Pismolabs Technology P1811ACLTE User Manual

Peplink Balance B30 LTE User Manual
Peplink Products:
Peplink Balance 30 LTE / Balance 30 LTE / BPL-031-LTE-E-T / Pismo 811AC /
Peplink Balance Firmware 7.1.1 April 2019
Table of Contents
https://www.peplink.com 1 Copyright @ 2019 Peplink
Introduction and Scope
Glossary
Product Comparison Chart
Product Features
Supported Network Features
Other Supported Features
Advanced Feature Summary
Drop-in Mode and LAN Bypass: Transparent Deployment
QoS: Clearer VoIP
Per-User Bandwidth Control
High Availability via VRRP
USB Modem and Android Tethering
Built-In Remote User VPN Support
LACP NIC Bonding
Package Contents
Peplink Balance 30 LTE
Peplink Balance Overview
Peplink Balance 30 LTE
Installation
Preparation
Constructing the Network
Basic Configuration
Connecting to the Web Admin Interface
Configuration with the Setup Wizard
Network Tab
WAN
Health Check Settings
Bandwidth Allowance Monitor Settings
Additional Public IP Settings
Dynamic DNS Settings
LAN
Network Settings
Network Settings (Common Settings)
Port Settings
VPN
SpeedFusion
IPsec VPN
Outbound Policy
Inbound Access
Servers
Services
DNS Settings
SOA Records
NS Records
MX Records
CNAME Records
A Records
PTR Records
TXT Records
SRV Records
Reverse Lookup Zones
SOA Record
NS Records
CNAME Records
PTR Records
DNS Record Import Wizard
NAT Mappings
MediaFast
Setting Up MediaFast Content Caching
Viewing MediaFast Statistics
Prefetch Schedule
ContentHub
MDM Settings
Captive Portal
QoS
User Groups
Bandwidth Control
Application
Prioritization for Custom Application
DSL/Cable Optimization
Firewall
Access Rules
Intrusion Detection and DoS Prevention
Content Blocking
Application Blocking
Web Blocking
Customized Domains
Exempted User Groups
Exempted Subnets
URL Logging
OSPF & RIPv2
BGP
Remote User Access
Misc. Settings
High Availability
Certificate Manager
Service Forwarding
SMTP Forwarding
Web Proxy Forwarding
DNS Forwarding
Custom Service Forwarding
Service Passthrough
AP Tab
AP
AP Controller
Wireless SSID
Settings
AP Controller Status
Info
Access Points (Usage)
Wireless SSID
Wireless Client
Nearby Device
Event Log
Toolbox
System Tab
System
Admin Security
Firmware
Time
Schedule
Email Notification
Event Log
SNMP
InControl
Configuration
Feature Add-ons
Reboot
Tools
Ping
Traceroute
Wake-on-LAN
CLI (Command Line) Support
Status Tab
Status
Device
Active Sessions
Client List
WINS Clients
OSPF & RIPv2
MediaFast
SpeedFusion Status
Event Log
Device Event Log
IPsec Event Log
Bandwidth
Real-Time
Hourly
Daily
Monthly
Harrington Industrial Plastics
PLUSS
1 Introduction and Scope
The Peplink Balance series provides link aggregation and load balancing across up to thirteen WAN connections.
The Peplink Balance series offers cost-effective solutions suitable for SOHO/power users and small businesses. The Balance lineup also features a range of advanced enterprise solutions. Peplink enterprise routers are ideal single-box solutions for medium to large business environments, and they allow service providers to enable highly available multi-network services.
The Peplink MediaFast series downloads and buffers video, audio, iTunes/iTunes U, HTTP, and other content for uninterrupted learning and fun anytime.
This manual applies to the following Peplink Balance products:
Peplink Balance 30 LTE
Peplink Balance 30 Pro
The manual covers setting up your Peplink Balance or MediaFast and provides a collection of case studies detailing the advanced features of the Peplink Balance.
2 Glossary
The following terms, acronyms, and abbreviations are frequently used in this manual:
Term Definition
3G 3rd generation standards for wireless communications (e.g., HSDPA)
4G 4th generation standards for wireless communications (e.g., LTE)
DHCP Dynamic Host Configuration Protocol
DNS Domain Name System
EVDO Evolution-Data Optimized
FQDN Fully Qualified Domain Name
HSDPA High-Speed Downlink Packet Access
HTTP Hyper-Text Transfer Protocol
ICMP Internet Control Message Protocol
IP Internet Protocol
LAN Local Area Network
MAC Address Media Access Control Address
MTU Maximum Transmission Unit
MSS Maximum Segment Size
NAT Network Address Translation
PPPoE Point to Point Protocol over Ethernet
QoS Quality of Service
SNMP Simple Network Management Protocol
TCP Transmission Control Protocol
UDP User Datagram Protocol
VPN Virtual Private Network
VRRP Virtual Router Redundancy Protocol
WAN Wide Area Network
WINS Windows Internet Name Service
WLAN Wireless Local Area Network
210+ Refers to Peplink Balance 210/310/380/580/710/1350/2500
380+ Refers to Peplink Balance 380/580/710/1350/2500
3 Product Comparison Chart
Click underlined features to reach the relevant portion of the manual.
Full product comparison available at: http://www.peplink.com/products/balance/model-comparison
4 Product Features
Peplink Balance Series products enable all LAN users to share broadband Internet connections and provide advanced features to enhance Internet access. The following is a list of supported features:
4.1 Supported Network Features
4.1.1 WAN
Multiple public IP support (DHCP, PPPoE, static IP address)
Static IP support for PPPoE
10/100/1000Mbps Ethernet connection in full/half duplex
Built-in HSPA and EVDO cellular modems
USB mobile connection (only one USB modem can be connected at a time)
Drop-in mode on selectable WAN port with MAC address passthrough
Network address translation (NAT) / port address translation (PAT)
Inbound and outbound NAT mapping
Multiple static IP addresses per WAN connection
MAC address clone
Customizable MTU and MSS values
WAN connection health check
Dynamic DNS (supported service providers: changeip.com, dyndns.org, no-ip.org, tzo.com, and DNS-O-Matic)
Ping, DNS lookup, and HTTP-based health check
4.1.2 LAN
DHCP server on LAN
Extended DHCP option support
Static routing rules
Local DNS proxy server
VLAN on LAN support
4.1.3 VPN
Secure SpeedFusion™
SpeedFusion performance analyzer
X.509 certificate support (feature activation required on some Balance models)
Bandwidth bonding and failover among selected WAN connections
Ability to route traffic to a remote VPN peer
Optional pre-shared key setting
Layer 2 bridging
Layer 2 Peer Isolation
SpeedFusion™ throughput, ping, and traceroute tests
Built-in L2TP / PPTP VPN server
Authenticate L2TP / PPTP clients using RADIUS and LDAP servers
Multi-Site PepVPN Profile
IPsec VPN for network-to-network connections (works with Cisco and Juniper only)
L2TP / PPTP and IPsec passthrough
4.1.4 Inbound Traffic Management
TCP/UDP traffic redirection to dedicated LAN server(s)
Inbound link load balancing by means of DNS
4.1.5 Outbound Policy
Link load distribution per TCP/UDP service
Persistent routing for specified source and/or destination IP addresses per TCP/UDP service
Prioritize and route traffic to VPN tunnels with Priority and Enforced algorithms
Time-based scheduling
4.1.6 AP Controller
● Configure and manage Pepwave AP devices
● Review the status of connected AP
4.1.7 QoS
Quality of service for different applications and custom protocols
User group classification for different service levels
Bandwidth usage control and monitoring on group- and user-level
Application prioritization for custom protocols and DSL optimization
4.1.8 Firewall
Outbound (LAN to WAN) firewall rules
Inbound (WAN to LAN) firewall rules per WAN connection
Intrusion detection and prevention
Specification of NAT mappings
Web blocking
Application blocking
Time-based scheduling
Outbound firewall rules can be defined by destination domain name
4.1.9 Captive Portal
Social Wi-Fi Hotspot Support
Splash screen of open networks, login page for secure networks
Customizable built-in captive portal
Supports linking to outside page for captive portal
4.2 Other Supported Features
Easy-to-use web administration interface
HTTP and HTTPS support for web administration interface
Configurable web administration port and administrator password
Read-only user for web admin
Shared-IP drop-in mode
Authentication and accounting by RADIUS server for web admin
Firmware upgrades, configuration backups, ping, and traceroute via web administration interface
Remote web-based configuration (via WAN and LAN interfaces)
Remote reporting to Peplink Balance reporting server
Hardware high availability via VRRP, with automatic configuration synchronization
Real-time, hourly, daily and monthly bandwidth usage reports and charts
Hardware backup via LAN bypass
Built-in WINS server
Time server synchronization
SNMP
Email notification
Syslog
SIP passthrough
PPTP packet passthrough
Active sessions
Active client list
WINS client list
UPnP / NAT-PMP
Improved active sessions page
Event log is persistent across reboots
IPv6 support
Support for USB tethering on Android 2.2+ phones
5 Advanced Feature Summary
5.1 Drop-in Mode and LAN Bypass: Transparent Deployment
As your organization grows, it needs more bandwidth. But modifying your network would require effort better spent elsewhere. In Drop-in Mode, you can conveniently install your Peplink router without making any changes to your network. And if the Peplink router loses power for any reason, LAN Bypass will safely and automatically bypass the Peplink router to resume your original network connection.
5.2 QoS: Clearer VoIP
VoIP and videoconferencing are highly sensitive to latency. With QoS, Peplink routers can detect VoIP traffic and assign it the highest priority, giving you crystal-clear calls.
5.3 Per-User Bandwidth Control
With per-user bandwidth control, you can define bandwidth control policies for up to 3 groups of users to prevent network congestion. Define groups by IP address and subnet, and set bandwidth limits for every user in the group.
5.4 High Availability via VRRP
When your organization has a corporate requirement demanding the highest availability with no single point of failure, you can deploy two Peplink routers in High Availability mode. With High Availability mode, the second device will take over when needed.
5.5 USB Modem and Android Tethering
For increased WAN diversity, plug in a USB LTE modem as backup. Peplink routers are compatible with over 200 modem types. You can also tether to smartphones running Android 4.1.X and above.
5.6 Built-In Remote User VPN Support
Use L2TP with IPsec to safely and conveniently connect remote clients to your private network. L2TP with IPsec is supported by most devices, but legacy devices can also connect using PPTP.
Click here for full instructions on setting up L2TP with IPsec.
5.7 LACP NIC Bonding
Use 802.3ad to combine multiple LAN connections into a virtual LAN connection. This virtual connection has higher throughput and redundancy in case any single link fails.
6 Package Contents
The contents of Peplink Balance product packages are as follows:
6.1 Peplink Balance 30 LTE
Peplink Balance 30 LTE
4G LTE Antennas
Power adapter
Information slip
Rackmount kit
7 Peplink Balance Overview
7.1 Peplink Balance 30 LTE
7.1.1 Panel Appearance
7.1.2 LED Indicators
The statuses indicated by the front panel LEDs are as follows:
Power and Status Indicators
Power: OFF – Power off; Green – Power on
Status: OFF – Upgrading firmware; Red – Booting up or busy; Blinking red – Boot up error; Green – Ready
LAN and WAN Ports
Green LED: ON – 10 / 100 / 1000 Mbps
Orange LED: Blinking – Data is transferring; OFF – No data is being transferred or port is not connected
Port Type: Auto MDI/MDI-X ports
USB Ports
USB Port: For connecting a 4G/3G USB modem
8 Installation
The following section details connecting the Peplink Balance to your network:
8.1 Preparation
Before installing your Peplink Balance, please prepare the following:
At least one Internet/WAN access account
For each network connection, one 10/100BaseT UTP cable with RJ45 connector, one 1000BaseT Cat5E UTP cable for the Gigabit port, or one USB modem for the USB WAN port
A computer with the TCP/IP network protocol and a web browser installed— supported browsers include Microsoft Internet Explorer 8.0 and above, Mozilla Firefox 10.0 and above, Apple Safari 5.1 and above, and Google Chrome 18 and above
8.2 Constructing the Network
At the high level, construct the network according to the following steps:
1. With an Ethernet cable, connect a computer to one of the LAN ports on the Peplink Balance. For Peplink Balance models that support multiple connections, repeat with different cables for up to four computers to be connected.
2. With another Ethernet cable, connect the WAN/broadband modem to one of the WAN ports on the Peplink Balance. Repeat using different cables to connect from two to 13 WAN/broadband connections or connect a USB modem to the USB WAN port.
3. Connect the provided power adapter or cord to the power connector on the Peplink Balance, and then plug the power adapter into a power outlet.
9 Basic Configuration
9.1 Connecting to the Web Admin Interface
1. Start a web browser on a computer that is connected with the Peplink Balance through the LAN.
2. To connect to the web admin of the Peplink Balance, enter the following LAN IP address in the address field of the web browser:
http://192.168.1.1
(This is the default LAN IP address of the Peplink Balance.) Enter the following to access the web admin interface.
Username: admin Password: admin
(This is the default admin user login of the Peplink Balance. The admin and read-only user password can be changed at System>Admin Security.)
3. After successful login, the Dashboard of the web admin interface will be displayed. It looks similar to the following:
Important Note
The Save button causes the changes to be saved. Configuration changes (e.g., WAN, LAN, admin settings, etc.) take effect after clicking the Apply Changes button on each page’s top-right corner.
9.2 Configuration with the Setup Wizard
The Setup Wizard simplifies the task of configuring WAN connection(s) by guiding the configuration process step-by-step.
To begin, click Setup Wizard after connecting to the web admin interface.
Click Next >> to begin.
Select Yes if you want to set up drop-in mode using the Setup Wizard.
Click on the appropriate checkbox(es) to select the WAN connection(s) to be configured. If you have chosen to configure drop-in mode using the Setup Wizard, the WAN port to be configured in drop-in mode will be checked by default.
If drop-in mode is going to be configured, the setup wizard will move on to Drop-in Settings.
If you are not using drop-in mode, select the connection method for the WAN connection(s) from the following screen:
Depending on the selection of connection type, further configuration may be needed. For example, PPPoE and static IP require additional settings for the selected WAN port. Please refer to Section 13, Configuring the WAN Interface(s) for details on setting up DHCP, static IP, and PPPoE.
If Mobile Internet Connection is checked, the setup wizard will move on to Operator Settings.
If Custom Mobile Operator Settings is selected, APN parameters are required. Some service providers may charge a fee for connecting to a different APN. Please consult your service provider for the correct settings.
Click on the appropriate check box(es) to select the preferred WAN connection(s). Connection(s) not selected in this step will be used as backup only. Click Next >> to continue.
Choose the time zone of your country/region. Check the box Show all to display all time zone options.
Check in the following screen to make sure all settings have been configured correctly, and then click Save Settings to confirm.
After finishing the last step in the setup wizard, click Apply Changes on the page header to allow the configuration changes to take effect.
10 Network Tab
10.1 WAN
From Network>WAN, choose a WAN connection by clicking it.
You can also enable IPv6 support in this section.
WAN Connection Settings (Ethernet)
Clicking an Ethernet WAN connection will result in the following screen:
WAN Connection Settings
WAN Connection Name: Enter a name to represent this WAN connection.
Enable: This setting enables the WAN connection. If schedules have been defined, you will be able to select a schedule to apply to the connection.
Connection Method: There are three possible connection methods for Ethernet WAN: DHCP, Static IP, and PPPoE. The connection method and details are determined by, and can be obtained from, the ISP. See the following sections for details on each connection method. DNS server settings can be configured in the corresponding menu for each connection method.
Routing Mode: This field shows that NAT (network address translation) will be applied to the traffic routed over this WAN connection. IP Forwarding is available when you click the link in the help text.
DNS Servers: Select a DNS server for this port to use. This port can either be automatically selected or manually designated.
Independent from Backup WANs: If this is checked, the connection will be working independent from other Backup WAN connections. Those in Backup Priority will ignore the status of this WAN connection, and will be used when none of the other higher priority connections are available.
Standby State: This setting specifies the standby state of the WAN connection. The available options are Remain connected and Disconnect. The default state is Remain Connected.
Reply to ICMP PING: If No is selected, this option is disabled and the system will not reply to any ICMP ping echo requests to the WAN IP addresses of this WAN connection. Default: Yes
Upload Bandwidth: This field refers to the maximum upload speed. This value is referenced when default weight is chosen for outbound traffic and traffic prioritization. A correct value can result in effective traffic prioritization and efficient use of upstream bandwidth.
Download Bandwidth: This field refers to the maximum download speed. Default weight control for outbound traffic will be adjusted according to this value.
WAN Connection Settings (Cellular)
Clicking a cellular WAN connection will result in the following screens:
Connection Settings
WAN Connection Name: Indicate a name you wish to give this WAN connection.
Enable: Click the checkbox to toggle the on and off state of this connection.
Routing Mode: This option allows you to select the routing method to be used in routing IP frames via the WAN connection. The mode can be either NAT (Network Address Translation) or IP Forwarding. If you need IP Forwarding for your scenario, click the button to enable IP Forwarding.
Connection Type: This option allows you to configure whether the WAN connection is for normal daily usage or is a backup connection only. If Always-on is chosen, the WAN connection will be kept on continuously and is used for load balancing. If Backup Priority is chosen, the WAN connection will not be used unless none of the Always-on connection(s) is available.
Standby State: This option allows you to choose whether the connection remains connected or is disconnected when this WAN connection is no longer in the highest priority and has entered the standby state. When Remain connected is chosen, upon bringing up this WAN connection to active, it will be immediately available for use. If this WAN connection is charged by connection time, you may want to set this option to Disconnect so that a connection will be made only when needed.
Idle Disconnect: If checked, you can define the number of minutes of idle time that must pass before a network gets disconnected.
DNS Servers: Each ISP may provide a set of DNS servers for DNS lookups. This setting specifies the DNS (Domain Name System) servers to be used when a DNS lookup is routed through this connection. Selecting Obtain DNS server address automatically results in the DNS servers assigned by the WAN DHCP server being used for outbound DNS lookups over the connection. (The DNS servers are obtained along with the WAN IP address assigned by the DHCP server.) When Use the following DNS server address(es) is selected, you may enter custom DNS server addresses for this WAN connection into the DNS server 1 and DNS server 2 fields.
Cellular Settings
SIM Card: Indicate which SIM card this cellular WAN will use. Only applies to cellular WAN with redundant SIM cards.
Preferred SIM Card: If both cards are enabled in the above field, then you can designate the priority of the SIM card slots here.
3G/2G: This drop-down menu allows restricting cellular to a particular band. Click the button to enable the selection of specific bands.
Authentication: Choose from PAP Only or CHAP Only to use those authentication methods exclusively. Select Auto to automatically choose an authentication method.
Data Roaming: This checkbox enables data roaming on this particular SIM card. Please check your service provider’s data roaming policy before proceeding.
Operator Settings: This setting applies to 3G/EDGE/GPRS modems only. It does not apply to EVDO/EVDO Rev. A modems. This allows you to configure the APN settings of your connection. If Auto is selected, the mobile operator should be detected automatically. The connected device will be configured and the connection will be made automatically. If there is any difficulty in making a connection, you may select Custom to enter your carrier’s APN, Login, Password, and Dial Number settings manually. The correct values can be obtained from your carrier. The default and recommended setting is Auto.
APN / Login / Password / SIM PIN: When Auto is selected, the information in these fields will be filled automatically. Select Custom to customize these parameters. The parameter values are determined by and can be obtained from the ISP.
Bandwidth Allowance Monitor: Check the box Enable to enable bandwidth usage monitoring on this WAN connection for each billing cycle. When this option is not enabled, bandwidth usage of each month is still being tracked but no action will be taken.
Action: If email notification is enabled, you will be notified by email when usage hits 75% and 95% of the monthly allowance. If Disconnect when usage hits 100% of monthly allowance is checked, this WAN connection will be disconnected automatically when the usage hits the monthly allowance. It will not resume connection unless this option has been turned off or the usage has been reset when a new billing cycle starts.
Start Day: This option allows you to define which day of the month each billing cycle begins.
Monthly Allowance: This field is for defining the maximum bandwidth usage allowed for the WAN connection each month.
WAN Connection Settings (Common)
The remaining WAN-related settings are common to both Ethernet and cellular WAN.
Physical Interface Settings
Port Speed: This is the port speed of the WAN connection. It should be set to the same speed as the connected device in case of any port negotiation problems. When a static speed is set, you may choose whether to advertise its speed to the peer device or not. Advertise Speed is selected by default. You can choose not to advertise the port speed if the port has difficulty in negotiating with the peer device. Default: Auto
MTU: This field is for specifying the Maximum Transmission Unit value of the WAN connection. An excessive MTU value can cause file downloads to stall shortly after connecting. You may consult your ISP for the connection's MTU value.
MSS: This field is for specifying the Maximum Segment Size of the WAN connection. When Auto is selected, MSS will depend on the MTU value. When Custom is selected, you may enter a value for MSS. This value will be announced to remote TCP servers, during the establishment of TCP connections, as the maximum data that the connection can receive. Some Internet servers are unable to listen to the MTU setting if ICMP is filtered by a firewall between the connections. Normally, MSS equals MTU minus 40. You are recommended to reduce the MSS only if changing the MTU value cannot effectively inform some remote servers to size down data size. Default: Auto
MAC Address Clone: Some service providers (e.g. cable network) identify the client's MAC address and require the client to always use the same MAC address to connect to the network. If this is the case, you may change the WAN interface's MAC address to that of the client PC by entering the PC's MAC address in this field. If you are not sure, click the Default button to restore the default value.
VLAN: Check the box to assign a VLAN to the interface.
DHCP Settings
Hostname (Optional): If your service provider's DHCP server requires you to supply a hostname value upon acquiring an IP address, you may enter the value here. If your service provider does not provide you with a hostname, you can safely bypass this option.
DNS Servers: Each ISP may provide a set of DNS servers for DNS lookups. This setting specifies the DNS (Domain Name System) servers to be used when a DNS lookup is routed through this connection. Selecting Obtain DNS server address automatically results in the DNS servers assigned by the WAN DHCP server being used for outbound DNS lookups over the connection. (The DNS servers are obtained along with the WAN IP address assigned by the DHCP server.) When Use the following DNS server address(es) is selected, you may enter custom DNS server addresses for this WAN connection into the DNS server 1 and DNS server 2 fields.
Health Check Settings
To ensure traffic is routed to healthy WAN connections only, the Peplink Balance can periodically check the health of each WAN connection. Health Check settings for each WAN connection can be independently configured via Network>Interfaces>WAN>*Connection name*>Health Check Settings.
Enable Health Check by selecting PING, DNS Lookup, or HTTP from the Health Check Method drop-down menu.
Health Check Settings
Method: This setting specifies the health check method for the WAN connection. This value can be configured as Disabled, PING, DNS Lookup, or HTTP. The default method is DNS Lookup. For mobile Internet connections, the value of Method can be configured as Disabled or SmartCheck.
Health Check Disabled
When Disabled is chosen in the Method field, the WAN connection will always be considered as up. The connection will NOT be treated as down in the event of IP routing errors.
Health Check Method: PING
ICMP ping packets will be issued to test the connectivity with a configurable target IP address or hostname. A WAN connection is considered as up if ping responses are received from either one or both of the ping hosts.
PING Hosts: This setting specifies IP addresses or hostnames with which connectivity is to be tested via ICMP ping. If Use first two DNS servers as Ping Hosts is checked, the target ping host will be the first DNS server for the corresponding WAN connection. Reliable ping hosts with a high uptime should be considered. By default, the first two DNS servers of the WAN connection are used as the ping hosts.
Health Check Method: DNS Lookup
DNS lookups will be issued to test connectivity with target DNS servers. The connection will be treated as up if DNS responses are received from one or both of the servers, regardless of whether the result was positive or negative.
Health Check DNS Servers: This field allows you to specify two DNS hosts’ IP addresses with which connectivity is to be tested via DNS Lookup. If Use first two DNS servers as Health Check DNS Servers is checked, the first two DNS servers will be the DNS lookup targets for checking a connection's health. If the box is not checked, Host 1 must be filled, while a value for Host 2 is optional. If Include public DNS servers is selected and no response is received from all specified DNS servers, DNS lookups will also be issued to some public DNS servers. A WAN connection will be treated as down only if there is also no response received from the public DNS servers. Connections will be considered as up if DNS responses are received from any one of the health check DNS servers, regardless of a positive or negative result. By default, the first two DNS servers of the WAN connection are used as the health check DNS servers.
Health Check Method: HTTP
HTTP connections will be issued to test connectivity with configurable URLs and strings to match.
URL1: WAN Settings>WAN Edit>Health Check Settings>URL1. The URL will be retrieved when performing an HTTP health check. When String to Match is left blank, a health check will pass if the HTTP return code is between 200 and 299 (Note: HTTP redirection codes 301 or 302 are treated as failures). When String to Match is filled, a health check will pass if the HTTP return code is between 200 and 299 and if the HTTP response content contains the string.
URL 2: WAN Settings>WAN Edit>Health Check Settings>URL2. If URL2 is also provided, a health check will pass if either one of the tests passed.
Other Health Check Settings
Timeout: This setting specifies the timeout in seconds for ping/DNS lookup requests. The default timeout is 5 seconds.
Health Check Interval: This setting specifies the time interval in seconds between ping or DNS lookup requests. The default health check interval is 5 seconds.
Health Check Retries: This setting specifies the number of consecutive ping/DNS lookup timeouts after which the Peplink Balance will treat the corresponding WAN connection as down. Default health retries is set to 3. Using the default Health Retries setting of 3, the corresponding WAN connection will be treated as down after three consecutive timeouts.
Recovery Retries: This setting specifies the number of consecutive successful ping/DNS lookup responses that must be received before the Peplink Balance treats a previously down WAN connection as up again. By default, Recover Retries is set to 3. Using the default setting, a WAN connection that is treated as down will be considered as up again upon receiving three consecutive successful ping/DNS lookup responses.
Note
If a WAN connection goes down, all of the WAN connections not set with a Connection Type of Always-on will also be brought up until any one of the higher-priority WAN connections is up and found to be healthy. This design could increase overall network availability.
For example, if WAN1, WAN2, and WAN3 have connection types of Always-on, Backup Priority Group 1, and Backup Priority Group 2, respectively, when WAN1 goes down, WAN2 and WAN3 will try to connect. If WAN3 is connected first, WAN2 will still keep trying to connect. If WAN2 is connected, WAN3 will disconnect or abort its connection attempt.
Automatic Public DNS Server Check on DNS Test Failure
When the health check method is set to DNS Lookup and checks fail, the Balance will automatically perform DNS lookups on some public DNS servers. If the tests are successful, the WAN may not be down, but rather the target DNS server malfunctioned. You will see the following warning message on the main page:
Bandwidth Allowance Monitor Settings
Bandwidth Allowance Monitor
Action
If Email Notification is enabled, you will be notified by email when usage hits 75% and 95% of the monthly allowance.
If Disconnect when usage hits 100% of monthly allowance is checked, this WAN connection will be disconnected automatically when the usage hits the monthly allowance. It will not resume connection unless this option has been turned off or the usage has been reset when a new billing cycle starts.
Start Day
This option allows you to define which day of the month each billing cycle begins.
Monthly Allowance
This field is for defining the maximum bandwidth usage allowed for the WAN connection each month.
Disclaimer
Due to different network protocol overheads and conversions, the amount of data reported by this Peplink device is not representative of actual billable data usage as metered by your network provider. Peplink disclaims any obligation or responsibility for any events arising from use of the numbers shown here.
Additional Public IP Settings
Additional Public IP Settings
IP Address List
IP Address List represents the list of fixed Internet IP addresses assigned by the ISP in the event that more than one Internet IP address is assigned to this WAN connection. Enter the fixed Internet IP addresses and the corresponding subnet mask, and then click the Down Arrow button to populate IP address entries to the IP Address List.
Dynamic DNS Settings
The Peplink Balance allows registering domain name relationships to dynamic DNS service providers. Through registration with dynamic DNS service provider(s), the default public Internet IP address of each WAN connection can be associated with a hostname. With dynamic DNS service enabled for a WAN connection, you can connect to your WAN's IP address externally even if its IP address is dynamic. You must register for an account from the listed dynamic DNS service providers before enabling this option.
If the WAN connection's IP address is a reserved private IP address (i.e., behind a NAT router), the public IP of each WAN will be automatically reported to the DNS service provider.
Either upon a change in IP addresses or every 23 days without link reconnection, the Peplink Balance will connect to the dynamic DNS service provider to update the provider’s IP address records.
The settings for dynamic DNS service provider(s) and the association of hostname(s) are configured via Network>Interfaces>WAN>*Connection name*>Dynamic DNS Settings.
If your desired provider is not listed, you may check with DNS-O-Matic. This service supports updating 30 other dynamic DNS service providers. (Note: Peplink is not affiliated with DNS-O-Matic.)
Dynamic DNS Settings
Service Provider
This setting specifies the dynamic DNS service provider to be used for the WAN. Supported providers are:
● changeip.com
● dyndns.org
● no-ip.org
● tzo.com
● DNS-O-Matic
● Others… supports custom dynamic DNS servers by entering a URL. Works with any service compatible with the DynDNS API.
Select Disabled to disable this feature.
User ID / User / Email
This setting specifies the registered user name for the dynamic DNS service.
Password / Pass / TZO Key
This setting specifies the password for the dynamic DNS service.
Update All Hosts
Check this box to automatically update all hosts.
Hosts / Domain
This setting specifies a list of hostnames or domains to be associated with the public Internet IP address of the WAN connection.
Important Note
In order to use dynamic DNS services, appropriate hostname registration(s), as well as a valid account with a supported dynamic DNS service provider, are required.
A dynamic DNS update is performed whenever a WAN’s IP address is changed, such as when an IP is changed after a DHCP IP refresh or reconnection.
Due to dynamic DNS service providers’ policies, a dynamic DNS host expires automatically when the host record has not been updated for a long time. Therefore, the Peplink Balance performs an update every 23 days, even if a WAN’s IP address did not change.
10.2 LAN
10.2.1 Network Settings
Click the LAN or VLAN you wish to edit or click New LAN to create a new VLAN. When you do so, the following configuration menus will appear:
IP Settings
IP Address & Subnet Mask
Enter the Peplink Balance’s IP address and subnet mask values to be used on the LAN.
Network Settings
Name
Enter a name for the LAN.
VLAN ID
Enter a VLAN ID for your LAN.
Inter-VLAN routing
Check this box to enable routing between virtual LANs.
Captive Portal
Check this box to turn on captive portals.
Drop-In Mode
Drop-in mode (or transparent bridging mode) eases the installation of the Peplink Balance on a live network between the firewall and router, such that changes to the settings of existing equipment are not required.
The following diagram illustrates drop-in mode setup:
Enable drop-in mode using the Setup Wizard. After enabling this feature and selecting the WAN for drop-in mode, various settings, including the WAN's connection method and IP address, will be automatically updated.
When drop-in mode is enabled, the LAN and the WAN for drop-in mode ports will be bridged. Traffic between the LAN hosts and WAN router will be forwarded between the devices. In this case, the hosts on both sides will not notice any IP or MAC address changes.
After successfully setting up the Peplink Balance as part of the network using drop-in mode, it will, depending on model, support one or more WAN connections. Some MediaFast units also support multiple WAN connections after activating drop-in mode, though a SpeedFusion license may be required to activate more than one WAN port.
Please note that drop-in mode is mutually exclusive with VLAN.
Drop-in Mode Settings
Enable
Drop-in mode eases the installation of the Peplink Balance on a live network between the existing firewall and router, such that no configuration changes are required on existing equipment. Check the box to enable the drop-in mode feature.
Please refer to Section 12, Drop-in Mode for details.
WAN for Drop-In Mode
Select the WAN port to be used for drop-in mode. If WAN 1 with LAN Bypass is selected, the high availability feature will be disabled automatically.
Shared Drop-In IP (A)
When this option is enabled, the passthrough IP address will be used to connect to WAN hosts (email notification, remote syslog, etc.). The Balance will listen for this IP address when WAN hosts access services provided by the Balance (web admin access from the WAN, DNS server requests, etc.).
To connect to hosts on the LAN (email notification, remote syslog, etc.), the default gateway address will be used. The Balance will listen for this IP address when LAN hosts access services provided by the Balance (web admin access from the WAN, DNS proxy, etc.).
Shared IP Address (A)
Access to this IP address will be passed through to the LAN port if this device is not serving the service being accessed. The shared IP address will be used in connecting to hosts on the WAN (e.g., email notification, remote syslog, etc.). The device will also listen on the IP address when hosts on the WAN access services served on this device (e.g., web admin accesses from WAN, DNS server, etc.).
WAN Default Gateway
Enter the WAN router's IP address in this field. If there are more hosts in addition to the router on the WAN segment, click the button next to “WAN Default Gateway” and check the I have other host(s) on WAN segment box and enter the IP address of the hosts that need to access LAN devices or be accessed by others.
WAN DNS Servers
Enter the selected WAN's corresponding DNS server IP addresses.
(A) - Advanced feature, please click the button on the top right-hand corner to activate.
Layer 2 PepVPN Bridging (A)
PepVPN Profiles to Bridge (A)
The remote network of the selected PepVPN profiles will be bridged with this local LAN, creating a Layer 2 PepVPN. They will be connected and operate like a single LAN, and any broadcast or multicast packets will be sent over the VPN.
Remote Network Isolation (A)
Enable this option if you want to block network traffic between remote networks. This will not affect the connectivity between them and this local LAN.
Spanning Tree Protocol (A)
When Layer 2 bridging is enabled, this field specifies the port to be bridged to the remote site. If you choose WAN, the selected WAN will be dedicated to bridging with the remote site and will be disabled for WAN purposes. The LAN port will remain unchanged.
Override IP Address when bridge is connected (A)
Select "Do not override" if the LAN IP address and local DHCP server should remain unchanged after the Layer 2 PepVPN is up.
If you choose to override IP address when the VPN is connected, the device will not act as a router, and most Layer 3 routing functions will cease to work.
(A) - Advanced feature, please click the button on the top right-hand corner of the Network Settings menu to activate.
10.2.2 Network Settings (Common Settings)
For VLAN-enabled configurations, DHCP Server settings are accessible by clicking individual VLAN
DHCP Server Settings
DHCP Server
When this setting is enabled, the Peplink Balance’s DHCP server automatically assigns an IP address to each computer that is connected via LAN and configured to obtain an IP address via DHCP. The Peplink Balance’s DHCP server can prevent IP address collisions on the LAN.
DHCP Server Logging
Check this box to log DHCP server activity.
IP Range & Subnet Mask
These settings allocate a range of IP addresses that will be assigned to LAN computers by the Peplink Balance’s DHCP server.
Lease Time
This setting specifies the length of time throughout which an IP address of a DHCP client remains valid. Upon expiration of Lease Time, the assigned IP address will no longer be valid and the IP address assignment must be renewed.
DNS Servers
This option allows you to input the DNS server addresses to be offered to DHCP clients. If Assign DNS server automatically is selected, the Peplink Balance’s built-in DNS server address (i.e., LAN IP address) will be offered.
WINS Server
This option allows you to specify the Windows Internet Name Service (WINS) server. You may choose to use the built-in WINS server or external WINS servers. When this unit is connected using SpeedFusion™, other VPN peers can share this unit's built-in WINS server by entering this unit's LAN IP address in their DHCP WINS Servers setting. Therefore, all PC clients in the VPN can resolve the NetBIOS names of other clients in remote peers. If you have enabled this option, a list of WINS clients will be displayed at Status>WINS Clients.
BOOTP
Check this box to enable BOOTP on older networks that still require it.
Extended DHCP Option
In addition to standard DHCP options (e.g. DNS server address, gateway address, subnet mask), you can specify the value of additional extended DHCP options, as defined in RFC 2132. With these extended options enabled, you can pass additional configuration information to LAN hosts.
To define an extended DHCP option, click the Add button, choose the option to define, and then enter its value. For values that are in IP address list format, you can enter one IP address per line in the provided text area input control. Each option can be defined once only.
DHCP Reservation
This setting reserves the assignment of fixed IP addresses for a list of computers on the LAN. The computers to be assigned fixed IP addresses on the LAN are identified by their MAC addresses.
The fixed IP address assignment is displayed as a cross-reference list between the computers’ names, MAC addresses, and fixed IP addresses.
Name (an optional field) allows you to specify a name to represent the device. MAC addresses should be in 00:AA:BB:CC:DD:EE format. Press to create a new record. Press to remove a record. Reserved clients information can be imported from the Client List, located at Status>Client List. For more details, please refer to Section 27.3.
DHCP relay settings is an advanced feature. To enable it, click the button next to DHCP Server.
DHCP Relay Settings
DHCP Relay
Enter the address of the DHCP server here. DHCP requests will be relayed to it.
DHCP Server IP Address
DHCP requests from the LAN are relayed to the entered DHCP server. For active-passive DHCP server configurations, enter active and passive DHCP server IPs into the DHCP Server 1 and DHCP Server 2 fields.
DHCP Option 82
This feature includes device information as relay agent for the attached client when forwarding DHCP requests from a DHCP client to a DHCP server. Device MAC address and network name are embedded to circuit ID and Remote ID in option 82.
DHCP Relay Logging
Check this box to log DHCP relay activity.
Static Route Settings
Static Route
This table is for defining static routing rules for the LAN segment. A static route consists of the network address, subnet mask, and gateway address. The address and subnet mask values are in w.x.y.z format.
The local LAN subnet and subnets behind the LAN will be advertised to the VPN. Remote routes sent over the VPN will also be accepted. Any VPN member will be able to route to the local subnets. Click to create a new route. Click to remove a route.
WINS Server Settings
Enable
Check the box to enable the WINS Server. A list of WINS clients will be displayed at Status>WINS Clients.
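For the DHCP Option 82 setting under DHCP Relay Settings above, this added example (not Peplink code) encodes and strictly parses the relay agent information option in the RFC 3046 layout, with sub-option 1 as Circuit ID and sub-option 2 as Remote ID. Which of the two carries the MAC address and which the network name, and how the device encodes them, are assumptions here; the sample values are constructed.

```python
OPTION_82 = 82     # DHCP Relay Agent Information option (RFC 3046)
CIRCUIT_ID = 1     # Agent Circuit ID sub-option
REMOTE_ID = 2      # Agent Remote ID sub-option


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode option 82 as code, length, then (sub-code, sub-length, value) entries."""
    payload = b""
    for code, value in ((CIRCUIT_ID, circuit_id), (REMOTE_ID, remote_id)):
        if len(value) > 255:
            raise ValueError("sub-option value longer than 255 bytes")
        payload += bytes([code, len(value)]) + value
    if len(payload) > 255:
        raise ValueError("option payload longer than 255 bytes")
    return bytes([OPTION_82, len(payload)]) + payload


def parse_option82(raw: bytes) -> dict:
    """Decode option 82 into {sub_code: value}, rejecting any inconsistent length."""
    if len(raw) < 2 or raw[0] != OPTION_82:
        raise ValueError("not a relay agent information option")
    payload = raw[2:2 + raw[1]]
    if len(payload) != raw[1]:
        raise ValueError("option is truncated")
    subopts = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, sublen = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + sublen]
        if len(value) != sublen:
            raise ValueError("sub-option overruns the option")
        if code in subopts:
            raise ValueError("duplicate sub-option")
        subopts[code] = value
        i += 2 + sublen
    return subopts


def format_mac(value: bytes) -> str:
    """Render six bytes in the 00:AA:BB:CC:DD:EE format used elsewhere in this manual."""
    if len(value) != 6:
        raise ValueError("a MAC address is six bytes")
    return ":".join(f"{b:02X}" for b in value)


# Constructed sample: network name in Circuit ID, relay MAC in Remote ID (assumed placement).
SAMPLE = build_option82(b"Office-LAN", bytes.fromhex("00aabbccddee"))

if __name__ == "__main__":
    fields = parse_option82(SAMPLE)
    print(fields[CIRCUIT_ID].decode(), format_mac(fields[REMOTE_ID]))
```

A DHCP server or log pipeline that records these fields should validate lengths as above before trusting or storing relay-supplied values.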
Enter any needed DNS proxy settings. Once all settings have been entered, click Save to store your changes.
DNS Proxy Settings
Enable
To enable the DNS proxy feature, check this box, and then set up the feature at Network>LAN>DNS Proxy Settings.
A DNS proxy server can be enabled to serve DNS requests originating from LAN/PPTP/SpeedFusion™ peers. Requests are forwarded to the DNS servers/resolvers defined for each WAN connection.
DNS Caching
This field is to enable DNS caching on the built-in DNS proxy server. When the option is enabled, queried DNS replies will be cached until the records’ TTL has been reached. This feature can improve DNS response time by storing all received DNS results for faster DNS lookup. However, it cannot return the most updated result for frequently updated DNS records. By default, DNS Caching is disabled.
Include Google Public DNS Servers
When this option is enabled, the DNS proxy server will forward DNS requests to Google's public DNS servers, in addition to the DNS servers defined in each WAN. This could increase the DNS service's availability. This setting is disabled by default.
Local DNS Records
This table is for defining custom local DNS records. A static local DNS record consists of a host name and IP address. When looking up the host name from the LAN to LAN IP of the Peplink Balance, the corresponding IP address will be returned. To display the option to set TTL manually, click . Click to create a new record. Click to remove a record.
Domain Lookup Policy
DNS proxy will look up the domain names defined here using only the specified connections.
Check the box to enable the WINS server. A list of WINS clients will be displayed at Network>LAN>DNS Proxy Settings>DNS Resolvers.
DNS Resolvers (A)
This field specifies which DNS resolvers will receive forwarded DNS requests. If no WAN/VPN/LAN DNS resolver is selected, all of the WAN’s DNS resolvers will be selected. If a SpeedFusion™ peer is selected, you may enter the VPN peer’s DNS resolver IP address(es). Queries will be forwarded to the selected connections’ resolvers. If all of the selected connections are down, queries will be forwarded to all resolvers on healthy WAN connections.
(A) - Advanced feature, please click the button on the top right-hand corner to activate.
Finally, if needed, configure your Bonjour forwarding settings. Once all settings have been entered, click Save to store your changes.
Bonjour Forwarding Settings
Enable
Check this box to turn on Bonjour forwarding.
Bonjour Service
Choose Service and Client networks from the drop-down menus, and then click to add the networks. To delete an existing Bonjour listing, click .
10.2.3 Port Settings
To configure port settings, navigate to Network > Port Settings.
On this screen, you can enable specific ports, as well as determine the speed of the LAN ports, whether each port is a trunk or access port, as well as which VLAN each link belongs to, if any.
10.3 VPN
10.3.1 SpeedFusion
Peplink Balance SpeedFusion™ Bandwidth Bonding is our patented technology that enables our SD-WAN routers to bond multiple Internet connections to increase site-to-site bandwidth and reliability. SpeedFusion securely connects one or more branch offices to your company's main headquarters or to other branches. The data, voice, and video communications between these locations are kept confidential across the public Internet.
The SpeedFusion™ of the Peplink Balance is specifically designed for multi-WAN environments. With SpeedFusion, in case of failures and network congestion at one or more WANs, other WANs can be used to continue carrying the network traffic. The Peplink Balance can bond all WAN connections’ bandwidth for routing SpeedFusion™ traffic. Unless all the WAN connections of one site are down, the Peplink Balance can keep the VPN up and running. Bandwidth bonding is enabled by default.
To begin, navigate to Network > VPN > SpeedFusion, enter a Local ID, and click Save. Other SpeedFusion peers will identify this device by this local ID. The following menus will appear:
SpeedFusion Profiles
This table displays all defined profiles. Click the New Profile button to create a new profile for making a VPN connection to a remote unit via available WAN connections. Each VPN connection pair requires its own profile.
The local LAN subnet and subnets behind the LAN (defined under Static Route on the LAN Settings page) will be advertised to the VPN. All VPN members will be able to route to local subnets.
Send All Traffic To
This feature allows you to redirect all traffic to a specified PepVPN connection. Click the button to select your connection and the following menu will appear:
You could also specify a DNS server to resolve incoming DNS requests. Click the checkbox next to Backup Site to designate a backup SpeedFusion profile that will take over, should the main PepVPN connection fail.
PepVPN Local ID
This feature allows you to change the local ID of a PepVPN connection. Click the button to select your connection and the following menu will appear:
After updating the local ID, click Save to store your changes.
Link Failure Detection
Link Failure Detection Time
The bonded VPN can detect routing failures on the path between two sites over each WAN connection. Failed WAN connections will not be used to route VPN traffic. Health check packets are sent to the remote unit to detect any failure. The more frequently checks are sent, the shorter the detection time, although more bandwidth will be consumed.
When Recommended (default) is selected, a health check packet is sent every five seconds, and the expected detection time is 15 seconds.
When Fast is selected, a health check packet is sent every three seconds, and the expected detection time is six seconds.
When Faster is selected, a health check packet is sent every second, and the expected detection time is two seconds.
When Extreme is selected, a health check packet is sent every 0.1 second, and the expected detection time is less than one second.
Important Note
Peplink's proprietary SpeedFusion™ uses TCP port 32015 and UDP port 4500 for establishing VPN connections. If you have a firewall in front of your Peplink Balance devices, you will need to add firewall rules for these ports and protocols to allow inbound and outbound traffic to pass through the firewall.
SpeedFusion: Profile Configuration
Click the New Profile button, or click one of the existing profiles, and the following menus will appear:
A list of defined SpeedFusion connection profiles and a Link Failure Detection Time option will be shown. Click the New Profile button to create a new VPN connection profile for making a VPN connection to a remote Peplink Balance via the available WAN connections. Each profile is for making a VPN connection with one remote Peplink Balance.
PepVPN Profile Settings
Name
This field is for specifying a name to represent this profile. The name can be any combination of alphanumeric characters (0-9, A-Z, a-z), underscores (_), dashes (-), and/or non-leading/trailing spaces ( ).
Click the icon next to the PepVPN Profile title bar to use the IP ToS field of your data packet on PepVPN WAN traffic.
Active
When this box is checked, this VPN connection profile will be enabled. Otherwise, it will be disabled.
Encryption
By default, VPN traffic is encrypted with 256-bit AES. If Off is selected on both sides of a VPN connection, no encryption will be applied.
Authentication
Select from By Remote ID Only, Preshared Key, or X.509 to specify the method the Peplink Balance will use to authenticate peers. When selecting By Remote ID Only, be sure to enter a unique peer ID number in the Remote ID field.
Remote ID / Pre-shared Key
This optional field becomes available when Remote ID / Pre-shared Key is selected as the Peplink Balance’s VPN Authentication method, as explained above. Pre-shared Key defines the pre-shared key used for this particular VPN connection. The VPN connection's session key will be further protected by the pre-shared key. The connection will be up only if the pre-shared keys on each side match. When the peer is running firmware 5.0+, this setting will be ignored.
Enter Remote IDs either by typing out each Remote ID and Pre-shared Key, or by pasting a CSV. If you wish to paste a CSV, click the icon next to the “Remote ID / Preshared Key” setting.
Remote ID/Remote Certificate
These optional fields become available when X.509 is selected as the Peplink Balance’s VPN authentication method, as explained above. To authenticate VPN connections using X.509 certificates, copy and paste certificate details into these fields. To get more information on a listed X.509 certificate, click the Show Details link below the field.
Allow Shared Remote ID
When this option is enabled, the router will allow multiple peers to run using the same remote ID.
NAT Mode
Check this box to allow the local DHCP server to assign an IP address to the remote peer. When NAT Mode is enabled, all remote traffic over the VPN will be tagged with the assigned IP address using network address translation.
Remote IP Address / Host Names (Optional)
If NAT Mode is not enabled, you can enter a remote peer’s WAN IP address or hostname(s) here. If the remote uses more than one address, enter only one of them here. Multiple hostnames are allowed and can be separated by a space character or carriage return. Dynamic-DNS host names are also accepted.
This field is optional. With this field filled, the Peplink Balance will initiate connection to each of the remote IP addresses until it succeeds in making a connection. If the field is empty, the Peplink Balance will wait for connection from the remote peer. Therefore, at least one of the two VPN peers must specify this value. Otherwise, VPN connections cannot be established.
Click the icon to customize the handshake port (TCP)
Data Port
This field is used to specify a UDP port number for transporting outgoing VPN data. If Default is selected, UDP port 4500 will be used. Port 32015 will be used if the remote unit uses Firmware prior to version 5.4 or if port 4500 is unavailable. If Custom is selected, enter an outgoing port number from 1 to 65535.
Bandwidth Limit
Define maximum download and upload speed to each individual peer. This functionality requires the peer to use PepVPN version 4.0.0 or above.
Cost
Define path cost for this profile. OSPF will determine the best route through the network using the assigned cost. Default: 10
WAN Smoothing (A)
While using PepVPN, utilize multiple WAN links to reduce the impact of packet loss and get the lowest possible latency at the expense of extra bandwidth consumption. This is suitable for streaming applications where the average bitrate requirement is much lower than the WAN's available bandwidth.
Off - Disable WAN Smoothing.
Normal - The total bandwidth consumption will be at most 2x of the original data traffic.
Medium - The total bandwidth consumption will be at most 3x of the original data traffic.
High - The total bandwidth consumption depends on the number of connected active tunnels.
(A) - Advanced feature, please click the button on the top right-hand corner to activate.
To enable Layer 2 Bridging between PepVPN profiles, navigate to Network>LAN>*LAN Profile Name*
8.41
WAN Connection Priority
WAN Connection Priority
If your device supports it, you can specify the priority of WAN connections to be used for making VPN connections. WAN connections set to OFF will never be used. Only available WAN connections with the highest priority will be used.
To enable asymmetric connections, connection mapping to remote WANs, cut-off latency, and packet loss suspension time, click the button.
10.3.2 IPsec VPN
Peplink Balance IPsec VPN functionality securely connects one or more branch offices to your company's main headquarters or to other branches. Data, voice, and video communications between these locations are kept safe and confidential across the public Internet.
IPsec VPN on the Peplink Balance is specially designed for multi-WAN environments. For instance, if a user sets up multiple IPsec profiles for his multi-WAN environment and WAN1 is connected and healthy, IPsec traffic will go through this link. However, should unforeseen problems (e.g., unplugged cables or ISP problems) cause WAN1 to go down, our IPsec implementation will make use of WAN2 and WAN3 for failover.
All Peplink products can make multiple IPsec VPN connections with Peplink routers, as well as Cisco and Juniper routers.
Note that all LAN subnets and the subnets behind them must be unique. Otherwise, VPN members will not be able to access each other.
All data can be routed over the VPN with a selection of encryption standards, such as 3DES, AES-128, and AES-256.
To configure, navigate to Network>Interfaces>IPsec VPN.
A NAT-Traversal option and list of defined IPsec VPN profiles will be shown. NAT-Traversal should be enabled if your system is behind a NAT router. Click the New Profile button to create new IPsec VPN profiles that make VPN connections to remote Peplink Balance, Cisco, or Juniper Routers via available WAN connections. To edit any of the profiles, click on its associated connection name in the leftmost column.
IPsec VPN Settings
Name
This field is for specifying a local name to represent this connection profile.
Active
When this box is checked, this IPsec VPN connection profile will be enabled. Otherwise, it will be disabled.
Connect Upon Disconnection of
Check this box and select a WAN to connect to this VPN automatically when the specified WAN is disconnected. To activate this function, click the button next to the “Active” option.
Remote Gateway IP Address / Host Name
Enter the remote peer’s public IP address. For Aggressive Mode, this is optional.
Local Networks
Enter the local LAN subnets here. If you have defined static routes, they will be shown here.
Using NAT, you can map a specific local network / IP address to another, and the packets received by the remote gateway will appear to be coming from the mapped network / IP address. This allows you to establish an IPsec connection to a remote site that has one or more subnets that overlap with the local site.
Two types of NAT policies can be defined:
One-to-One NAT policy: if the defined subnet in Local Network and NAT Network has the same size, for example, policy "192.168.50.0/24 > 172.16.1.0/24" will translate the local IP address 192.168.50.10 to 172.16.1.10 and 192.168.50.20 to 172.16.1.20. This is a bidirectional mapping, which means clients in the remote site can initiate connections to the local clients using the mapped address too.
Many-to-One NAT policy: if the defined NAT Network on the right hand side is an IP address (or has a network prefix of /32), for example, policy "192.168.1.0/24 > 172.168.50.1/32" will translate all clients in the 192.168.1.0/24 network to 172.168.50.1. This is a unidirectional mapping, which means clients in the remote site will not be able to initiate connections to the local clients.
Remote Networks
Enter the LAN and subnets that are located at the remote site here.
Authentication
To access your VPN, clients will need to authenticate by your choice of methods. Choose between the Preshared Key and X.509 Certificate methods of authentication.
Mode
Choose Main Mode if both IPsec peers use static IP addresses. Choose Aggressive Mode if one of the IPsec peers uses dynamic IP addresses.
Force UDP Encapsulation
For forced UDP encapsulation regardless of NAT-traversal, tick this checkbox.
Pre-shared Key
This defines the peer authentication pre-shared key used to authenticate this VPN connection. The connection will be up only if the pre-shared keys on each side match.
Remote Certificate (pem encoded)
Available only when X.509 Certificate is chosen as the Authentication method, this field allows you to paste a valid X.509 certificate.
Local ID
In Main Mode, this field can be left blank. In Aggressive Mode, if Remote Gateway IP Address is filled on this end and the peer end, this field can be left blank. Otherwise, this field is typically a U-FQDN.
Remote ID
In Main Mode, this field can be left blank. In Aggressive Mode, if Remote Gateway IP Address is filled on this end and the peer end, this field can be left blank. Otherwise, this field is typically a U-FQDN.
Phase 1 (IKE) Proposal
In Main Mode, this allows setting up to six encryption standards, in descending order of priority, to be used in initial connection key negotiations. In Aggressive Mode, only one selection is permitted.
Phase 1 DH Group
This is the Diffie-Hellman group used within IKE. This allows two parties to establish a shared secret over an insecure communications channel. The larger the group number, the higher the security.
Group 2: 1024-bit is the default value. Group 5: 1536-bit is the alternative option.
Phase 1 SA
Lifetime
Phase 2 (ESP)
Proposal
Phase 2 PFS
Group
Phase 2 SA
Lifetime
This setting specifies the lifetime limit of this Phase 1 Security Association. By default, it is set at 3600 seconds.
In Main Mode, this allows setting up to six encryption standards, in descending order of priority, to be used for the IP data that is being transferred. In Aggressive Mode, only one selection is permitted.
Perfect forward secrecy (PFS) ensures that if a key was compromised, the attacker will be able to access only the data protected by that key.
None - Do not request for PFS when initiating connection. However, since there is no valid reason to refuse PFS, the system will allow the connection to use PFS if requested by the remote peer. This is the default value.
Group 2: 1024-bit Diffie-Hellman group. The larger the group number, the higher the security.
Group 5: 1536-bit is the third option.
This setting specifies the lifetime limit of this Phase 2 Security Association. By default, it is set at 28800 seconds.
IPsec Status shows the current connection status of each connection profile and is displayed at Status>IPsec VPN.
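The defaults listed above (Group 2, PFS None) are the weakest choice in each field, so a profile left on defaults is worth flagging during a review. The following added example (not Peplink code) audits a profile written as a dict keyed by this page's field names; the dict layout, the sample profiles and the baseline thresholds are assumptions.

```python
"""Audit an IPsec VPN profile against a stricter baseline (added example).

The dict keys are the field names used on this page. The dict layout and the
baseline values below are assumptions, not a Peplink export format or policy.
"""

# Diffie-Hellman group sizes as listed on this page.
GROUP_BITS = {"Group 2": 1024, "Group 5": 1536}

MIN_GROUP_BITS = 1536        # assumed baseline: largest group the page offers
MIN_PSK_LENGTH = 20          # assumed baseline for pre-shared key length
DEFAULT_P1_LIFETIME = 3600   # page default, seconds
DEFAULT_P2_LIFETIME = 28800  # page default, seconds


def audit_ipsec_profile(profile):
    """Return a list of (severity, field, message) findings for one profile."""
    findings = []

    def flag(severity, field, message):
        findings.append((severity, field, message))

    mode = profile.get("Mode", "Main Mode")
    psk_auth = profile.get("Authentication", "Preshared Key") == "Preshared Key"

    # Aggressive Mode sends the authentication hash before the exchange is
    # encrypted, so a captured handshake permits offline guessing of the key.
    if psk_auth and mode == "Aggressive Mode":
        flag("high", "Mode",
             "Aggressive Mode with a pre-shared key; use Main Mode or X.509")
    if psk_auth and len(profile.get("Pre-shared Key", "")) < MIN_PSK_LENGTH:
        flag("high", "Pre-shared Key",
             f"shorter than {MIN_PSK_LENGTH} characters")

    # Unset fields fall back to the defaults this page documents.
    dh = profile.get("Phase 1 DH Group", "Group 2")
    if GROUP_BITS.get(dh, 0) < MIN_GROUP_BITS:
        flag("medium", "Phase 1 DH Group",
             f"{dh} is below {MIN_GROUP_BITS}-bit")

    pfs = profile.get("Phase 2 PFS Group", "None")
    if pfs == "None":
        flag("medium", "Phase 2 PFS Group",
             "PFS is not requested; Phase 2 keys depend on the Phase 1 secret")
    elif GROUP_BITS.get(pfs, 0) < MIN_GROUP_BITS:
        flag("medium", "Phase 2 PFS Group",
             f"{pfs} is below {MIN_GROUP_BITS}-bit")

    for field, default in (("Phase 1 SA Lifetime", DEFAULT_P1_LIFETIME),
                           ("Phase 2 SA Lifetime", DEFAULT_P2_LIFETIME)):
        if profile.get(field, default) > default:
            flag("low", field, f"longer than the {default}-second default")
    return findings


# Constructed sample profiles (not taken from a real device).
WEAK_PROFILE = {
    "Mode": "Aggressive Mode",
    "Authentication": "Preshared Key",
    "Pre-shared Key": "branch-office-1",
    "Phase 1 DH Group": "Group 2",
    "Phase 2 PFS Group": "None",
    "Phase 1 SA Lifetime": 3600,
    "Phase 2 SA Lifetime": 28800,
}
STRICTER_PROFILE = {
    "Mode": "Main Mode",
    "Authentication": "X.509 Certificate",
    "Phase 1 DH Group": "Group 5",
    "Phase 2 PFS Group": "Group 5",
    "Phase 1 SA Lifetime": 3600,
    "Phase 2 SA Lifetime": 28800,
}

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("stricter", STRICTER_PROFILE)):
        print(name)
        for severity, field, message in audit_ipsec_profile(prof):
            print(f"  [{severity}] {field}: {message}")
```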
10.4 Outbound Policy
Outbound policies for managing and load balancing outbound traffic are located at Network>Outbound Policy. Click the button beside the Outbound Policy box:
A selection menu will appear, giving you the choice between three different Outbound Policy Settings:
Outbound Policy Settings
High Application Compatibility: Outbound traffic from a source LAN device is routed through the same WAN connection regardless of the destination Internet IP address and protocol. This option provides the highest application compatibility.
Normal Application Compatibility: Outbound traffic from a source LAN device to the same destination Internet IP address will be routed through the same WAN connection persistently, regardless of protocol. This option provides high compatibility to most applications, and users still benefit from WAN link load balancing when multiple Internet servers are accessed.
Custom: Outbound traffic behavior can be managed by defining rules in a custom rule table. A default rule can be defined for connections that cannot be matched with any of the rules.
The menu underneath enables you to define Outbound policy rules:
The bottom-most rule is Default. Edit this rule to change the device’s default manner of controlling outbound traffic for all connections that do not match any of the rules above it. Under the Service heading, click Default to change these settings.
To rearrange the priority of outbound rules, drag and drop them into the desired sequence.
By default, Auto is selected as the Default Rule. You can select Custom to change the algorithm to be used. Please refer to the upcoming sections for the details on the available algorithms.
To create a custom rule, click Add Rule at the bottom of the table. Note that some Pepwave routers display this button at Advanced>PepVPN>PepVPN Outbound Custom Rules.
New Custom Rule Settings
Service Name: This setting specifies the name of the outbound traffic rule.
Enable: This setting specifies whether the outbound traffic rule takes effect. When Enable is checked, the rule takes effect: traffic is matched and actions are taken by the Pepwave router based on the other parameters of the rule. When Enable is unchecked, the rule does not take effect: the Pepwave router disregards the other parameters of the rule.
Click the drop-down menu next to the checkbox to apply a time schedule to this custom rule.
Source: This setting specifies the source IP address, IP network, or MAC address for traffic that matches the rule.
Destination: This setting specifies the destination IP address, IP network, or domain name for traffic that matches the rule.
If Domain Name is chosen and a domain name, such as foobar.com, is entered, any outgoing accesses to foobar.com and *.foobar.com will match this criterion. You may enter a wildcard (.*) at the end of a domain name to match any host with a name having the domain name in the middle. If you enter foobar.*, for example, www.foobar.com, www.foobar.co.jp, or foobar.co.uk will also match. Placing wildcards in any other position is not supported. NOTE: if a server has one Internet IP address and multiple server names, and if one of the names is defined here, accesses to any one of the server names will also match this rule.
Protocol and Port: This setting specifies the IP protocol and port of traffic that matches this rule.
Algorithm: This setting specifies the behavior of the Pepwave router for the custom rule. One of the following values can be selected (note that some Pepwave routers provide only some of these options):
● Weighted Balance
● Persistence
● Enforced
● Priority
● Overflow
● Least Used
● Lowest Latency
For a full explanation of each algorithm, please see the following article:
https://forum.peplink.com/t/exactly-how-do-peplinks-load-balancing-algorithmns-work/8059
Terminate Sessions on Link Recovery: This setting specifies whether to terminate existing IP sessions on a less preferred WAN connection in the event that a more preferred WAN connection is recovered. This setting is applicable to the Weighted, Persistence, and Priority algorithms. By default, this setting is disabled. In this case, existing IP sessions will not be terminated or affected when any other WAN connection is recovered. When this setting is enabled, existing IP sessions may be terminated when another WAN connection is recovered, such that only the preferred healthy WAN connection(s) is used at any point in time.
10.5 Inbound Access
Inbound access is also known as inbound port address translation. On a NAT WAN connection, all inbound traffic to the server behind the Peplink unit requires inbound access rules.
By defining servers and services for inbound access, Internet users can access the servers behind the Peplink Balance. Advanced configurations allow inbound access to be distributed among multiple servers on the LAN.
Important Note
Inbound access applies only to WAN connections that operate in NAT mode. For WAN connections that operate in drop-in mode or IP forwarding, inbound traffic is forwarded to the LAN by default.
10.5.1 Servers
The settings to configure servers on the LAN are located at Network>Inbound Access>Servers.
Inbound connections from the Internet will be forwarded to the specified Inbound IP address(es) based on the protocol and port number. When more than one server is defined, requests will be distributed to the servers in the weight ratio specified for each server.
To define a new server, click Add Server, which displays the following screen:
Enter a valid server name and its corresponding LAN IP address. Upon clicking Save after entering required information, the following screen appears.
To define additional servers, click Add Server and repeat the above steps.
10.5.2 Services
Services are defined at Network>Inbound Access>Services.
Tip
At least one server must be defined before services can be added.
To define a new service, click the Add Service button, upon which the following menu appears:
Services Settings
Enable: This setting specifies whether the inbound service rule takes effect.
When Yes is selected, the inbound service rule takes effect. If the inbound traffic matches the specified IP protocol and port, action will be taken by the Peplink Balance based on the other parameters of the rule.
When No is selected, the inbound service rule does not take effect. The Peplink Balance will disregard the other parameters of the rule.
Service Name: This setting identifies the service to the system administrator. Only alphanumeric and the underscore “_” characters are valid.
IP Protocol: The IP Protocol setting, along with the Port setting, specifies the protocol of the service as TCP, UDP, ICMP, or IP. Inbound traffic that matches the specified IP Protocol and Port(s) will be forwarded to the LAN hosts specified by the Servers setting.
Upon choosing a protocol, the Protocol Selection Tool drop-down menu can be used to automatically fill in the port information of common Internet services (e.g. HTTP, HTTPS, etc.).
After selecting an item from the Protocol Selection Tool drop-down menu, the protocol and the port number will remain manually modifiable.
Port: The Port setting specifies the port(s) that correspond to the service, and can be configured to behave in one of the following manners:
Any Port, Single Port, Port Range, Port Map, and Range Mapping
Any Port: all traffic that is received by the Peplink Balance via the specified protocol is forwarded to the servers specified by the Servers setting. For example, if IP Protocol is set to TCP and Port is set to Any Port, then all TCP traffic will be forwarded to the configured servers.
Single Port: traffic that is received by the Peplink Balance via the specified protocol at the specified port is forwarded via the same port to the servers specified by the Servers setting.
For example, if IP Protocol is set to TCP, Port is set to Single Port, and Service Port is set to 80, then TCP traffic received on Port 80 will be forwarded to the configured servers via port 80.
Port Range: traffic that is received by the Peplink Balance via the specified protocol at the specified port range is forwarded via the same respective ports to the LAN hosts specified by the Servers setting.
For example, if IP Protocol is set to TCP, Port is set to Port Range, and Service Port set to 80-88, then TCP traffic received on ports 80 through 88 will be forwarded to the configured servers via the respective ports.
Port Mapping: traffic that is received by the Peplink Balance via the specified protocol at the specified port is forwarded via a different port to the servers specified by the Servers setting.
For example, if IP Protocol is set to TCP, Port is set to Port Mapping, Service Port is set to 80, and Map to Port is set to 88, then TCP traffic on port 80 is forwarded to the configured servers via port 88.
(Please see below for details on the Servers setting.)
Range Mapping: traffic that is received by Peplink Balance via the specified protocol at the specified port range is forwarded via a different port to the servers specified by the Servers setting.
Inbound IP Address(es): This setting specifies the WAN connections and Internet IP address(es) from which the service can be accessed.
Included Server(s): This setting specifies the LAN servers that handle requests for the service, and the relative weight values. The amount of traffic that is distributed to a server is proportional to the weight value assigned to the server relative to the total weight.
Example:
With the following weight settings on a Peplink Balance:
● demo_server_1: 10
● demo_server_2: 5
The total weight is 15 = (10 + 5)
Matching traffic distributed to demo_server_1: 67% = (10 / 15) x 100%
Matching traffic distributed to demo_server_2: 33% = (5 / 15) x 100%
UPnP / NAT-PMP Settings
UPnP and NAT-PMP are network protocols which allow a computer connected to the LAN port to automatically configure the router to allow parties on the WAN port to connect to itself. That way, the process of inbound port forwarding becomes automated.
When a computer creates a rule using these protocols, the specified TCP/UDP port of all WAN connections' default IP address will be forwarded.
Check the corresponding box(es) to enable UPnP and/or NAT-PMP. Enable these features only if you trust the computers connected to the LAN ports.
When the options are enabled, a table listing all the forwarded ports under these two protocols can be found at Network>Services>UPnP / NAT-PMP.
10.5.3 DNS Settings
The built-in DNS server functionality of the Peplink Balance facilitates inbound load balancing. With this functionality, NS/SOA DNS records for a domain name can be delegated to the Internet IP address(es) of the Peplink Balance. Upon receiving a DNS query, the Peplink Balance can return (as an “A” record) the IP address for the domain name on the most appropriate healthy WAN connection. It can also act as a generic DNS server for hosting “A”, “CNAME”, “MX”, “TXT” and “NS” records.
The settings for defining the DNS records to be hosted by the Peplink Balance are located at Network>Inbound Access>DNS Settings.
DNS Settings
DNS Servers: This setting specifies the WAN IP addresses on which the DNS server of the Peplink Balance should listen.
If no addresses are selected, the inbound link load balancing feature will be disabled and the Peplink Balance will not respond to DNS requests.
To specify and/or modify the IP addresses on which the DNS server should listen, click the button that corresponds to DNS Server, and a selection screen will be displayed:
To specify the Internet IP addresses on which the DNS server should listen, select the desired WAN connection then select the desired associated IP addresses. (Multiple items in the list can be selected by holding CTRL and clicking on the items.)
Click Save to save the settings when configuration is complete.
Zone Transfer: This setting specifies the IP address(es) of the secondary DNS server(s) authorized to retrieve zone records from the DNS server of the Peplink Balance.
The zone transfer server of the Peplink Balance listens on TCP port 53.
The Peplink Balance serves both the clients that are accessing from the specified IP addresses, and the clients that are accessing its LAN interface.
Routing Control by Subnet Database: When this function is enabled, the system will check to see if an incoming DNS client is within any WAN's ISP subnet. Only the matched WAN(s)'s IP addresses will be returned. Note that this feature is available only when a subnet database has been defined.
Default SOA / NS: Click the button to define a default SOA / NS record for all domain names.
When defining a default SOA record, Name Server IP Address is optional. If left blank, the Address (A) record for the same server should be defined manually in each domain. For defining default NS records, the host [domain] indicates that this record is for the domain name itself without a sub-domain prefix. To add a secondary NS server, just create a second NS record with the Host field left empty. When the entered name server is a fully qualified domain name (FQDN), the IP Address field will be disabled.
Default Connection Priority: Default Connection Priority defines the default priority group of each WAN connection in resolving A records. It applies to Address (A) records which have the Connection Priority set to Default. Please refer to Section 17.3.9 for details.
The WAN connection(s) with the highest priority (smallest number) will be chosen. Those with lower priorities will not be chosen in resolving A records unless the higher priority ones become unavailable.
To specify the primary and backup connections, click the button that corresponds to Default Connection Priority. A selection screen will appear.
Each WAN connection is associated with a priority number. Click Save to save the settings when configuration is complete.
Domain name
This section shows a list of domain names to be hosted by the Peplink Balance. Each domain can have its “NS”, “MX” and “TXT” records, and its sub-domains’ “A” and “CNAME” records. Add a new record by clicking the New Domain Name button. Click on a domain name to edit. Press the red X to remove a domain name.
New Domain Name
Upon clicking the New Domain Name button, the following screen will appear:
This page is for defining the domain’s SOA, NS, MX, CNAME, A, TXT, and SRV records. Seven tables are presented in this page for defining the five types of records.
10.5.3.1 SOA Records
Click on the icon to choose whether to use the pre-defined default SOA record and NS records. If the option Use Default SOA and NS Records is selected, any changes made in the default SOA/NS records will be applied to this domain automatically. Otherwise, select the option Customize SOA Record for this domain to customize this domain's SOA and NS records.
This table displays the current SOA record. When the option Customize SOA Record for this domain is selected, you can click the link Click here to define SOA record to create or click on the Name Server field to edit the SOA record.
In the SOA record, you have to fill out the fields Name Server, Name Server IP Address, Email, Refresh, Retry, Expire, Min Time, and TTL.
Default values are set for SOA and NS records,
Name Server IP Address: This is the IP address of the authoritative name server. An entry in this field is optional. If the Balance is the authoritative name server of the domain, this field's value should be the WAN connection's name server IP address that is registered in the DNS registrar. If this field is entered, a corresponding A record for the name server will be created automatically. If it is left blank, the A record for the name server must be created manually.
E-mail: Defines the e-mail address of the person responsible for this zone. Note: format should be mailbox-name.domain.com, e.g., hostmaster.example.com.
Refresh: Indicates the length of time (in seconds) when the slave will try to refresh the zone from the master.
Retry: Defines the duration (in seconds) between retries if the slave (secondary) fails to contact the master and the refresh (above) has expired.
Expire: Indicates the time (in seconds) when the zone data is no longer authoritative. This option applies to slave DNS servers only.
Min Time: Is the negative caching time which defines the time (in seconds) after an error record is cached.
TTL (Time-to-Live): Defines the duration (in seconds) that the record may be cached.
10.5.3.2 NS Records
The NS Records table shows the NS servers and TTL that correspond to the domain. The NS record of the name server defined in the SOA record is automatically added here.
To add a new NS record, click the New NS Records button in the NS Records box. Then the table will expand to look like the following:
When creating an NS record for the domain itself (not a sub-domain), the Host field should be left blank.
Enter a name server host name and its IP address into the corresponding boxes. The host name can be a non-FQDN (fully qualified domain name). Please be sure that a corresponding A record is created. Click the button on the right to finish and to add other name servers. Click the Save button to save your changes.
10.5.3.3 MX Records
The MX Record table shows the domain’s MX records. To add a new MX record, click the New MX Records button in the MX Records box. Then the table will expand to look like the following:
When creating an MX record for the domain itself (not a sub-domain), the Host field should be left blank.
For each record, Priority and Mail Server name must be entered. Priority typically ranges from 10 to 100. Smaller numbers have a higher priority. After finishing adding MX records, click the Save button.
10.5.3.4 CNAME Records
The CNAME Record table shows the domain’s CNAME records. To add a new CNAME record, click the New CNAME Records button in the CNAME Record box. Then the table will expand to look like the following:
When creating a CNAME record for the domain itself (not a sub-domain), the Host field should be left blank.
The wildcard character “*” is supported in the Host field. The reference of ".domain.name" will be returned for every name ending with ".domain.name" except names that have their own records.
The TTL field tells the time to live of the record in external DNS caches.
10.5.3.5 A Records
This table shows the A records of the domain name. To add an A record, click the New A Record button. The following screen will appear:
An A record may be automatically added for the SOA records with a name server IP address provided.
A Record
Host Name: This field specifies the A record of this sub-domain to be served by the Peplink Balance. The wildcard character “*” is supported. The IP addresses of "*.domain.name" will be returned for every name ending with ".domain.name" except names that have their own records.
TTL: This setting specifies the time to live of this record in external DNS caches.
In order to reflect any dynamic changes on the IP addresses in case of link failure and recovery, this value should be set to a smaller value, e.g., 5 secs, 60 secs, etc.
Priority: This option specifies the priority of different connections. Select the Default option to apply the Default Connection Priority (refer to the table shown on the main DNS settings page) to an A record. To customize priorities, choose the Custom option and a priority selection table will be shown at the bottom.
Included IP Address(es): This setting specifies lists of WAN-specific Internet IP addresses that are candidates to be returned when the Peplink Balance responds to DNS queries for the domain name specified by Host Name.
The IP addresses listed in each box as default are the Internet IP addresses associated with each of the WAN connections. Static IP addresses that are not associated with any WAN can be entered into the Custom IP list. A PTR record is also created for each custom IP.
For WAN connections that operate under drop-in mode, there may be other routable IP addresses in addition to the default IP address. Therefore, the Peplink Balance allows custom Internet IP addresses to be added manually via filling the text box on the right-hand side and clicking the button.
Only the checked IP addresses in the lists are candidates to be returned when responding to a DNS query.
If a WAN connection is down, the corresponding set of IP addresses will not be returned. However, the IP addresses in the Custom IP Address field will always be returned.
If the Connection Priority field is set to Custom, you can also specify the usage priority of each WAN connection. Only selected IP address(es) of available connection(s) with the highest priority, and custom IP addresses will be returned. By default, Connection Priority is set to Default.
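The selection rules above (checked addresses only, down WANs excluded, highest priority group only, custom IPs always included) can be modelled in a few lines. This is an added example, not Peplink firmware code: the `Wan` structure, the function names and the sample addresses (documentation ranges) are assumptions made to illustrate the documented behaviour.

```python
"""Model of the documented A-record answer selection (added example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Wan:
    name: str
    priority: int   # smaller number = higher priority, as on this page
    healthy: bool   # result of the WAN health check
    ips: tuple      # (ip, checked) pairs from Included IP Address(es)


def resolve_a_record(wans, custom_ips):
    """Return the IPs that would be answered for one A record."""
    healthy = [w for w in wans if w.healthy]
    answer = []
    if healthy:
        # Only the best priority group among available connections is used.
        best = min(w.priority for w in healthy)
        for wan in healthy:
            if wan.priority == best:
                answer.extend(ip for ip, checked in wan.ips if checked)
    # Custom IPs are returned regardless of WAN state.
    answer.extend(ip for ip in custom_ips if ip not in answer)
    return answer


def failover_timeline(wans, custom_ips, outages):
    """Answers before any outage and after each cumulative outage.

    `outages` is an ordered list of WAN names that go down one after another.
    """
    down = set()
    timeline = [resolve_a_record(wans, custom_ips)]
    for name in outages:
        down.add(name)
        state = [replace(w, healthy=w.healthy and w.name not in down)
                 for w in wans]
        timeline.append(resolve_a_record(state, custom_ips))
    return timeline


# Constructed sample configuration using documentation address ranges.
SAMPLE_WANS = [
    Wan("WAN1", 1, True, (("203.0.113.10", True), ("203.0.113.11", False))),
    Wan("WAN2", 1, True, (("198.51.100.20", True),)),
    Wan("LTE", 2, True, (("192.0.2.30", True),)),
]
SAMPLE_CUSTOM_IPS = ["192.0.2.200"]

if __name__ == "__main__":
    steps = ["all up", "WAN1 down", "WAN1+WAN2 down", "all WANs down"]
    timeline = failover_timeline(SAMPLE_WANS, SAMPLE_CUSTOM_IPS,
                                 ["WAN1", "WAN2", "LTE"])
    for label, answer in zip(steps, timeline):
        print(f"{label:>16}: {answer}")
```

The last step shows that a custom IP is still answered when every WAN is down, so hosts behind custom IPs need their own availability monitoring.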
10.5.3.6 PTR Records
PTR records are created along with A records pointing to custom IPs. Please refer to Section 17.3.9 for details. For example, if you created an A record www.mydomain.com pointing to 11.22.33.44, then a PTR record 44.33.22.11.in-addr.arpa pointing to www.mydomain.com will also be created. When there are multiple host names pointing to the same IP address, only one PTR record for the IP address will be created. In order for PTR records to function, you also need to create NS records. For example, if the IP address range 11.22.33.0 to 11.22.33.255 is delegated to the DNS server on the Peplink Balance, you will also have to create a domain 33.22.11.in-addr.arpa and have its NS records pointing to your DNS server’s (the Peplink Balance’s) public IP addresses. With the above records created, the PTR record creation is complete.
10.5.3.7 TXT Records
This table shows the TXT record of the domain name.
To add a new TXT record, click the New TXT Record button in the TXT Records box. Click the Edit button to edit the record. The time-to-live value and the TXT record’s value can be entered. Click the Save button to finish.
When creating a TXT record for the domain itself (not a sub-domain), the Host field should be left blank.
The maximum size of the TXT Value is 255 bytes.
After editing the five types of records, you can leave the page by simply going to another section of the web admin interface.
10.5.3.8 SRV Records
To add a new SRV record, click the New SRV Record button in the SRV Records box.
Service: The symbolic name of the desired service.
Priority: Indicates the priority of the target; the smaller the value, the higher the priority.
Weight: A relative weight for records with the same priority.
Target: The canonical hostname of the machine providing the service.
Port: Enter the TCP or UDP port number on which the service is to be found.
Reverse Lookup Zones
Reverse lookup zones can be configured in Network>Inbound Access>DNS Settings.
Reverse lookup refers to performing a DNS query to find one or more DNS names associated with a given IP address.
The DNS stores IP addresses in the form of specially formatted names as pointer (PTR) records using special domains/zones. The zone is in-addr.arpa.
To enable DNS clients to perform a reverse lookup for a host, perform two steps:
● Create a reverse lookup zone that corresponds to the subnet network address of the host. In the reverse lookup zone, add a pointer (PTR) resource record that maps the host IP address to the host name.
● Click the New Reverse Lookup Zone button and enter a reverse lookup zone name. If you are delegated the subnet 11.22.33.0/24, the Zone Name should be 33.22.11.in-addr.arpa. PTR records for 11.22.33.1, 11.22.33.2, ... 11.22.33.254 should be defined in this zone where the host IP numbers are 1, 2, ... 254, respectively.
SOA Record
You can click the link Click here to define SOA record to create or click on the Name Server field to edit the SOA record.
Name Server: Enter the NS record's FQDN server name here.
For example: "ns1.mydomain.com" (equivalent to "www.1stdomain.com.") "ns2.mydomain.com."
Email, Refresh, Retry, Expire, Min Time, and TTL are entered in the same way as in the forward zone. Please refer to Section 17.3.5 for details.
NS Records
The NS record of the name server defined in the SOA record is automatically added here. To create a new NS record, click the New NS Records button.
When creating an NS record for the reverse lookup zone itself (not a sub-domain or dedicated zone), the Host field should be left blank. Name Server must be a FQDN.
CNAME Records
To create a new CNAME record, click the New CNAME Record button. CNAME records are typically used for defining classless reverse lookup zones. Subnetted reverse lookup zones are further described in RFC 2317, "Classless IN-ADDR.ARPA delegation."
PTR Records
To create a new PTR record, click the New PTR Record button. For the Host IP Number field, enter the last integer in the IP address of a PTR record. For example, for the IP address 11.22.33.44, where the reverse lookup zone is 33.22.11.in-addr.arpa, the Host IP Number should be 44.
The Points To field defines the host name which the PTR record should be pointed to. It must be a FQDN.
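Zone names and Host IP Numbers are easy to mistype, and a reverse zone with a wrong name never receives queries. The following added example (not part of the manual or of Peplink's software) derives the Zone Name and Host IP Number for a delegated /24, checks an entered zone name, and plans one PTR record per IP; the function names are assumptions, and keeping the first host name per IP is an assumption about which name is kept.

```python
"""Derive and check reverse lookup zone data for a delegated /24 (added example)."""
import ipaddress


def reverse_zone_for(network):
    """Zone Name for a delegated /24, e.g. 11.22.33.0/24 -> 33.22.11.in-addr.arpa."""
    net = ipaddress.ip_network(network)
    if net.version != 4 or net.prefixlen != 24:
        # Longer prefixes need the CNAME scheme of RFC 2317 instead.
        raise ValueError("only IPv4 /24 delegations are handled here")
    labels = net.network_address.reverse_pointer.split(".")
    return ".".join(labels[1:])  # drop the host octet label


def ptr_entry(ip, network):
    """Return the zone, Host IP Number and full owner name for one address."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(network):
        raise ValueError(f"{ip} is outside {network}")
    return {
        "zone": reverse_zone_for(network),
        "host_ip_number": int(str(addr).split(".")[-1]),
        "owner": addr.reverse_pointer,
    }


def check_zone_name(entered, network):
    """Return a list of problems with a Zone Name typed by an administrator."""
    expected = reverse_zone_for(network)
    name = entered.strip().rstrip(".").lower()
    problems = []
    if not name.endswith(".in-addr.arpa"):
        problems.append("zone name must end in in-addr.arpa")
    if name != expected:
        problems.append(f"expected {expected}")
    return problems


def plan_ptr_records(a_records, network):
    """Map Host IP Number -> Points To name, one PTR record per IP address.

    `a_records` is a list of (host name, ip) pairs. Addresses outside the
    delegated network are skipped; the first host name seen for an IP is kept.
    """
    net = ipaddress.ip_network(network)
    plan = {}
    for host, ip in a_records:
        if ipaddress.ip_address(ip) in net:
            plan.setdefault(ptr_entry(ip, network)["host_ip_number"], host)
    return plan


# Constructed records built around the addresses used on this page.
SAMPLE_A_RECORDS = [
    ("www.mydomain.com", "11.22.33.44"),
    ("mail.mydomain.com", "11.22.33.44"),
    ("vpn.mydomain.com", "11.22.33.45"),
    ("other.mydomain.com", "11.22.34.1"),
]

if __name__ == "__main__":
    print(ptr_entry("11.22.33.44", "11.22.33.0/24"))
    print(check_zone_name("33.22.11.in-arpa.addr", "11.22.33.0/24"))
    print(plan_ptr_records(SAMPLE_A_RECORDS, "11.22.33.0/24"))
```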
DNS Record Import Wizard
At the bottom of the DNS settings page, the link Import records via zone transfer… is used to import DNS records using an import wizard.
● Select Next >> to continue.
● In the Target DNS Server IP Address field, enter the IP address of the DNS server.
● In the Transfer via…field, choose the connection which you would like to transfer through.
● Select Next >> to continue.
● In the blank space, enter the Domain Names (Zones) which you would like to assign the IP address entered in the previous step. Enter one domain name per line.
● Select Next >> to continue.
Important Note
If you have entered domain(s) which already exist in your settings, a warning message will appear. Select Next >> to overwrite the existing record or << Back to go back to the previous step.
After the zone records have been fetched, the fetch results will be shown as above. You can view import details by clicking the corresponding hyperlink on the right-hand side.
10.6 NAT Mappings
The Peplink Balance allows the IP address mapping of all inbound and outbound NAT’ed traffic to and from an internal client IP address.
NAT mappings can be configured at Network>NAT Mappings.
To add a rule for NAT mappings, click Add NAT Rule and the following screen will be displayed:
NAT Mapping Settings
LAN Client(s): NAT Mapping rules can be defined for a single LAN IP Address, an IP Range, or an IP Network.
Address: This refers to the LAN host’s private IP address. The system maps this address to a number of public IP addresses (specified below) in order to facilitate inbound and outbound traffic. This option is only available when IP Address is selected.
Range: The IP range is a contiguous group of private IP addresses used by the LAN host. The system maps these addresses to a number of public IP addresses (specified below) to facilitate outbound traffic. This option is only available when IP Range is selected.
Network: The IP network refers to all private IP addresses and ranges managed by the LAN host. The system maps these addresses to a number of public IP addresses (specified below) to facilitate outbound traffic. This option is only available when IP Network is selected.
Inbound Mappings: This setting specifies the WAN connections and corresponding WAN-specific Internet IP addresses on which the system should bind. Any access to the specified WAN connection(s) and IP address(es) will be forwarded to the LAN host. This option is only available when IP Address is selected in the LAN Client(s) field.
Note 1: Inbound mapping is not needed for WAN connections in drop-in mode or IP forwarding mode.
Note 2: Each WAN IP address can be associated to one NAT mapping only.
Outbound Mappings: This setting specifies the WAN IP addresses that should be used when an IP connection is made from a LAN host to the Internet.
Each LAN host in an IP range or IP network will be evenly mapped to one of each selected WAN's IP addresses (for better IP address utilization) in a persistent manner (for better application compatibility).
Note 1: If you do not want to use a specific WAN for outgoing accesses, you should still choose default here, then customize the outbound access rule in the Outbound Policy section.
Note 2: WAN connections in drop-in mode or IP forwarding mode are not shown here.
Click Save to save the settings when configuration has been completed.
Important Note
Inbound firewall rules override inbound mapping settings.
10.7 MediaFast
MediaFast settings can be configured by navigating to Network > MediaFast.
Setting Up MediaFast Content Caching
To access MediaFast content caching settings, select Network > MediaFast.
MediaFast
Enable: Click the checkbox to enable MediaFast content caching.
Domains / IP Addresses: Choose to Cache on all domains, or enter domain names and then choose either Whitelist (cache the specified domains only) or Blacklist (do not cache the specified domains).
The Secure Content Caching menu operates identically to the MediaFast menu, except it is for secure content accessible through https://.
Cache Control
Content Type: Check these boxes to cache the listed content types or leave boxes unchecked to disable caching for the listed types.
Cache Lifetime Settings: Enter a file extension, such as JPG or DOC. Then enter a lifetime in days to specify how long files with that extension will be cached. Add or delete entries using the controls on the right.
Viewing MediaFast Statistics
To get details on storage and bandwidth usage, select Status>MediaFast.
10.7.1 Prefetch Schedule
Content prefetching allows you to download content on a schedule that you define, which can help to preserve network bandwidth during busy times and keep costs down. To access MediaFast content prefetching settings, select Network > MediaFast > Prefetch Schedule.
Prefetch Schedule Settings
Name: This field displays the name given to the scheduled download.
Status: Check the status of your scheduled download here.
Next Run Time/Last Run Time: These fields display the date and time of the next and most recent occurrences of the scheduled download.
Last Duration: Check this field to ensure that the most recent download took as long as expected to complete. A value that is too low might indicate an incomplete download or incorrectly specified download target, while a value that is too long could mean a download with an incorrectly specified target or stop time.
Result: This field indicates whether downloads are in progress ( ) or complete ( ).
Last Download: Check this field to ensure that the most recent download file size is within the expected range. A value that is too low might indicate an incomplete download or incorrectly specified download target, while a value that is too high could mean a download with an incorrectly specified target or stop time. This field is also useful for quickly seeing which downloads are consuming the most storage space.
Actions:
To begin a scheduled download immediately, click .
To cancel a scheduled download, click .
To edit a scheduled download, click .
To delete a scheduled download, click .
Click New Schedule to begin creating a new scheduled download. Clicking the button will cause the following screen to appear:
Simply provide the requested information to create your schedule.
Clear Web Cache: Click to clear all cached content. Note that this action cannot be undone.
Clear Statistics: Click to clear all prefetch and status page statistics.
10.8 ContentHub
Integrated into MediaFast-enabled routers, ContentHub allows you to deliver webpages and applications using the cache. To access ContentHub, navigate to Network > ContentHub:
Check the Enable box.
Click New Website, and the following configuration options will appear:
The Active checkbox toggles the activation of the website/application. This will be useful when there are multiple applications being delivered. For type, you can select either Website or Application:
Selecting Website:
Domain/Path: Both domain and path must be specified for website type.
Source: Enter the FTP server you will be downloading the content from. Enter your credentials under Username and Password.
Period: This field determines how often the Router will search for updates to the source content.
Bandwidth Limit: This field determines the amount of bandwidth dedicated to this website.
Selecting Application:
Domain: Enter the domain your application is hosted at.
Method: Enter the FTP server you will be downloading the content from. Enter your credentials under Username and Password.
Bandwidth Limit: This field determines the amount of bandwidth dedicated to this application.
10.9 MDM Settings
In addition to performing content caching, MediaFast-enabled routers can also serve as an MDM, administering client devices. To access MDM Settings, navigate to Network > MDM Settings:
MDM Settings
Enable: Click this checkbox to enable MDM on your router.
Account Settings: Click Follow Web Admin Account to allow client devices to use the built-in administrator account when performing MDM. Set Custom to specify a username and password your router will use to log into your client devices.
10.10 Captive Portal
The captive portal serves as a gateway that clients have to pass if they wish to access the Internet using your router. To configure, navigate to Network>Captive Portal.
Captive Portal Settings
Enable: Check Enable and then, optionally, select the LANs/VLANs that will use the captive portal.
Hostname: To customize the portal’s form submission and redirection URL, enter a new URL in this field. To reset the URL to factory settings, click Default.
Access Mode: Click Open Access to allow clients to freely access your router. Click User Authentication to force your clients to authenticate before accessing your router.
RADIUS Server: This authenticates your clients through a RADIUS server. After selecting this option, you will see the following fields:
Fill in the necessary information to complete your connection to the server and enable authentication.
LDAP Server: This authenticates your clients through an LDAP server. Upon selecting this option, you will see the following fields:
Fill in the necessary information to complete your connection to the server and enable authentication.
Access Quota: Set a time and data cap to each user’s Internet usage.
Quota Reset Time: This menu determines how your usage quota resets. Setting it to Daily will reset it at a specified time every day. Setting a number of minutes after quota reached establishes a timer for each user that begins after the quota has been reached.
Allowed Networks: To whitelist a network, enter the domain name / IP address here and click . To delete an existing network from the list of allowed networks, click the button next to the listing.
Allowed Clients: To whitelist a client, enter the MAC address / IP address here and click . To delete an existing client from the list of allowed clients, click the button next to the listing.
Splash Page: Here, you can choose between using the Balance’s built-in captive portal and redirecting clients to a URL you define.
The Portal Customization menu has two options: and . Clicking will result in a pop-up previewing the captive portal that your clients will see. Clicking will result in the appearance of the following menu:
Portal Customization
Logo Image: Click the Choose File button to select a logo to use for the built-in portal.
Message: If you have any additional messages for your users, enter them in this field.
Terms & Conditions: If you would like to use your own set of terms and conditions, please enter them here. If left empty, the built-in portal will display the default terms and conditions.
Custom Landing Page: Fill in this field to redirect clients to an external URL.
10.11 QoS
10.11.1 User Groups
LAN and PPTP clients can be categorized into three user groups - Manager, Staff, and Guest. This menu allows you to define rules and assign client IP addresses or subnets to a user group. You can apply different bandwidth and traffic prioritization policies on each user group in the Bandwidth Control and Application sections.
The table is automatically sorted, and the table order signifies the rules' precedence. The smaller and more specific subnets are put towards the top of the table and have higher precedence; larger and less specific subnets are placed towards the bottom.
Click the Add button to define clients and their user group. Click the button to remove the defined rule.
Two default rules are pre-defined and put at the bottom. They are All DHCP reservation clients and Everyone, and they cannot be removed. The All DHCP reservation client represents the LAN clients defined in the DHCP Reservation table on the LAN settings page. Everyone represents all clients that are not defined in any rule above. Click on a rule to change its group.
Add / Edit User Group
Subnet / IP Address: From the drop-down menu, choose whether you are going to define the client(s) by an IP Address or a Subnet. If IP Address is selected, enter a name defined in DHCP reservation table or a LAN client's IP address. If Subnet is selected, enter a subnet address and specify its subnet mask.
Group: This field is to define which User Group the specified subnet / IP address belongs to.
Once users have been assigned to a user group, their internet traffic will be restricted by rules defined for that particular group. Please refer to the following two sections for details.
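The rule precedence described in this section can be modelled as follows. This is an added example, not code from the manual or from Peplink: the sample rules, the DHCP reservation entry, and the groups assigned to the two default rules are constructed assumptions. It also lists narrow rules that override a broader rule's group, which is worth auditing because no per-user limit can be imposed on individual Managers.

```python
import ipaddress

# Constructed sample rules (assumption): (subnet or single IP, user group).
RULES = [
    ("192.168.1.0/24", "Staff"),
    ("192.168.1.10", "Manager"),
    ("192.168.0.0/16", "Guest"),
    ("192.168.1.128/25", "Guest"),
]
# Hypothetical stand-in for the DHCP Reservation table on the LAN settings page.
DHCP_RESERVATIONS = {"10.0.0.5": "printer"}
# The groups of the two default rules are assumptions for this example.
DEFAULT_DHCP_GROUP = "Staff"
DEFAULT_EVERYONE_GROUP = "Guest"


def sorted_rules(rules):
    """Order rules as the manual describes: smaller, more specific subnets first."""
    parsed = [(ipaddress.ip_network(n, strict=False), g) for n, g in rules]
    return sorted(parsed, key=lambda r: (-r[0].prefixlen, int(r[0].network_address)))


def classify(client_ip, rules=RULES):
    """Return (group, matched rule) for a LAN client; the first match wins."""
    addr = ipaddress.ip_address(client_ip)
    for net, group in sorted_rules(rules):
        if addr in net:
            return group, str(net)
    # The two default rules sit at the bottom of the table.
    if client_ip in DHCP_RESERVATIONS:
        return DEFAULT_DHCP_GROUP, "All DHCP reservation clients"
    return DEFAULT_EVERYONE_GROUP, "Everyone"


def override_report(rules=RULES):
    """List narrow rules that assign a different group than a broader rule containing them."""
    ordered = sorted_rules(rules)
    findings = []
    for i, (narrow, g_narrow) in enumerate(ordered):
        for broad, g_broad in ordered[i + 1:]:
            if narrow.subnet_of(broad) and g_narrow != g_broad:
                findings.append((str(narrow), g_narrow, str(broad), g_broad))
    return findings


if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.1.200", "192.168.7.7", "10.0.0.5", "172.16.0.9"):
        print(ip, classify(ip))
    for finding in override_report():
        print("override:", finding)
```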
10.11.2 Bandwidth Control
This section is to define how much minimum bandwidth will be reserved to each user group when a WAN connection is under full load. When this feature is enabled, a slider with two indicators will be shown. You can move the indicators to adjust each group's weighting. The lower part of the table shows the corresponding reserved download and upload bandwidth values of each connection.
By default, 50% of bandwidth has been reserved for Manager, 30% for Staff, and 20% for Guest.
You can define a maximum download speed (over all WAN connections) and upload speed (for each WAN connection) that each individual Staff and Guest member can consume. No limit can be imposed on individual Managers. By default, download and upload bandwidth limits are set to unlimited (set as 0).
10.11.3 Application
You can choose whether to apply the same prioritization settings to all user groups or customize the settings for each group.
Three priority levels can be set for application prioritization: High, Normal, and Low. The Peplink Balance can detect various application traffic types by inspecting the packet content.
Select an application by choosing a supported application, or by defining a custom application manually. The priority preference of supported applications is placed at the top of the table. Custom applications are at the bottom.
Prioritization for Custom Application
Click the Add button to define a custom application. Click the button in the Action column to delete the custom application in the corresponding row.
When Supported Applications is selected, the Peplink Balance will inspect network traffic and prioritize the selected applications. Alternatively, you can select Custom Applications and define the application by providing the protocol, scope, port number, and DSCP value.
Category and Application availability will be different across different Peplink Balance models.
DSL/Cable Optimization
DSL/cable-based WAN connections have lower upload bandwidth and higher download bandwidth.
When a DSL/cable circuit's uplink is congested, the download bandwidth will be affected. Users will not be able to download data at full speed until the uplink becomes less congested. DSL/Cable Optimization can relieve such an issue. When it is enabled, the download speed will become less affected by the upload traffic. By default, this feature is enabled.
10.12 Firewall
A firewall is a mechanism that selectively filters data traffic between the WAN side (the Internet) and the LAN side of the network. It can protect the local network from potential hacker attacks, access to offensive websites, and/or other inappropriate uses.
The firewall functionality of Peplink Balance supports the selective filtering of data traffic in both directions:
Outbound (LAN to WAN)
Inbound (WAN to LAN)
The firewall also supports the following functionality:
Intrusion detection and DoS prevention
Web blocking
With SpeedFusion™ enabled, the firewall rules also apply to VPN tunneled traffic. The Firewall function can be found at Network>Firewall.
10.12.1 Access Rules
The outbound firewall settings are located at Network>Firewall>Access Rules.
Click Add Rule to display the following screen:
The inbound firewall settings are located at Network>Firewall>Access Rules.
Click Add Rule to display the following window:
Inbound / Outbound Firewall Settings
Rule Name: This setting specifies a name for the firewall rule.
Enable: This setting specifies whether the firewall rule should take effect.
If the box is checked, the firewall rule takes effect. If the traffic matches the specified protocol/IP/port, actions will be taken by Peplink Balance based on the other parameters of the rule.
If the box is not checked, the firewall rule does not take effect. The Peplink Balance will disregard the other parameters of the rule.
Click the dropdown menu next to the checkbox to place this firewall rule on a time schedule.
WAN Connection (Inbound): Select the WAN connection that this firewall rule should apply to.
Protocol: This setting specifies the protocol to be matched. Via a drop-down menu, the following protocols can be specified:
TCP
UDP
ICMP
IP
Alternatively, the Protocol Selection Tool drop-down menu can be used to automatically fill in the protocol and port number of common Internet services (e.g., HTTP, HTTPS, etc.)
After selecting an item from the Protocol Selection Tool drop-down menu, the protocol and port number remain manually modifiable.
Source IP & Port: This specifies the source IP address(es) and port number(s) to be matched for the firewall rule. A single address, or a network, can be specified as the Source IP & Port setting, as indicated with the following screenshots:
In addition, a single port, or a range of ports, can be specified for the Source IP & Port settings.
Destination IP & Port: This specifies the destination IP address(es) and port number(s) to be matched for the firewall rule. A single address, or a network, can be specified as the Destination IP & Port setting, as indicated with the following screenshots:
In addition, a single port, or a range of ports, can be specified for the Destination IP & Port settings.