customer requirements. In the following
scenarios, we will explore the three most common MAX router deployment
setups.
1) Branch Network Connections: 3 WAN + 2 LAN
2) Mobile Command: 2 WAN + 2 LAN
3) Public Transport: 1 WAN + 2 LAN

Let's take a look at each of these scenarios in detail, and what
configurations need to be done to achieve the objective.

Branch Network Connections


In this environment, we have a fast food business with many outlets throughout the
country. Each of these outlets needs to connect back to HQ in order to update business
transaction data. At the same time, the outlet also needs to provide WiFi to its
customers.
Requirements
1) WAN
The outlet will need cable broadband as the primary WAN link, backed up by a WiFi WAN and a
Cellular WAN.
2) LAN
The wired LAN will serve the outlet's internal LAN, while the WiFi AP can serve both internal
staff and guests.

Configuration of the WAN/LAN interfaces is the same as for the Balance
routers; please refer to the previous section if you need instructions.
This screenshot shows the MAX BR1 router configured with a wired WAN
as the primary link, followed by a WiFi WAN as the first standby, and Cellular as
the secondary standby WAN link.

WAN Failover #1: Wired WAN Failed


The MAX router has built-in intelligent link health checks to enable a
fast failover process. All the standby link(s) are in hot-standby state.
That is, if the primary link fails, the MAX router will redirect the traffic to the
standby WAN links.
Failover Test:
1) Before starting the test, take a Windows machine, launch a command prompt
window and conduct a continuous ping to an Internet host IP (e.g. 8.8.8.8).
2) Unplug the wired WAN of the MAX router (BR1)
3) Observe the changes of WAN Connection Status
4) Which is the active WAN link now? Wired WAN or WiFi WAN or Cellular WAN
5) Any timeout during failover? Yes or No
6) How many timeouts during failover?

WAN Failover #2: Wired WAN & WiFi WAN Failed


Assuming a worse scenario where the first two WAN links are faulty, the
MAX router can still operate with the third WAN, the Cellular broadband link.

Failover Test:
1) Before starting the test, take a Windows machine, launch a command
prompt window and conduct a continuous ping to an Internet host IP (e.g.
8.8.8.8).
2) Unplug the wired WAN of the MAX router (BR1), and change the WiFi WAN
WPA/WPA2 Key to simulate 2 failed WAN links
3) Observe the changes of WAN Connection Status
4) Which is the active WAN link now? Wired WAN or WiFi WAN or Cellular
WAN
5) Any timeout during failover? Yes or No
6) How long was the timeout during failover?

WAN Link Recovery


The MAX router has a fast and smooth recovery mechanism, with no timeout
when service on the primary WAN link(s) is restored.
Recovery Test:
1) Before starting the test, at the Remote site, launch the command prompt window and
conduct a continuous ping to the HQ LAN IP (10.0.0.10)
2) Plug back the Wired WAN & enter the correct WiFi WAN WPA/WPA2 Key for the
MAX BR1 router
3) Observe the changes at the router's WAN Connection Status
4) Which is the active WAN link now? Wired WAN or WiFi WAN or Cellular WAN
5) Any timeout during failover? Yes or No
6) How long was the timeout during failover?
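
To answer the timeout questions in the two failover tests and the recovery test above from a saved ping transcript rather than by watching the window, the following added example (not part of the original training material) counts lost probes and outage runs in Windows `ping -t` output. The sample transcript is constructed, and the function names are illustrative.

```python
import re

# A successful Windows ping line, e.g. "Reply from 8.8.8.8: bytes=32 time=14ms TTL=117"
REPLY_OK = re.compile(r"^Reply from \S+: bytes=\d+ time[=<]\d+ms TTL=\d+")
# Lines that mean the probe got no answer from the target.
LOSS_MARKERS = ("Request timed out", "Destination host unreachable",
                "General failure", "transmit failed")


def classify(line):
    """Return "ok", "lost", or None for headers, blanks and statistics."""
    line = line.strip()
    if REPLY_OK.match(line):
        return "ok"
    # "Reply from <router>: Destination host unreachable." starts with
    # "Reply from" but is a failure, so it must not be counted as a reply.
    if any(marker in line for marker in LOSS_MARKERS):
        return "lost"
    return None


def analyze_ping_log(text):
    """Summarise a ping transcript.

    Returns a dict with the number of probes, the number lost, each outage
    as (first_lost_probe_number, consecutive_losses), and the longest outage.
    """
    sent = lost = 0
    outages = []
    run_start = None
    for line in text.splitlines():
        kind = classify(line)
        if kind is None:
            continue
        sent += 1
        if kind == "lost":
            lost += 1
            if run_start is None:
                run_start = sent
        elif run_start is not None:
            outages.append((run_start, sent - run_start))
            run_start = None
    if run_start is not None:  # transcript ended while the link was still down
        outages.append((run_start, sent - run_start + 1))
    longest = max((length for _, length in outages), default=0)
    return {"sent": sent, "lost": lost, "outages": outages, "longest": longest}


# Constructed sample: wired WAN unplugged after the third probe, traffic
# resumes on a standby link, then one more isolated loss.
SAMPLE_LOG = """\
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=14ms TTL=117
Reply from 8.8.8.8: bytes=32 time=15ms TTL=117
Reply from 8.8.8.8: bytes=32 time=14ms TTL=117
Request timed out.
Request timed out.
Reply from 192.168.50.1: Destination host unreachable.
Reply from 8.8.8.8: bytes=32 time=48ms TTL=115
Reply from 8.8.8.8: bytes=32 time=51ms TTL=115
Request timed out.
Reply from 8.8.8.8: bytes=32 time=47ms TTL=115
"""

if __name__ == "__main__":
    result = analyze_ping_log(SAMPLE_LOG)
    print("Probes sent :", result["sent"])
    print("Probes lost :", result["lost"])
    for start, length in result["outages"]:
        print(f"Outage starting at probe {start}: {length} consecutive losses")
```

Save the output of the continuous ping to a file (for example with `ping -t 8.8.8.8 > ping.txt`) and pass its contents to `analyze_ping_log`.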

Mobile Command
In this example, we have a police patrol driving in an urban area. The MAX BR1 router
can be installed in these vehicles, allowing them to stay connected to their control center
while they are on the move. This is accomplished with 2 different WAN options.

Requirement
1) WAN
The police vehicle can use WiFi WAN as the primary WAN link, backed up by a
Cellular WAN.
2) LAN
The wired LAN will be used for fixed machines, while the WiFi AP can serve
the policemen's handheld devices.

We have gone through the configuration steps of the WAN/LAN interfaces
in the Balance router section, so we will skip that step.
The screenshot shows the MAX BR1 router configured with WiFi WAN as
the primary link, followed by Cellular as the standby WAN link.

Public Transport
Public transport systems often travel long distances, so WiFi WAN may not be able to cover
the entire path. The only available WAN option would be Cellular broadband. If bus
companies want WAN resiliency, the BR1 has 2 SIM slots and 1 embedded modem, so
they can put in a second SIM card for Cellular failover purposes.

Requirement
1) WAN
The bus needs to be equipped with Cellular WAN.
2) LAN
The wired LAN will be used for machines in the bus, and the WiFi AP can
serve the passengers' handheld devices.

We have gone through WAN/LAN configuration in the Balance router
section, so we will skip the explanation here.
The screenshot above shows the MAX BR1 router configured with Cellular as
the primary and only WAN link.

As mentioned earlier, the LAN/WAN interface settings are similar to
those of the Balance router.

The difference between the Balance and MAX routers is that non-interface-related
settings are placed in the Advanced section. You can configure
WiFi Settings, SpeedFusion VPN, Port Forwarding, etc. in this panel.

The System and Status menus are identical to those for the Balance
router.
For further details on these settings, please refer to the relevant firmware
user manual.

This module will examine different real life deployment scenarios, and how
to configure the access points to achieve the desired results.

Course Agenda
Module 4: Wireless Access Point Configurations
- To study how Pepwave Access Points can be implemented into various
deployment scenarios.
- To explain the steps to configure APs to achieve the desired effect.

Hardware Overview

Setting up the AP One for the 1st time:


1) Default settings
IP: 192.168.0.3/24
Username: admin
Password: public
LAN DHCP: Disabled
2) Connect a PC to the backbone network. Configure the IP address of the PC to be
between 192.168.0.4 and 192.168.0.254, with a subnet mask of 255.255.255.0.
3) Using Microsoft Internet Explorer 6 or above, Mozilla Firefox 2.0 or above, or Google
Chrome 2.0 or above, connect to https://192.168.0.3.
4) Enter the default admin login ID and password, admin and public respectively.
After logging in, the main information page will appear. Click System, located
under Configure on the left, to begin setting up your access point.

After entering the parameters correctly, you will be able to log in to the Web
Admin page.
The System Information page provides an overview of system conditions:
- Model
- Firmware Version
- AP Name
- Location (user-defined, for the AP's physical location)
- Serial Number
- MAC Address
- Network IP Information (details will be displayed if the default settings have been changed)
- System Time
- Up Time

First, we will define some system settings (e.g. Name, IP information,
etc.).
Steps to configure system settings:
1) Go to Configure > System
2) Click on Basic tab
3) Enter the necessary information
4) If you want the AP to keep the default Management IP after reboot, click the
checkbox to enable Keep Default IP; otherwise uncheck the box.
5) If this AP is managed as a standalone unit using a static IP, select Manual as the IP
Address Mode, then enter the Static IP Address.
6) To save the changes and activate them later, click the Save button; to apply the changes
immediately, click the Save to flash and activate button.

The Pepwave AP One series has a unique feature: it can operate in either
Layer 2 (Bridge) or Layer 3 (Router) mode.
A. Router Mode
- When using Router mode, your Pepwave access point can be used as a DHCP
server for devices located behind it in the network, and provide routing between the
wired and wireless networks.
- In this example, putting the AP One in router mode would separate the wireless LAN
from the wired LAN segment, either for security control & enforcement or for broadcast
isolation.
B. Bridge Mode
- This is the typical WLAN deployment, where the AP bridges the wired and
wireless networks in the same broadcast domain.

To select the AP role:

1) Go to Configure > System
2) Click on Advanced tab
3) Select Bridge or Router in AP Mode field
4) Once the selection is made, it will toggle the configuration mode of the
LAN settings page.

LAN Settings
Manual Router Settings are available only when AP Mode in Advanced
System Settings is set to Router.
1) Go to Configure > LAN to access the LAN settings page.
2) Assign the IP details for the wireless segment; addresses from this segment will be
assigned to wireless clients. The AP IP will be the default gateway for the wireless
clients.

LAN Settings are disabled when the AP One is set to bridge mode, and all the fields
will be greyed out. Wireless clients will get their IP addresses from the DHCP server
on the wired LAN, and their packets will pass through the AP One to reach
the wired LAN.

In a normal office WLAN deployment scenario, the AP will host at least 2
different sets of users, namely internal and external.
Requirement
The customer has recently purchased one unit of Pepwave AP One. They want to
enable wireless access for their staff and visitors. Staff will have full access to internal
networks and the Internet, and visitors will only have Internet access.
LAN IP: 192.168.0.0/24
Staff SSID: same access rights as wired LAN users
Staff Login Method: WPA/WPA2 PSK
Guest SSID: only allowed to access the Internet
Guest Login Method: Open Authentication with no security

Let's look at the tasks needed to accomplish the objective.

To create the SSID:


1) Go to Configure > Wireless Networks and click the Add button on the Wireless
Networks tab.
2) The Wireless Network Details page will open. Click the Yes button to enable the
SSID you want to create.
3) In the Wireless Network SSID field, define the SSID, e.g. Guest.
4) The Broadcast SSID check box is enabled by default.
5) Assign the Security Level from the choices of Open, Static WEP, 802.1X, WPA,
WPA2, and WPA and WPA2. For the Guest SSID, choose Open.
6) Click Save to flash and activate to apply the changes.

The next two slides show the advanced settings for the SSID configuration.

As mentioned earlier, visitors are only allowed to access the Internet, so
we need to put measures in place to prevent them from reaching internal
networks:
1) Click on the Guest Protect tab under Wireless Network Details for Guest SSID.
2) Select the Block All Private IPs tab, then tick the checkbox for Block LAN
Access to turn on the feature.
3) If this AP One has established a SpeedFusion VPN tunnel and you don't want
Guest traffic to pass through it, tick the checkbox for Block SpeedFusion as well.

You can also block custom subnets using the Custom Subnet tab, or
prevent all with exception via Block Exception tab.
One more step to complete the Guest SSID configuration, as shown in
next page.

It is normal to have different groups of visitors needing Internet access
at the same time, so you may want to prevent them from seeing each other for
visitor privacy purposes:
1) Click on the Advanced tab under Wireless Network Details for the Guest SSID.
2) Leave the other settings as they are, and select the checkbox for Layer 2 Isolation
to turn on the feature.
3) Click Save to flash and activate to apply the changes.

Once this feature is turned on, wireless clients in the Guest network
will not be able to access each other.
Next, get a machine to test the configuration.

Testing Guest Access

1) On your notebook, connect to the Guest SSID broadcast by the AP One. It
should use Open security, with no WPA/WPA2 key required.
2) Once connected, open the command prompt and use ipconfig to check your notebook's IP
address, or verify it via the Windows Wireless Network Connection Status.

Ping and Access Tests:

1) Ping the Gateway IP (192.168.0.1) and the Google DNS IP (8.8.8.8)
Passed or Failed
2) Open a web browser and access Internet web sites (e.g. www.google.com)
Passed or Failed

To create the Staff SSID:

1) Go to Configure > Wireless Networks and click the Add button on the
Wireless Networks tab.
2) The Wireless Network Details page opens. Click the Yes button to
enable the SSID you want to create.
3) In the Wireless Network SSID field, define the staff SSID as Staff, and assign the
Security Level WPA and WPA2; the key is staffwlan.
4) Click Save to flash and activate to apply the changes.

Next, on the Guest Protect tab, ensure the guest protect features are unchecked:
1) Click on the Guest Protect tab under Wireless Network Details for the Staff SSID.
2) Select the Block All Private IPs tab, then uncheck the checkbox for Block LAN
Access to turn off the feature.
3) If this AP One has established a SpeedFusion VPN tunnel, and you want Staff
traffic to be forwarded to the tunnel, uncheck the checkbox for Block SpeedFusion.

One more step completes the Staff SSID configuration, as shown on the next
page.

For internal staff access, layer 2 security need not be applied. To ensure it is
not enabled:
1) Click on the Advanced tab under Wireless Network Details for the Staff SSID.
2) Leave the other settings as they are, and make sure the checkbox for Layer 2 Isolation
is clear.
3) Click Save to flash and activate to apply the changes.

Next, get a machine to test the new configuration.

Testing Staff Access

1) On your notebook, connect to the Staff SSID broadcast by the AP One. It should
use WPA/WPA2 security; the key is staffwlan.
2) Once connected, open the command prompt and use ipconfig to check your notebook's IP
address, or verify it via the Windows Wireless Network Connection Status.

Ping and Access Tests:

1) Ping the Gateway IP (192.168.0.1) and the Google DNS IP (8.8.8.8)
Passed or Failed
2) Open a web browser and access Internet web sites (e.g. www.google.com) and an internal
website (e.g. Gateway web console, http://192.168.0.1)
Passed or Failed
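
A scripted version of the Guest and Staff access tests above, as an added example that is not part of the original training material. It also adds the negative check the requirement implies (a guest must not reach the internal website); the TCP ports and the treatment of the gateway web console as an internal resource for guests are assumptions of this example.

```python
import socket
from dataclasses import dataclass

# Targets taken from the page's test steps; the ports are assumptions.
TARGETS = {
    "gateway_console": ("192.168.0.1", 80),   # internal website from the Staff test
    "google_dns": ("8.8.8.8", 53),            # Internet reachability by IP
    "internet_web": ("www.google.com", 443),  # Internet reachability by name
}

# Expected reachability per SSID, derived from the stated requirement
# (Staff: internal networks and Internet, Guest: Internet only).
# Assumption: the gateway web console counts as internal for guests.
EXPECTED = {
    "Staff": {"gateway_console": True, "google_dns": True, "internet_web": True},
    "Guest": {"gateway_console": False, "google_dns": True, "internet_web": True},
}

@dataclass
class Result:
    target: str
    expected: bool
    observed: bool

    @property
    def verdict(self):
        if self.expected == self.observed:
            return "Passed"
        # Reachable although it should not be is the security-relevant failure.
        return "Failed (LEAK)" if self.observed else "Failed (no access)"

def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable or name not resolved
        return False

def check_ssid(ssid, probe=tcp_probe):
    """Probe every target and compare with what the SSID should allow."""
    return [Result(name, EXPECTED[ssid][name], probe(host, port))
            for name, (host, port) in TARGETS.items()]

def leaks(results):
    """Targets that were reachable although the policy says they must not be."""
    return [r.target for r in results if r.observed and not r.expected]

if __name__ == "__main__":
    import sys
    ssid = sys.argv[1] if len(sys.argv) > 1 else "Guest"
    for r in check_ssid(ssid):
        print(f"{ssid:5} {r.target:16} expected={r.expected!s:5} "
              f"observed={r.observed!s:5} {r.verdict}")
```

Run it once while associated to each SSID, passing the SSID name (Guest or Staff) as the argument.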

A wireless distribution system (WDS) is useful for deployment sites
with areas that cables cannot reach, and for temporary deployments. Using
WDS, it is possible to wirelessly connect Access Points, and in doing so
extend a wired infrastructure to locations where cabling is impossible or
inefficient to implement.
Note:
WDS may also be considered a repeater mode because it appears to bridge and accept
wireless clients at the same time (unlike traditional bridging). However, with this method,
throughput is halved for all clients connected wirelessly.

Requirement
The customer is expanding their head office, and the cabling work can only be
completed in a month's time. Staff need to move in to the new office area immediately. In
response, the IT manager will set up a WDS using an additional AP One (AP #2) to
wirelessly connect back to the existing AP One (AP #1).
Information needed to set up WDS
MAC addresses of both APs
Encryption type: None or AES
Passphrase
Encryption Key

Let's look at the tasks needed to accomplish the objective.

To set up the WDS on both APs:

1) Go to Configure > WDS; the WDS Details window tab will appear.
2) Select the Yes radio button to enable the function.
3) Key in the MAC Address of the peer AP.
4) Enter any wording for the Passphrase, e.g. wdskey, then click the Generate Key button
to create the Encryption Key.
5) Click Save to flash and activate to apply the changes.

Once the settings are saved, it will take a moment for both APs to
recognize each other, then initiate and negotiate the WDS connection. Go to
the status page to verify the WDS status.

To verify the WDS status on both APs:

1) Go to Information > Wireless > WDS Info tab.
2) If the WDS is established, you will be able to see the peer AP details in this window. The
information includes:
Manufacturer
Peer MAC Address
Encryption
Type
Signal
TX/RX Bytes (Packets)

Testing Access Through WDS

1) On your notebook, connect to the SSID configured on AP #2, e.g. Pismo Research in
this case.
2) Once connected, open the command prompt and use ipconfig to check your notebook's IP
address, or verify it via the Windows Wireless Network Connection Status.

Ping and Access Tests:

1) Ping the Gateway IP (192.168.0.1) and the Google DNS IP (8.8.8.8)
Passed or Failed
2) Open a web browser and access Internet web sites (e.g. www.google.com) and an internal
website (e.g. Gateway web console, http://192.168.0.1)
Passed or Failed

To verify client connections at AP #2:

1) Go to Information > Wireless > Connected Clients tab.
2) If clients are associated, you will be able to see their details in this window, grouped
by SSID. The information includes:
MAC Address
Manufacturer
IP Address
Type
Signal
Duration
TX/RX Rate
TX/RX Bytes (Packets)
TX Errs
RX Errs

Requirement
A company wishes to install an AP in their office, but they are aware that other tenants on the
same floor have already installed a WLAN infrastructure. They want to know which
wireless spectrum (channel) will have the least interference.
The AP One series is capable of discovering nearby wireless networks and listing
all the wireless network information. That way, you can choose the least affected
channel (if no free channel is available) for your AP.

To enable the nearby network discovery:

1) Go to Configure > Advanced Wireless > Advanced Features tab.
2) Click the Discover Nearby Networks checkbox to enable the feature.
3) Click Save to flash and activate to apply the changes.

To view the nearby networks discovered:

1) Go to Information > Wireless > Nearby Networks tab.
2) If any are detected, a list of APs is shown, with the following details:
Manufacturer
SSID
Security
MAC Address
Channel
Signal
Last Seen
Status
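
One way to turn the Nearby Networks list into a channel choice, as an added example that is not Peplink's own algorithm. It assumes the Signal column is in dBm, considers only the non-overlapping 2.4 GHz channels 1, 6 and 11, and uses a simple linear overlap weighting; the sample networks are constructed.

```python
# Constructed sample of Nearby Networks rows (SSID, Channel, Signal).
# Assumption: Signal is reported in dBm; all names and values are made up.
NEARBY = [
    {"ssid": "TenantA", "channel": 1, "signal_dbm": -48},
    {"ssid": "TenantB", "channel": 1, "signal_dbm": -60},
    {"ssid": "TenantC", "channel": 6, "signal_dbm": -70},
    {"ssid": "TenantD", "channel": 11, "signal_dbm": -55},
    {"ssid": "TenantE", "channel": 9, "signal_dbm": -65},
]

def dbm_to_mw(dbm):
    """Convert dBm to milliwatts so that signal powers can be summed."""
    return 10 ** (dbm / 10)

def overlap(candidate, neighbour):
    """Heuristic weight: 1.0 on the same channel, falling linearly to 0.0
    at five channels apart, where 2.4 GHz channels no longer overlap.
    5 GHz neighbours (channel 36 and up) therefore always weigh 0."""
    return max(0.0, 1 - abs(candidate - neighbour) / 5)

def rank_channels(networks, candidates=(1, 6, 11)):
    """Return [(channel, interference_mW)] sorted from least to most affected."""
    scores = []
    for ch in candidates:
        total = sum(dbm_to_mw(n["signal_dbm"]) * overlap(ch, n["channel"])
                    for n in networks)
        scores.append((ch, total))
    # sorted() is stable, so ties keep the order given in `candidates`.
    return sorted(scores, key=lambda item: item[1])

def best_channel(networks, candidates=(1, 6, 11)):
    """Least affected channel; a score of 0 means a free channel."""
    return rank_channels(networks, candidates)[0][0]

if __name__ == "__main__":
    for ch, mw in rank_channels(NEARBY):
        print(f"channel {ch:2}: {mw:.3e} mW of overlapping signal")
    print("suggested channel:", best_channel(NEARBY))
```

With the sample data, channel 6 is suggested: the strong neighbours sit on channels 1 and 11, and only a weak network on channel 9 partly overlaps it.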

If the AP needs to provide higher power output to cover a bigger
area wirelessly, you can enable the Power Boost feature as follows:
1) Go to Configure > Advanced Wireless > Radio Settings tab.
2) Click the Power Boost checkbox to enable the feature.
3) Click Save to flash and activate to apply the changes.

Note:
Enabling the Power Boost feature increases the output power from 400mW to 2W,
which maximizes your access point's Wi-Fi capacity. Please enable it only if local
regulations permit.

There are other settings like SpeedFusion, SNMP and Web Administration
in the Configure menu, and Tools and Commands, which will not be discussed.
For further details on these settings, please refer to the relevant firmware
user manual.

This module will examine different real-life deployment scenarios, and
provide detailed instructions on how to utilize the major features of the Surf
On-The-Go.

First-time setup steps on the Surf On-The-Go (SOTG):

1) Default settings
LAN IP: 192.168.20.1/24
Admin ID: (No ID by default)
Admin PW: (No password by default)
DHCP Enabled
DHCP Range: 192.168.20.10 - 192.168.20.250
WLAN AP: Enabled
SSID: PEPWAVE_#### (where #### is the suffix of the MAC Address of the
SOTG)
2) Connect a PC to the SOTG Ethernet port. It will be assigned an IP address between
192.168.20.1 to 192.168.0.20, with a subnet mask of 255.255.255.0.
3) Using Microsoft Internet Explorer 6 or above, Mozilla Firefox 2.0 or above, or Google
Chrome 2.0 or above, connect to https://192.168.20.1.
4) As there is no login security enabled by default, you will be redirected to the Dashboard
page.

Dashboard Page
On the Dashboard page, you will see the device's current WAN connection status. It also
displays a real-time graph showing Network Data Usage and Signal Timeline (if WiFi
or Cellular is active).
You can change the WAN connection type by clicking the Switch WAN Mode icons
(WiFi, Cellular, Wired).

Status Page
You can view the device status on this page. The detailed information includes:
Firmware version
Hardware version
Model
Serial Number
Supported Mode (operating radio frequency, a/b/g/n)
etc.
If the WAN link is active, you will see the relevant information like IP Address, Subnet Mask,
Gateway, etc.

Your Surf On-The-Go supports three WAN connection modes, giving you
maximum connectivity on the road, at the office, or at home.
Wi-Fi Mode
Connect to the Internet via a Wi-Fi Hotspot (with Cellular as backup), and provide a Local
Access Point and Ethernet Connection. e.g. Wi-Fi Services from ISP, Hotel, RV Park,
Marina.

Cellular Mode
Connect to the Internet using a 4G (WiMAX / LTE) or 3G USB Modem, and provide a Local
Access Point and Ethernet Connection. e.g. Traveler, Remote Area.

Wired Mode
Connect to the Internet via an Ethernet cable (with Cellular as backup), through a
DSL/Cable Modem or Router, and provide a Local Access Point. e.g. Home, Hotel

Wi-Fi Mode
Wi-Fi Mode makes it easy to share Wi-Fi service provided by hotels,
restaurants, marinas, RV parks, and more. Once connected to Wi-Fi, your
Surf can serve as a local access point for an unlimited number of devices.
You can also connect printers, game consoles, and other wired devices to
the Surf using its Ethernet port.

WiFi Mode Configuration Steps

1) Connect to the Web Admin Interface. Click Wi-Fi, and then Settings.
2) In the Wireless Settings section, change Wireless Network Name (SSID) from the
default value of MySSID to the SSID specified by your wireless Internet service
provider. Otherwise, you may change this field to a blank value, and then select an
SSID from the resulting list, which also includes corresponding encryption types and
signal strengths. With the MAC Clone function, you can use the Ethernet client
MAC address as the Surf's WAN MAC address.
3) From the Authentication drop-down menu, select the authentication type required
by your Wi-Fi Internet service provider. Then, if applicable, enter the Encryption Key
value provided by your ISP.
4) In the AP Settings section, select Configure Manually. In the AP SSID field, enter
the network name used to identify the home Wi-Fi network. The default AP SSID
value is PEPWAVE_####; change it to MY-MOTG.
5) From the Authentication drop-down menu, select WPA/WPA2-Personal. In the
Encryption Key field, enter an authentication password of at least 8 characters, e.g.
motgwlan. To store your settings, click the Save button that appears on the lower
right.
6) Navigate to the Dashboard page, which displays connection details and signal
strength level.

7) Upon successful connection, all of the LEDs on the Surf should be lit as follows:
PWR - Solid Green
RDY - Yellow
ENET - Solid Green
Wi-Fi - Displays a varying number of lit signal bars depending on the strength
of the received signal
If any open WiFi Hotspot is available, you can configure the Surf OTG to enable the
Connect to Any Open Mode AP feature, with which it will connect to these Hotspots
automatically.
When needed, you can use the Ethernet client MAC address as the Surf's WAN MAC
address by enabling "MAC Clone" under Wi-Fi WAN Settings.

Testing Client Access

1) On your notebook, connect to the MY-MOTG SSID broadcast by the Surf OTG. It
should use WPA/WPA2 security; the key is motgwlan.
2) At the same time, to verify that the Surf OTG Ethernet port is in LAN mode, connect a UTP
cable from the notebook to the switch.
3) Once connected, open the command prompt and use ipconfig to check that your notebook
obtains IP addresses on both the Wireless and Ethernet adapters.

Ping and Access Tests:

1) Ping the Gateway IP (192.168.20.1) and the Google DNS IP (8.8.8.8)
Passed or Failed
2) Open a web browser and access Internet web sites (e.g. www.google.com)
Passed or Failed

Cellular Mode
This mode allows you to connect your Surf to a 3G or 4G (WiMAX/LTE)
USB modem and share the connection with all your devices wirelessly
and/or using the Surf's Ethernet port. Cellular Mode is an ideal choice for
travelers or those living/working in remote areas without broadband service.

Cellular Mode Configuration Steps

1) Connect to the Web Admin Interface. Click Cellular, and then Settings.
2) Click Cellular Settings on the left. In general, selecting Auto Operator Settings is
sufficient to connect to the Internet. If not, select Custom Operator Settings to
manually enter settings specified by your cellular service provider (typically APN and
Dial Number). When finished, click Save on the lower right.
3) Refer to the previous example for WLAN AP settings: the SSID is MY-MOTG and the
WPA/WPA2 key is motgwlan.
4) Navigate to the Dashboard page, which displays connection details and signal
strength.
5) Upon successful connection, all of the LEDs on the Surf should be lit as follows:
PWR - Solid Green
RDY - Yellow
ENET - Solid Green
Wi-Fi - Displays a varying number of lit signal bars depending on the
strength of the received signal

Testing Client Access

1) On your notebook, connect to the MY-MOTG SSID broadcast by the Surf OTG. It
should use WPA/WPA2 security; the key is motgwlan.
2) At the same time, to verify that the Surf OTG Ethernet port is in LAN mode, connect a UTP
cable from the notebook to the switch.
3) Once connected, open the command prompt and use ipconfig to check that your notebook
obtains IP addresses on both the Wireless and Ethernet adapters.

Ping and Access Tests:

1) Ping the Gateway IP (192.168.20.1) and the Google DNS IP (8.8.8.8)
Passed or Failed
2) Open a web browser and access Internet web sites (e.g. www.google.com)
Passed or Failed

Wired Mode
Wired Mode lets you connect the Surf to a DSL/cable modem or router.
You can also connect the Surf to a multi-port switch for use with multiple
wired and wireless devices.

Wired Mode Configuration Steps

1) Connect one end of an Ethernet cable to the Surf On-The-Go and the other end to
your Internet source.
2) Refer to the previous example for WLAN AP settings: the SSID is MY-MOTG and the
WPA/WPA2 key is motgwlan.
3) Connect to the Web Admin Interface. Click Wired, and then Settings.
4) In the WAN IP Settings section, select the method the Surf will use to obtain an IP
address:
Configure Manually - After selecting this option, manually enter a static IP
address.
Obtain an IP Address using DHCP - Obtain an IP address automatically.
Obtain an IP Address using PPPoE - Connect to Internet service using
PPPoE.
5) Navigate to the Dashboard page, which displays connection details and signal
strength level.
6) Upon successful connection, all of the LEDs on the Surf should be lit as follows:
PWR - Solid Green
RDY - Yellow
ENET - Solid Green
Wi-Fi - Displays a varying number of lit signal bars depending on the strength
of the received signal

Testing Client Access

1) On your notebook, connect to the MY-MOTG SSID broadcast by the Surf OTG. It
should use WPA/WPA2 security; the key is motgwlan.
2) Since the Surf OTG is operating in Wired Mode, the Ethernet port has become the WAN
interface, so no DHCP Server service is available through this interface.
3) Once connected, open the command prompt and use ipconfig to check that your notebook
obtains an IP address on the Wireless adapter.

Ping and Access Tests:

1) Ping the Gateway IP (192.168.20.1) and the Google DNS IP (8.8.8.8)
Passed or Failed
2) Open a web browser and access Internet web sites (e.g. www.google.com)
Passed or Failed

WAN Connection Failover

The Surf OTG provides WAN failover if it's running in WiFi Mode or Wired
Mode, with Cellular as the standby WAN link. This feature adds WAN
reliability that would normally be available only in enterprise setups.

WAN Failover Configuration Steps (Wired WAN Mode)

1) Connect to the Web Admin Interface. Click Wired, and then Settings.
2) Ensure the Wired radio button is selected in the WAN Mode.
3) In the Fail Over Settings section, click the Enable radio button to turn the
Cellular WAN into the backup link for Wired (or WiFi) WAN Mode.
4) Click the Save button at the bottom of the page to save and apply the changes.

On the Dashboard, the Cellular 1 icon will appear below the Wired WAN.
Its state depends on the Cellular settings: if you choose disconnect, it will
remain disconnected (icon dimmed) while the primary WAN link is active. If
you select remained connected in the Cellular settings, the cellular link will
establish a connection and remain in hot-standby mode (icon turned green).

Wired Failed, Cellular WAN Take-over

1) Unplug the UTP cable from the Surf OTG Ethernet port.
2) Notice the Dashboard WAN link status.

When the Surf OTG detects that the Wired WAN has failed, it automatically brings up the
Cellular WAN. As shown in the screen capture, Cellular 1 is active (green
icon) with the signal strength status displayed.

Testing Client Access After Wired WAN Failover

1) On your notebook, connect to the MY-MOTG SSID broadcast by the Surf OTG. It
should use WPA/WPA2 security; the key is motgwlan.
2) Once connected, open the command prompt and use ipconfig to check that your notebook
obtains an IP address on the Wireless adapter.

Ping & Traceroute Tests:

1) Ping the Gateway IP (192.168.20.1) and Google Malaysia (www.google.com.my)
Passed or Failed
2) Traceroute to Internet web sites (e.g. www.google.com.my)
Note down the path taken

Testing Client Access After Wired WAN Service Restored

1) Plug the UTP cable back into the Surf OTG Ethernet port.
2) Notice the Dashboard WAN link status.

When the Surf OTG detects that the Wired WAN is restored, it forwards traffic on the
Ethernet port again, and at the same time puts the Cellular WAN in standby mode by
disconnecting from the cellular connection.
Ping & Traceroute Tests:
1) Ping the Gateway IP (192.168.20.1) and Google Malaysia (www.google.com.my)
Passed or Failed
2) Traceroute to Internet web sites (e.g. www.google.com.my)
Note down the path taken and compare it with the path taken when the Wired WAN failed

Surf OTG Other Settings

There are other settings available on the Surf OTG, such as Cellular Settings, WiFi WAN
Profile Settings, PepVPN, Web Administration (turn on login ID and password), Port
Forwarding, QoS, Firmware upgrade, and System settings.
For further details on these settings, please refer to the relevant firmware user manual.
