
Training Materials

Last updated: 14-09-2015


2015 Peplink / Pepwave
All rights reserved. No part of this manual may be reproduced, transcribed, stored in a retrieval system,
translated into any language or computer language or transmitted in any form or by any means, electronic,
mechanical, photocopying, recording or otherwise, without the prior written permission of the copyright
owner.
The copyright owner gives no warranties and makes no representations about the contents of this manual
and specifically disclaims any implied warranties or merchantability or fitness for any purpose.
The owner reserves the right to revise this manual and to make changes from time to time in its contents
without notifying any person of such revisions or changes.

Private and Confidential Not for Distribution

Course Agenda
Module 1: Understanding Multi-WAN and SpeedFusion
Brief description of Peplink/Pepwave's most important technologies
Module 2: Peplink and Pepwave Products Overview
Introduction of Peplink and Pepwave products.
Module 3: Balance and MAX Routers
Exploring different configuration scenarios with Balance and MAX routers.
Module 4: Wireless Access Point
In-depth configuration guide for Wireless Access Points.
Module 5: Surf Series
Explanation and setup instructions for the Surf Series.
Module 6: Cloud-Based Networking
InControl and FusionHub

Module 1: Unbreakable VPN


In this chapter, we will focus on how SpeedFusion functions, its distinguishing features/benefits, and its implementation scenarios.


A well-designed VPN provides a business with the following benefits:

- Extended connectivity across multiple geographic locations without using a leased line
- Improved security for exchanging data
- Ability for remote offices and employees to use the business intranet over an existing Internet connection as if they were directly connected to the network
- Savings in time and expense for employees to commute if they work from virtual workplaces
- Improved productivity for remote employees

Examples of VPN usage include accessing resources available only at HQ (file or print sharing) and using restricted internal applications that require a VPN to be established.


Peplink's Unbreakable VPN uses multiple WAN connections to keep VPNs up and running when a connection fails. Powered by our patent-pending SpeedFusion technology, Unbreakable VPN automatically and seamlessly moves VPN sessions to standby WAN links when active links drop out. All this is transparent to users, making all VoIP calls and video streams run flawlessly. Your business continues, uninterrupted.

SpeedFusion VPN is useful for Public Transport, Video Streaming, Mobile Command, Branch-to-HQ, and Rural Areas. It is applicable anywhere you need a reliable VPN connection.


Introducing the World's Easiest VPN

PepVPN is our core VPN engine. It is ideal for establishing a secure tunnel over any WAN link. On top of all the benefits of IPsec and other conventional VPN technologies, the PepVPN engine also offers:
- Long-distance Ethernet cable: You can easily build a secure and seamless Ethernet tunnel over any IP connection (Layer 2 over Layer 3). It virtually provides a long-distance Ethernet cable over any WAN link.
- Seamless transition: PepVPN and SpeedFusion share the same core VPN engine, meaning that all your PepVPN and SpeedFusion-enabled devices will work flawlessly together. It also allows you to easily upgrade a PepVPN endpoint to SpeedFusion, taking advantage of the added benefits without worrying about compatibility.
- Works in any dynamic IP environment: PepVPN is fully compatible with any dynamic IP environment and NAT, allowing you to establish a VPN behind a NAT gateway or firewall without worrying about static IP addresses.

This technology can be applied to SOHO and Mobile Office deployments: any environment that requires reliable connectivity for business operations via VPN without using multiple low-cost Internet links. Even if you have one encrypted peer and another not encrypted, PepVPN will still create an encrypted tunnel. Because PepVPN is easy to set up, no technical assistance is needed on-site.

SpeedFusion Hot Failover - Unbreakable VoIP and VPN

SpeedFusion Hot Failover is a premium add-on that manages multiple redundant connections to keep VPNs and VoIP deployments up and running at all times.

- Easy setup: Just add connections; you can even mix wired and wireless technologies.
- Unbreakable VoIP and VPN: With other VPN technologies, WAN failover terminates existing VPN connections, creating costly downtime. SpeedFusion Hot Failover prevents this by maintaining secure tunnels over all available WAN links. In case of a WAN failure, SpeedFusion Hot Failover will instantly and seamlessly switch traffic to another available tunnel. This creates unbreakable VPNs and VoIP sessions.

For scenarios that require uninterruptible connections (like Mobile Command, POS, ATM, and VoIP deployments), SpeedFusion Hot Failover provides an always-on VPN link that helps these applications run smoothly. The make-before-break mechanism is built into SpeedFusion Hot Failover VPN. This provides a transparent switch-over: if there is any link failover or link recovery, the user will not notice any interruptions. This cannot be accomplished with any other VPN solution in the market.


WAN Smoothing - Packet-level Quality Optimization

Using intelligent algorithms, the sending Peplink device builds and delivers special packets. Armed with these special packets, the receiving Peplink device can then reconstruct the lost packets to ensure that communication remains consistent. At the same time, WAN Smoothing will attempt to assign traffic to the WAN connection with the lowest latency. Thus, the latency of the SpeedFusion tunnel becomes the latency of the most responsive WAN connection.

Similar to Bandwidth Bonding, WAN Smoothing combines the bandwidth of the available WAN connections. The major difference is that WAN Smoothing prioritizes connection consistency (reduced packet loss) rather than increased connection speed.

- Consistent Broadcasting, VoIP, and Videoconference: WAN Smoothing is useful for deployments that are sensitive to latency and packet loss, such as VoIP calls, videoconferencing, and broadcasting, bringing significant improvement to the quality of the stream.


SpeedFusion Bonding - Packet-Level Bandwidth Bonding

Working hand-in-hand with Hot Failover and PepVPN, SpeedFusion Bonding builds a fat tunnel using all your connections, giving you blazing throughput whenever you need it.
- Multi-WAN bandwidth bonding: SpeedFusion Bonding combines multiple links from multiple providers into a single, superfast tunnel.
- VPN Bonding: SpeedFusion Bonding can create high speed VPNs by bonding multiple WAN links together.
- Unbreakable Session Hot Failover: SpeedFusion Bonding monitors connections and automatically turns control over to Hot Failover when links become unstable.
- Packet Level Bandwidth bonding: The packets of your session are distributed across all your available links.
- Layer 2 Tunneling: SpeedFusion operates on Layer 2, bonding your available links at the data link layer.
- Easy, on-demand scalability: Need more speed for mission-critical VPNs? How about temporary bandwidth for a specific project? With SpeedFusion Bonding, you can plug in connections from any provider and get more speed, whenever you need it.
- Instant Bandwidth Control: And you can unplug connections at any time, keeping your costs under control.

HQ-to-Branch, in-the-field news video streaming, high-speed public transport (e.g. train): all of these applications need high bandwidth and reliable links to push high volumes of data back to their HQ/Media Center/Control Center for processing. SpeedFusion Bonding is able to combine multiple Internet lines into one logical big pipe to carry the information over.


This table compares the features of IPSec, PepVPN, SpeedFusion Hot Failover, WAN Smoothing, and Bandwidth Bonding.
There are three levels of SpeedFusion VPN solution. With this three-tier structure, it's never been easier to migrate to SpeedFusion and see why customers around the world have replaced IPsec and other conventional VPN technologies.


We will now explore the application of SpeedFusion, with various case studies.
1) MPLS Replacement
2) Branch Network Connection
3) SpeedFusion 3G/4G Bonding
4) Video Transmission in the Air
5) Data Transmission over Water
6) Replace Expensive Satellite Connection
7) Mission Critical Video Surveillance
8) 100% Uptime for First Responders
9) Money Saving on Branch Network Connections
10) Flawless Connections in Remote Areas


Case Study - Town of Tonawanda. NY, USA.

MPLS Alternative
- Load balance between 50 Mbps MPLS FiOS and wireless PTP link
- 9 sites connected to central HQ
- Replaced with Peplink SpeedFusion bonded VPN

Winning Factors
- 92% savings
- 15x more bandwidth

"To date, my devices have been up and running continuously with no intervention for 114 days with zero issues." - Andrew W. Pudlak, IT Manager


Case Study - Dawlish Railway. UK.

Fast-Deploy Temporary Bandwidth
- Temporary network required for construction crew rebuilding severely storm-damaged railway line.
- SpeedFusion VPN using MAX HD products back to a Balance 710 at HQ.

Winning Factors
- 8x 3G lines, Unbreakable Cellular Bonding creates 25Mbps down and 12Mbps up bandwidth.
- Resilient to ISP outages.
- Secure transmission of sensitive data for the Prime Minister and Cabinet officials.

"The challenges of providing robust and reliable connectivity in an environment like Dawlish cannot be underestimated." - Jim Kernahan, co-founder of Peplink partner Trellisworks.


Case Study - Osborne Construction. UK.

Unbreakable Cellular Bonding for Anytime Anywhere Worksite Connectivity
- Deployed MAX HD2 LTE with SpeedFusion bonding at all 16 construction sites
- 3x Balance 1350; 2 in HA mode and 1 in separate data center for site resilience

Winning Factors
- Reliable network no matter where the construction is set up
- Reduced setup lead time from months to days
- Cost savings and predictable budgeting

"Previously we would need to install ADSL where possible but the lead times are unpredictable and could be anything from weeks to several months. These delays add significant frustration and cost to the project." - Phil Gilbey, Head of IT at Osborne.


Case Study - Harrington Industrial Plastics. USA.

MPLS Alternative
- 43x Balance 380s at branches, 2x Balance 1350s in High Availability mode at HQ.
- Replaced site-to-site MPLS links with SpeedFusion VPN.

Winning Factors
- Huge savings: USD 100,000 annually.
- Bandwidth: 4x increase from previous configuration.
- Rapid rollout: 43-branch solution designed and deployed in less than a year.

"Yesterday I discontinued our last 3 MPLS circuits." - Charles Miller, Systems Engineer


Case Study - Colégio Next. Itatiba, Brazil.

Apple Distinguished School. 500 iPads, Instant Concurrent Access To Educational Content
- 600 users, both students and teachers, use the network for teaching and learning
- Needed solution for network congestion caused by concurrent network use

Winning Factors
- Each AP 300M 5GHz handles 50+ users without issues
- MediaFast caching ensures lightning fast access to media-rich content

"The MediaFast and AP overcomes all our network problems. The speed difference in content retrieval is extremely impressive!" - Alberto Pamos, IT Director. Colégio Next.


Case Study - Mobile Mammography. LSU Health, USA.

Life-Saving Mammograms in Rural Louisiana
- 4x bonded cellular from multiple carriers, MAX HD2, HD4, BR1 and Balance 580
- Enables high bandwidth X-ray transfers, Unbreakable VoIP inside vehicle

Winning Factors
- Unbreakable cellular connection in rural area, transfer speed doubled
- Large three dimensional X-ray images take just minutes to upload over an established bandwidth of 22Mbps

"This solution allows us to send images from remote locations that typically have poor cellular coverage" - Dr. Jerry McLarty, LSU Health.


Case Study - A2SEA. Denmark.

SpeedFusion Bandwidth Bonding for Leading Offshore Wind Turbine Installation Vessels
- FusionHub at datacenter, 10x MAX HD4 for installation vessels and 4x BR1 LTE for crew ships
- MAX proves to be much more stable and performs well, replacing a popular brand to act as the ship's network gateway
- SpeedFusion combines all available bandwidth and keeps the vessels connected over Wi-Fi as WAN at the dock, cellular close to land and satellite out at sea.

Winning Factors
- Maintain connections at all times, all over the world.
- Is ridiculously stable.
- Highly cost-effective compared to other popular alternatives.

Module 2: Peplink and Pepwave Products Overview


Peplink is the leader in Internet load balancing and VPN bonding solutions. Peplink Balance Multi-WAN Routers have been deployed around the world, helping thousands of customers increase their bandwidth, enhance their Internet reliability, and reduce their costs. Our complete product line accommodates businesses of all sizes, providing an award-winning Internet experience for customers.


We offer five major categories of products:

1. Multi-WAN Router
2. Cellular Router
3. Caching Router
4. Virtual Appliance
5. Enterprise Access Point
6. Carrier Grade Access Point
7. SOHO Router
8. Cloud-Based Management
Peplink and Pepwave solutions cover different market segments, ranging from
SOHO, Mobile Office, Small Office, Branch Office, Regional Office, and HQ-level
Data Centers.


Target Market Segments for Balance Products

1) Power User and Home User
- Balance 20, 30, Balance One
- 2 to 3 WAN interfaces, with 1 USB for Mobile Internet dongle
- 25 max users recommended

2) Small Business
- Balance 210 & 310
- 2 to 3 WAN interfaces, with 1 USB for Mobile Internet dongle
- 50 max users recommended
- Comes with SpeedFusion Bonding, up to 2 SpeedFusion peers max

3) Mid-Size Business
- Balance 305, 380 & 580
- 19-inch rack-mount form factor
- Recommended for up to 500 users max for 305 & 380, while 580 can support up to 1,000 users max
- Model 305 (with separate license) & 380 support 20 SF peers max, while 580 supports 50 SF peers max
- Can act as WLAN Controller by default, supporting 10 Access Points by default
- Can manage up to 50 (Model 305 & 380) and 100 (Model 580) APs with separate license purchased

4) Large Enterprise
- Balance 710 & 1350
- 19-inch rack-mount form factor
- 710 can support 2,000 users max while 1350 can support up to 5,000 users max
- Model 710 supports 300 SF peers max, while 1350 supports 800 SF peers max
- Can act as WLAN Controller by default, supporting 20 Access Points by default
- Can manage up to 250 (Model 710) and 500 (Model 1350) APs with separate license purchased

Please refer to http://www.peplink.com/products/balance/model-comparison/ for the latest technical specifications of Balance Multi-WAN routers. Alternatively, you can also refer to the Balance product datasheet for similar information, e.g. Capacity, Core Functionality, VPN Functionality, PPTP VPN Server, Number of SpeedFusion and IPSec Tunnel, WLAN Controller Functionality, Access Point Configuration, Advanced QoS Functionality, Hardware, etc.

Peplink Balance model VPN Functionality comparison chart.


NOTE:
- Specifications shown are based on firmware version 6.2.2
- When the Peplink Balance is configured as a PPTP Remote VPN server, it can support local
user authentication in addition to using RADIUS and LDAP servers.
- The Peplink Balance only supports site-to-site IPSec VPN.
- Please refer to http://www.peplink.com/products/balance/model-comparison/ for the latest technical specifications. Alternatively, you can also refer to the Balance product datasheet for similar information, e.g. Capacity, Core Functionality, VPN Functionality, PPTP VPN Server, Number of SpeedFusion and IPSec Tunnel, WLAN Controller Functionality, Access Point Configuration, Advanced QoS Functionality, Hardware, etc.


Internet Load Balancing


By balancing Internet traffic over active links, Peplink Balance gives you extra reliability. Peplink
gives you seven Load Balancing Algorithms to fine-tune your network traffic.
The following types of Outbound Traffic Rules are available:
A. Weighted Balance
B. Persistence
C. Enforced
D. Priority
E. Overflow
F. Least Used
G. Lowest Latency

Inbound Load Balancing


Inbound Load Balancing distributes inbound data traffic over multiple WAN links to computers
behind Peplink Balance. Peplink Balance 210, 310, 380, 390, 580, 710, and 1350 have a built-in
DNS server that enables this functionality.
Authoritative DNS functionality is not available on Peplink Balance 20 and 30.
Inbound Load Balancing is configured via both of the following:
- DNS records configured within Peplink Balance
- External DNS records at an Authoritative DNS Server


Site-to-Site VPN Bonding in Mesh Scenario


- All offices are connected to each other
- Highly reliable network with bonded links and encrypted traffic
- Communication between offices has never been faster
- All offices deployed with Balance 380 model


Site-to-Site VPN Bonding in Star Scenario


- Headquarters serves as the central site
- Bonded VPN for reliable and uninterrupted VPN services
- Fast and convenient way to securely transfer data to transaction server
- HQ installed with Balance 1350
- Supermarket POS deployed with Balance 380
- ATM in subway station equipped with Balance 210
- Shopping mall POS will need Balance 310
- ATM in branch can be installed with MAX Mobile Router


For existing Balance customers who wish to implement a WLAN solution, Peplink can help save significant money and effort. From the model 305, 580 and onwards, the Balance comes with built-in AP management. This makes deploying Pepwave APs much easier and more affordable.
In this example, the Balance Multi-WAN router can serve three roles: it is a WAN load balancer, a Wireless LAN Controller, and when needed, a site-to-site VPN termination point as well.


1) MAX Transit
- Has cellular connectivity and 11ac Wi-Fi.
- Specially built for Transportation Hotspot deployments.
- Multi-cellular router with optional SpeedFusion.
- Can be mounted on DIN Rail Mount
2) MAX 700
- 802.11 ac/a/b/g/n Wi-Fi Hotspot
- Rugged metal case is suitable for industrial-grade usage
- Supports up to 7 WAN links (2 Wired, 4 USB, 1 WiFi)
- Built with terminal block for reliable power sourcing, and a rugged 10V-32V DC power supply deployable in mobile vehicles
- Ideal for in-the-field media streaming and live broadcasting deployments that require more bandwidth
3) MAX On-The-Go
- Supports 4x USB modems
- 802.11 a/b/g/n Wi-Fi Hotspot
- This product is suitable for mobile offices that reside in rural areas without access to cable internet
- Upgradable to SpeedFusion WAN Smoothing
4) MAX Adaptor
- Houses 1x USB modem within an enclosure, dongle is hidden for a cleaner appearance.
MAX Routers power redundancy
For models which come with dual power sources (DC Jack & Terminal Block), the second source serves as input power redundancy. If either power source is interrupted while the other is active, the MAX router will continue to operate without being affected by the power disruption.
*Please note that a redundant SIM does not equal two cellular modems. That is, only one SIM can be active at any time; you will not be able to get better throughput or load balancing by filling both SIM slots.


1) MAX BR1
- Rugged metal case suitable for industrial-grade usage
- 802.11 g/n Wi-Fi AP
- Comes in 2 SKUs, with 3G WAN and 4G-LTE modems built in
- Supports a redundant SIM with dual SIM slots, providing failover functionality between them.*
- Built with terminal block for reliable power sourcing, and a rugged 10V-32V DC power supply to be deployed in mobile vehicles
2) MAX BR2 / BR4
- Affordable multi-cellular routers for situations where bandwidth bonding is not required
- 802.11 g/n Wi-Fi AP
- Equipped with Fast Ethernet WAN ports
3) BR1 IP55 / BR2 IP55
- Rated for outdoor deployments
- 802.11 g/n Wi-Fi AP
- Supports Passive PoE Input
4) BR1 Slim
- Ruggedized Mi-Fi Hotspot
- 802.11 g/n Wi-Fi AP
- Powered by dual redundant USB power banks for uninterrupted power supply
- Can be mounted on DIN Rail mount
5) BR1 ENT
- Suitable for failover between fiber connections and LTE
- High throughput (200Mbps)
- GbE LAN and WAN Ports
- Absence of Wi-Fi meets stringent government and enterprise security requirements
6) BR1 Pro
- One-device solution for branch office connectivity
- GbE WAN Port, and 4x GbE LAN Ports
- 802.11a/n or 802.11b/g/n Wi-Fi


1) MAX HD2
- Rugged metal case is suitable for industrial-grade usage
- Comes in 2 variants: built-in 3G and built-in 4G-LTE modems
- Supports up to 6 WAN links (2 Wired, 2 Cellular, 1 USB, 1 WiFi)
- Built with terminal block for reliable power sourcing, and a rugged 10V-32V DC power supply deployable in mobile vehicles
- Ideal for in-the-field media streaming and live broadcasting deployments that require more bandwidth
- If GPS is enabled, both SMA antenna ports (or either) can be used to locate GPS signal and position
- The MAX HD2 automatically stores up to seven days of GPS location data in GPS eXchange format (GPX). The data can be reviewed using third-party applications by downloading the GPX file.
2) MAX HD2 IP67
- IP67 waterproof enclosure ideal for outdoor applications
- 2x embedded cellular modems, each with redundant SIM slots, securely installed inside the unit
- Comes in 2 variants, with 3G and 4G-LTE modems built in, with options of Verizon and AT&T, AT&T/Telcel/Rogers, and Worldwide carrier
- Uses a 10V-30V DC power supply
- Ideal for machine-to-machine communication, surveillance, military and other mission-critical outdoor applications; the MAX HD2 IP67 is as comfortable on a construction site, oil platform, disaster scene, or factory floor as it is on a battlefield
3) MAX HD2 Mini
- Suitable for demanding vehicular applications and high-throughput enterprise failover; treat it as a higher-end BR1 ENT.
- Same high-throughput and dual-cellular performance of the HD2 in a smaller, ruggedized form factor
- Terminal block enables RS-232 serial communications
- Capable of 802.3af PoE output, making it good for remote deployments.
- Absence of Wi-Fi meets stringent government and enterprise security requirements
4) MAX HD4
- Suitable for mobile command, disaster recovery, and situations where you absolutely must stay connected.
- Our most powerful cellular router yet. 4x cellular modems, 8x SIM cards for ultimate throughput
- Supports dual redundant power supply for increased operational resilience
- Connect 802.3af PoE on up to 8 GbE LAN ports.

MAX Router Deployment Scenarios

SpeedFusion Bonding
- Deploy multiple low cost 3G connections
- Save money, enjoy higher bandwidth, avoid dead spots
- Seamless failover ensures reliable video stream from mobile sites to HQ
Hot Failover
- Everywhere LTE
- Ensures optimal performance by choosing the carrier with the best signal
- Saves money by using only one carrier at a time
- Hot failover ensures flawless video stream from mobile sites to HQ
GPS Fleet Tracking
- Homeland security
- Monitor and coordinate fleet vehicles wherever they may be
- Hot failover ensures flawless video stream from mobile sites to HQ
- On the HD2 platform only, you can log GPS data in GPX file format for up to 7 days, and export it at a later date for future review.


MediaFast caching downloads content just once, and delivers it as many times as needed without incurring additional bandwidth.
This is particularly useful for eLearning, where you have a large number of tablets pulling the same content. This is also useful for events and conferences where attendees will often draw from similar content.
1) MediaFast 200
- 2x GbE WAN Ports, 8x GbE LAN Ports
- Capable of delivering 802.3af PoE Output
- Simultaneous Dual-Band 802.11a/b/g/n AP
- 120GB SSD
2) MediaFast 500
- 5x GbE WAN ports, 3x GbE LAN ports
- 240GB SSD
3) MAX HD2 / HD4 with MediaFast
- 2x / 4x embedded cellular modems, making it useful for remote areas with limited wired Internet access.
- Capable of delivering 802.3af PoE Output
- 802.11a/n or b/g/n as WAN, 802.11a/n or b/g/n as AP
- 120GB SSD


With MediaFast, you can download content just once and deliver on-demand,
uninterrupted content anywhere at blazing speed. Cache iTunes/iTunes U and
other content manually or automatically by domain and file type. Keep content as
long as you like or purge it automatically by file type and age.


Features At A Glance
Network
- Bridge Mode, Router (NAT) Mode, Wireless Distribution System (WDS), Support for PPPoE, Static IP, DHCP, Management VLAN (802.1p), Spanning Tree Protocol (802.1d)
- Supports up to 16 configured wireless network SSIDs, and can broadcast up to 4 SSIDs concurrently
- Per SSID: VLAN with QoS (802.1p/802.1q), Bandwidth Control, MAC Address Filtering, Layer 2 Client Isolation, Limit on Max. Number of Clients
- Per Client: VLAN with RADIUS, VLAN with VLAN Pool, Bandwidth Control, Multicast Filter, IGMP Snooping/Multicast Enhancement
- AP Security: Open, WEP, 802.1x with Dynamic WEP, WPA-PSK/RADIUS, WPA2-PSK/RADIUS
- Captive Portal Support: Supports external captive portal, or Social Wi-Fi with Facebook login.
1) AP One AC Mini

3) AP One In-Wall
-

802.11 a/b/g/n, 2x2 MIMO Wi-Fi

2.4GHz Throughput: 300Mbps

5GHz Throughput: 300Mbps

Simultaneous 2.4GHz and 5GHz

4) AP One Flex 300M


-

802.11 b/g/n, 2x2 MIMO Wi-Fi

2.4GHz Throughput: 300Mbps

5) AP Pro 300M
-

802.11 a/n or b/g/n, 2x2 MIMO Wi-Fi

2.4GHz Throughput: 300Mbps OR

5GHz Throughput: 300Mbps

Simultaneous 2.4GHz and 5GHz

802.11 ac/a/b/g/n, 2x2 MIMO Wi-Fi

2.4GHz Throughput: 300Mbps

6) AP One 300M

5GHz Throughput: 866Mbps

802.11 a/b/g/n, 2x2 MIMO Wi-Fi

2.4GHz Throughput: 300Mbps OR

5GHz Throughput: 300Mbps

Simultaneous 2.4GHz and 5GHz

2) AP One Enterprise
-

802.11 ac/a/b/g/n, 3x3 MIMO Wi-Fi

2.4GHz Throughput: 450Mbps

5GHz Throughput: 1300Mbps

Simultaneous 2.4GHz and 5GHz


Pepwave AP One access points offer fast, affordable, and dependable wireless
networking without administration headaches. Ready for anything and built to go
anywhere, AP One access points deliver enterprise-grade Wi-Fi that drops in
quickly and immediately gets to work -- so you can get back to your work.
Minimize Wi-Fi management hassles with the AP One series and the Peplink Balance with AP Controller. Fully integrated with the Peplink Balance, our AP Controller makes it easy to configure, manage, update, and report on up to 500 AP One devices from a single intuitive interface. Prefer the flexibility of cloud-based administration? Our InControl remote management system gives you complete control over every device on your network and in-depth reporting with just a few clicks, all from a simple, yet powerful, web-based tool that's available anywhere you have online access and a supported browser.
- Professional Hotspots: Coupled with the Balance AP Controller (or InControl cloud management) feature, the AP One and AP One X can be deployed effectively as a professional hotspot solution. No expensive controllers required.
- Wireless Mobility: Pepwave wireless solutions make wireless application in high speed environments a budget friendly reality.
- Service Provider Wi-Fi: The AP One can help you deploy a carrier-grade wireless solution; install many for citywide Wi-Fi CPEs.
- Industrial Networking: The AP One series allows IP devices to stay connected wirelessly over long distances. It provides reliable wireless for data devices.


The Pepwave Surf SOHO is a professional-grade Wi-Fi router designed for home
office, small business, and power users. With its support for 4G LTE/3G, cable,
DSL, and other broadband connections, the Surf SOHO makes it possible to
deploy fast and secure 802.11abgn Wi-Fi hotspots anywhere.
The Surf SOHO also features a built-in long-range antenna, optional external
antennas, business-class VPN, cellular usage monitoring, and URL blocking. This
makes it an ideal networking solution for a wide range of mobile and office uses.


Unlimited Wi-Fi. Anytime, Anywhere Connectivity for Every Device.


Pepwave Surf combines enterprise-level performance and features with
outstanding durability and versatility. The Surf Pro, our carrier-grade outdoor
client solution, is ruggedized and features a high-gain, extended-range antenna,
making it ideal for video surveillance, traffic signal control, meter reading, and
other outdoor applications.
For indoor wired/wireless connectivity, there's our Surf On-The-Go, the ultimate
travel router. The Surf On-The-Go's Wi-Fi radio lets you connect an unlimited
number of wireless devices at once. A built-in Ethernet port ensures that no printer,
scanner, or other wired device gets left behind, and multiple connection profiles
make device management a snap.
4 Operating Modes
- 4G/3G USB Wi-Fi Router
- Cable / DSL / Ethernet Wi-Fi Router
- Wi-Fi Repeater
- Wi-Fi Adapter for Wired Devices
3 WAN Modes
- WiFi WAN
- USB Cellular WAN
- Wired WAN


1) FusionHub
- Install onto private and public clouds to grant the ability to form
SpeedFusion connections.
- Amazon Web Services, VMware, Citrix XenServer, Oracle VirtualBox,
and Microsoft Hyper-V.
- Can be used to provide Bandwidth Bonded VPN as a service and
enable more reliable access to cloud-based applications.
2) InControl 2
- Peplink's cloud-based device and VPN management platform.
- Works with Balance, MAX, AP One, and FusionHub.
- Form mesh, star, and point-to-point PepVPN topologies.
- Configure Social Wi-Fi with Facebook login and view insightful
client usage reports.
- Track all your GPS enabled routers and view route histories with
InControl fleet tracking.
3) InControl 2 Appliance
- Privately hosted version of InControl 2
- Can be hosted as a physical appliance, cloud compatibility in
development.
4) Router Utility
- Monitor your entire network on your mobile, receive push notifications for
important network events.
- Compatible with iOS and Android


The above diagram represents a classic use of FusionHub. The Balance 310s
and MAX HD2s at the remote site connect using Bandwidth-bonded VPN to
headquarters. At headquarters, you can install a Balance device to receive the
SpeedFusion traffic. Alternatively, if you want to use your existing infrastructure,
you can install FusionHub instead. One key advantage of FusionHub is that there
is no need to install additional physical devices, potentially bypassing lengthy
approval processes that could plague physical device installations.


InControl 2 is our cloud-based device management, monitoring, and reporting tool
designed specifically for Peplink and Pepwave devices. It is accessible from any
web browser. Any of our devices can now be registered for InControl 2.
With InControl 2, you get advanced administration tools, unprecedented device
visibility, and comprehensive reporting.


1) Social Wi-Fi with Facebook Login
- Easy Portal Customization: Enter your Facebook profile, and InControl will customize your portal.
- Set Time and Bandwidth Limits: Determine how many minutes and how much data each user can use on your Wi-Fi.
- Multilingual Support: Enter text in a different language, then enable your guests to choose their language.
- Portal Page Customization: Specify which text and images to use for each design element.

2) GPS Fleet Tracking
- Easily find any device using interactive maps. Point and click to see device details, such as cellular signal strength
and number of clients.
- Track location over the past 24 hours or review any 24-hour period. Play back route histories in real-time or at high
speed to see exactly where a vehicle was at any point.
- Use the color-coded tracking feature to monitor real-time vehicle speed. Drill down through tracking history data to
spot speed patterns.

3) SpeedFusion Management
- Fully Automated SpeedFusion VPN Configuration and Deployment
- Manage SpeedFusion settings from a central location
- Get live SpeedFusion status information
- Monitor bandwidth across site-to-site VPN links
- Push SpeedFusion changes to devices immediately


Router Utility - Peplink Mobile Application

The RU (Router Utility) helps to monitor and control all your Balance and MAX routers* from any iOS or Android device.
Ready when you are, wherever you are, the Router Utility app gives you instant insight into device status, events,
bandwidth usage, and more. With full support for push notifications, you'll know immediately whenever there's an
important status change or performance issue, helping you to keep small glitches from becoming major problems.

Keep Traffic Moving with Anywhere, Anytime Green Light Checks.
Check the status of all your Balance and MAX routers with the Router Utility's dashboard and traffic light
indicators. With just a quick glance, you get the peace of mind of knowing that your network's healthy. And if there is a
problem, it's easy to drill down and inspect SpeedFusion VPN parameters, bandwidth statistics, CPU load, and more
from any iOS or Android device.

Monitor and Control from the Palm of Your Hand.
Check Device Status - Monitor WAN Status, External IP Addresses, and SpeedFusion VPN Links.
Inspect Event Logs - Keep an eye on router event logs using any iOS or Android device.
View Bandwidth Statistics - Get up-to-the-minute insight on bandwidth usage and throughput across your WAN.

Maximum Mobile Control at Your Fingertips.
Our Router Utility gives you new ways to monitor and control your MAX mobile router anywhere you can use your
device.
See How You're Connected - Just check the Router Utility's dashboard on your device to instantly see which SIM and
cellular provider your MAX mobile router is using.
Adjust Connection Priorities on the Fly - Simply tap and swipe to connect your MAX to a Wi-Fi hotspot or change 4G
LTE/3G connection priorities.
Automatic Cellular WAN Status and SpeedFusion Alerts - Keep tabs on cellular WAN and SpeedFusion status with
push notifications on your iOS or Android device.


Module 3: Balance and MAX Routers


This module will examine different real-life deployment scenarios, and describe
how to configure the routers to achieve the desired result.


Physical hardware layout and control panel for the Balance high-end model.
Below are some of the frequently used functions in Control Panel Navigation (based on the Balance 380 model):
HA State: Master/Slave
> LAN IP
> VIP
System Status
> System
-> Firmware ver. (shows firmware version)
-> Serial number (shows serial number)
-> CPU load (shows current CPU loading, 0-100%)
-> LAN
---> Status (shows LAN port physical status)
---> IP address (shows LAN IP address)
---> Subnet mask (shows LAN subnet mask)
> Link status (shows Connected/Disconnected, IP address list)
-> WAN1
-> WAN2
-> WAN3
> Link usage
-> Throughput in (shows transfer rate in Kbps)
---> WAN1
---> WAN2
---> WAN3
-> Throughput out (shows transfer rate in Kbps)
---> WAN1
---> WAN2
---> WAN3
Maintenance
> Reboot > Reboot? (Yes/No) (to reboot the unit)
> Reset Admin Password? (Yes/No)
> Factory default > Factory default? (Yes/No) (to restore factory defaults)
> Remote Assistance
NOTE:
For models below the 310, there is no feature to reset the admin password through the Control Panel; it is only available on models
from 310 and above.
Please refer to the user manual, Chapter 6 Peplink Balance Overview, for details of each model's physical layout, LED
indicators, LCD Panel and Control (applicable to 310 and above), and Unit Label Appearance.


Out of the box, the Peplink Balance comes with the following default settings:
IP: 192.168.1.1/24
Username: admin
Password: admin
LAN DHCP: Enabled
DHCP IP Range: 192.168.1.10 - 192.168.1.250
In the diagram above, the switch is optional for connecting to the Peplink Balance. You
can plug the UTP cable directly from the PC/Notebook into the Balance LAN port for the
same purpose.


After entering the parameters correctly, you will be able to log in to the Web
Admin page.
The Dashboard provides an overview of several key parameters:
- WAN interfaces connectivity status
- LAN interface connectivity status
- System Uptime
- System CPU Load, in %
- Device Throughput, in Mbps


On the Status page, there are a few items to take note of:
- Router Name
- Model
- Hardware Revision
- Serial Number
- Firmware
Diagnostic Report Download
You can download a copy of the diagnostic report for your reference on the
Status page.
Bandwidth Statistic Display
On the Status page, you can view the following information:
- Which users consumed the most traffic
- Which user is running the largest number of sessions
- Which user is running active BitTorrent traffic
- Who is currently consuming the most bandwidth on each individual WAN


Understanding Peplink Site-to-Site VPN


The proprietary Site-to-Site VPN of the Peplink Balance (a.k.a. VPN Bonding) is
specifically designed for a multi-WAN environment. The Peplink Balance can
aggregate the bandwidth of all WAN connections available for routing VPN
traffic. Unless all the WAN connections of one site are down, the Peplink
Balance can still keep the VPN up and running.
- Peplink Site-to-Site VPN encrypts traffic with the military-grade 256-bit AES
algorithm.
- Site-to-Site VPN is available with the Peplink Balance 210, 310, 380, 580, 710,
and 1350.
- The Peplink Balance 380/580/710/1350 supports multiple Site-to-Site VPN
connections among twenty or more locations, and is designed for
Headquarters/Regional Offices.
- The Peplink Balance 210/310 supports two Site-to-Site VPN connections; ideal
for Branch Offices.
- Site-to-Site VPN connections can be established for all Dynamic IP/Static IP
scenarios. Please refer to the Requirement section for more information.
Being able to establish multiple VPN connections provides variety and flexibility
in deploying your network. You may choose to create a network in
a Mesh or Star topology, or you may even combine the two setups to create a
more complex network.


System Requirement for Site-to-Site VPN Configuration

When configuring a VPN connection, there are two aspects to consider:
- Whether the WAN connection has a Dynamic IP or Static IP.
- Whether the Peplink Balance unit has a Public IP or is behind NAT.
This creates four possible WAN types that you can use to establish the VPN connection. The Peplink Balance
supports all four types. However, to establish a VPN connection using Dynamic IP WAN
connections, you have to configure at least one Dynamic DNS.
- WAN has Dynamic IP and the Peplink Balance has a Public IP.
- WAN has Static IP and the Peplink Balance has a Public IP.
- WAN has Dynamic IP and the Peplink Balance is behind NAT.
- WAN has Static IP and the Peplink Balance is behind NAT.
The table above illustrates the system requirement for configuring a Peplink Site-to-Site VPN
connection.
For users who have placed a firewall in front of the Balance:
In Firmware 5.1.x, the Peplink proprietary Site-to-Site VPN used TCP port 32015, IP Protocol 47,
and IP Protocol 99 for establishing VPN connections. If you have a firewall in front of the Peplink
Balance devices, you will need to add firewall rules for these ports and protocols so that
inbound and outbound VPN traffic can pass through the firewall.
In Firmware 5.4.x, by default SpeedFusion uses TCP port 32015 and UDP port 4500 for
establishing VPN connections and transmitting data. However, you can change the Data Port
assignment in your SpeedFusion profile to another value.
Another point to note: if both sides of the SpeedFusion VPN have the same LAN subnet, the
SpeedFusion tunnel cannot be established, just as with any other third-party VPN technology.


SpeedFusion Configuration Guidelines


When configuring a SpeedFusion VPN connection, there are a few items to be aware of:
LAN Subnet - Avoid having the same LAN subnet on both ends of the SpeedFusion tunnel, as this
will prevent the tunnel from establishing a successful connection. Try changing the LAN subnet
on either side to a different IP address range. Placing a NAT device can be considered as well.

WAN Connection Priority - You can specify the priority of the WAN connections to be used
in making VPN bonding connections. A WAN connection will never be used when OFF is
selected. Only available WAN connections with the highest priority will be utilized. Grouping
WAN connections with similar characteristics, such as latency and packet loss, into the same
priority can help bonding performance.

SpeedFusion Bonding Efficiency - To establish a reliable SpeedFusion Bonding VPN,
there are a few parameters that need to be considered, e.g. good cellular signal strength, a low latency
WAN, and low packet loss and buffer bloat at the ISP will help to build an effective bonding VPN
tunnel.

Cellular Bandwidth Availability - It is always good to subscribe to two different ISPs/carriers
when you want to establish SpeedFusion 3G/4G Bonding with a MAX router. For example,
when all modems connect to the same cell (RF tower), total bandwidth is limited by the cell tower
backhaul's bandwidth. If the modems connect to different cells (RF towers) from different
carriers, theoretically this can provide double the bandwidth compared to one ISP.
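
A pre-deployment check for two requirements stated above (the firewall openings listed for firmware 5.1.x and 5.4.x, and different LAN subnets at the two ends of a tunnel), added here as an example and not part of the Peplink material. The site names, the allow-list format and the function names are assumptions, and treating any overlapping prefix (not only an identical subnet) as a conflict is a generalization of the guideline.

```python
"""Pre-flight check for a SpeedFusion/PepVPN rollout (illustrative example)."""
import ipaddress
from itertools import combinations

# Openings the training material lists for a firewall in front of the Balance.
# "data_port" stands for the profile's Data Port (UDP 4500 by default in 5.4.x).
REQUIRED = {
    "5.1": [("tcp", 32015), ("ipproto", 47), ("ipproto", 99)],
    "5.4": [("tcp", 32015), ("udp", "data_port")],
}


def required_openings(firmware, data_port=4500):
    """Return the (kind, number) pairs to permit for a firmware such as '5.4.x'."""
    branch = ".".join(firmware.split(".")[:2])
    if branch not in REQUIRED:
        raise ValueError(f"no firewall requirement listed for firmware {firmware}")
    return [(kind, data_port if num == "data_port" else num)
            for kind, num in REQUIRED[branch]]


def missing_openings(allowed, firmware, data_port=4500):
    """Compare a firewall allow-list (hypothetical format) with what is required."""
    allowed = set(allowed)
    return [r for r in required_openings(firmware, data_port) if r not in allowed]


def lan_conflicts(sites, tunnels=None):
    """Find overlapping LAN subnets between tunnel endpoints.

    sites:   {site_name: [cidr, ...]}; interface notation such as
             '192.168.1.1/24' is accepted and reduced to its network.
    tunnels: optional list of (site_a, site_b); default is every pair (mesh).
    """
    nets = {name: [ipaddress.ip_interface(c).network for c in cidrs]
            for name, cidrs in sites.items()}
    pairs = tunnels if tunnels is not None else combinations(sorted(nets), 2)
    conflicts = []
    for a, b in pairs:
        for na in nets[a]:
            for nb in nets[b]:
                if na.version == nb.version and na.overlaps(nb):
                    conflicts.append((a, str(na), b, str(nb)))
    return conflicts


# Constructed sample topology. Remote-B still uses the factory-default LAN
# address (192.168.1.1/24), so it collides with Remote-C; Remote-D sits inside
# the HQ 10.0.0.0/8 range.
SAMPLE_SITES = {
    "HQ": ["10.0.0.0/8"],
    "Remote-A": ["192.168.0.0/24"],
    "Remote-B": ["192.168.1.1/24"],
    "Remote-C": ["192.168.1.0/24"],
    "Remote-D": ["10.20.0.0/16"],
}

if __name__ == "__main__":
    for a, na, b, nb in lan_conflicts(SAMPLE_SITES):
        print(f"LAN conflict: {a} {na} overlaps {b} {nb}")
    # Constructed allow-list of an upstream firewall that only permits TCP 32015.
    for kind, num in missing_openings([("tcp", 32015)], "5.4.x"):
        print(f"firewall is missing: {kind} {num}")
```

Passing `tunnels=[("HQ", "Remote-A")]` restricts the check to the endpoints of the tunnels that are actually configured, which suits a star topology.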

Important Note to Users Upgrading to Firmware 5.4

For Bandwidth Bonding SpeedFusion™ in firmware 5.4, the same firmware
version is recommended for all devices in the VPN network. The feature is backwards compatible with firmware
versions 5.3 & 5.2.


With our new three-tier structure, it's never been easier to migrate to
SpeedFusion. Once you use it, you will see why customers around the world
have replaced IPsec and other conventional VPN technologies.
Note:
1) With other VPN technologies, WAN failover terminates existing VPN
connections, creating costly downtime. SpeedFusion Hot Failover is completely
automatic and invisible, so you won't miss a beat when switching between
connections.


Possibly the World's Easiest VPN.

PepVPN is our core VPN engine. It is ideal for establishing a secure tunnel over
any WAN link. On top of all the benefits of IPsec and other conventional VPN
technologies, the PepVPN engine also offers:
Long-distance Ethernet cable - With PepVPN, you can build a secure and
seamless Ethernet tunnel over any IP connection (Layer 2 over Layer 3). It
virtually provides a long-distance Ethernet cable over any WAN link.
Seamless transition - PepVPN and SpeedFusion share the same core VPN
engine. This means all your PepVPN and SpeedFusion devices will work flawlessly
together. It also allows you to easily upgrade a PepVPN endpoint to SpeedFusion,
taking advantage of the added benefits without having to worry about
compatibility.
Works in any dynamic IP environment - PepVPN is fully compatible with any
dynamic IP environment and NAT, allowing you to establish a VPN behind a NAT
gateway or firewall without worrying about static IP addresses.
Requirement:
The portrayed scenario shows a typical remote-to-HQ VPN connection, where SpeedFusion
PepVPN allows site-to-site VPN connections with auto-failover capability. WiFi WAN is the primary
link for the VPN; when WiFi WAN goes down, WAN 5 (Wired WAN) will take over the VPN connection
automatically. This change is transparent to users.


To create a SpeedFusion VPN tunnel, follow the steps below:

1) Go to Network > SpeedFusion. If this is the first time a SpeedFusion VPN is created,
a SpeedFusion window appears and asks for a Local ID.
2) Enter a Local ID. The remote VPN peer will use this ID to identify this unit during VPN
establishment.
3) Click the Save button, then click the New Profile button to proceed.
The above steps apply to both remote and HQ Balance router configurations.
Pre-configuration Note:
If both sides are running on a Dynamic Public IP, then at least one WAN port of one of the two Balance
routers must subscribe to a Dynamic DNS service and use the assigned domain name as the
Remote IP Addresses / Host Name in the VPN Profile section.


Shown above are the VPN profiles at both the HQ and Remote sites.

HQ VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name. This name should be the
same for both sides, e.g. MY-MOTG.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite side.
3) At the WAN Connection Priority window, choose the WAN links that should be included in
the SpeedFusion VPN tunnel; in this case WAN 1 & 2 are bonded together.
4) Save and apply the changes.

Remote Site VPN Profile

1) At the VPN Profile window, enter a meaningful word for the Name. This name should be the
same for both sides, e.g. MY-MOTG.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite side.
3) For the remote site, you need to enter at least one Public IP (or DNS/DDNS) of the HQ router
WAN link. If HQ has multiple WAN links with static Public IPs, you can key in all the IPs.
4) Choose the WAN links that should be included in the PepVPN tunnel. Since this is PepVPN,
it only supports normal failover. WiFi WAN is set to Priority 1, while WAN 5 is Priority 2.
5) Save and apply the changes.
Note:
It is important to ensure the Remote ID is entered correctly (either by router ID or Serial Number);
otherwise the SpeedFusion tunnel cannot be established. Error messages
similar to "Refused connection made from unknown peer (foobar)" or "Refused connection
made from unknown peer (XXXX-1234-ABCD)" indicate that a wrong ID/Serial No. was entered at
either or both routers.
If Encryption is accidentally turned off on one of the routers, the VPN tunnel will still be
encrypted in both directions, as the other router will trigger encryption to be turned on at both ends.


Once the VPN profile has been created on both sides, and if the WAN links are
up, the routers will automatically initiate the VPN connection. If all the parameters
are correct, it will take only a few minutes.
As shown in the screenshots, at the Dashboard page, the status of the VPN
connection will change to "Established", indicating a successful VPN connection.


To verify which links are participating in the VPN connection, you can click on the
Status button in the SpeedFusion or PepVPN section as shown in the screen
capture.
It also lists the network(s) learned from the other side via the built-in routing
protocol. HQ will see the 192.168.0.0/24 network from the Remote router, and
Remote will learn the 10.0.0.0/8 network from the HQ side.
In our screencaps, the HQ side router is using WAN 1 for the VPN connection,
while the remote site is using WiFi WAN as the VPN link.


To ensure the end-to-end connectivity is up, a PING test to a host on the other side
(LAN IP) should receive a response as shown above.
Ping Test:
1) HQ side ping to Remote LAN IP: 192.168.0.11
Passed or Failed
2) Remote side ping to HQ LAN IP: 10.0.0.10
Passed or Failed


With PepVPN, the failover process is carried out automatically.


Failover Test:
1) Unplug WAN 1 at HQ, and/or
2) Disconnect the WiFi WAN at Remote
3) Observe the changes to the routers

Failover Test Result:


1) HQ side WAN 2 will take over, maintaining the VPN connectivity
2) Remote site WAN 5 will resume the VPN link

Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
Passed or Failed


SpeedFusion Hot Failover - Unbreakable VoIP and VPN.

SpeedFusion Hot Failover is a premium add-on that manages multiple
redundant connections to keep VPNs and VoIP deployments up and running at
all times.
Easy setup - Just add connections; you can even mix wired and wireless links
of different WAN technologies.
Unbreakable VoIP and VPN - With other VPN technologies, WAN failover
terminates existing VPN connections, creating costly downtime. SpeedFusion
Hot Failover prevents this by maintaining secure tunnels over all available WAN
links. In case of a WAN failure, SpeedFusion Hot Failover will instantly and
seamlessly switch traffic to another available tunnel. This provides unbreakable
VPNs and VoIP sessions.
Requirement:
A customer with branch-to-HQ connections often runs delay-sensitive applications like VoIP, and so
needs fast-failover VPN connectivity to ensure the VoIP session is not interrupted if any of the
WAN links break. The following set-up will fulfill this requirement:
- A MAX BR1 installed at branch level with Wired and WiFi WAN,
- A Balance 380 deployed in HQ with 2 wired WAN (e.g. Metro-e) with a static Public IP assigned at
each WAN link.


The user interface is the same across the MAX router series. Assuming we are taking
the same HQ setup as in the previous example, the VPN profile creation process is the
same except that the name is changed to MY-MaxBR1. Here are the steps to create a
VPN profile on the MAX BR1.
At the MAX BR1 router, go to Advanced > SpeedFusion to create the VPN
profile.
VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name. This name
should be the same for both sides, e.g. MY-MaxBR1.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite
side.
3) For the remote site, you need to enter at least one Public IP (or DNS/DDNS) of the
HQ router WAN link. If HQ has multiple WAN links with static Public IPs, you
can key in all the IPs.
4) The MAX BR1 WAN link supports Hot-Failover, so the SpeedFusion VPN will
follow the state of the WAN link in order to maintain the VPN link (e.g. if WAN
1 is active and WAN 2 is standby, the SpeedFusion VPN will use WAN 1 as the
primary link to forward VPN traffic, while keeping WAN 2 in hot standby mode).
5) Save and apply the changes.


Once the VPN profile is created on both sides, and if the WAN links are up, the
routers will start negotiating the VPN connection. If all the parameters are correct, the
VPN will come up in minutes.
As shown in the screenshots, on the Dashboard page, the status of the VPN
connection will change to Established, indicating a successful VPN connection.
Failover Test:
1) Before starting the test, at the Remote site, launch the command prompt
window and conduct a continuous ping to HQ LAN IP (10.0.0.10)
2) Unplug WAN 1 at Remote (MAX BR1)
3) Observe the changes at the routers
Failover Test Result:
1) Remote site WiFi WAN will resume the VPN link
2) Any timeout during failover? Yes or No
Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
Passed or Failed


The SpeedFusion Hot Failover recovery process should have no timeout.


Recovery Test:
1) Before starting the test, at the Remote site, launch the command prompt
window and conduct a continuous ping to HQ LAN IP (10.0.0.10)
2) Plug back the WAN 1 at Remote (MAX BR1)
3) Observe the changes at the routers
Recovery Test Result:
1) WAN 1 will resume the VPN link
2) Any timeout during failover? Yes or No
Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
Passed or Failed


To monitor the SpeedFusion Hot-Failover and recovery process, you can view the
SpeedFusion Status window.
1) Go to the Dashboard and navigate to Status > SpeedFusion
2) Click on the blue triangle beside MY-MaxBR1 to expand the statistics
3) Monitor the changes in the WAN status during the failover and fallback


SpeedFusion Bonding - Packet-Level Bandwidth Bonding.

Working hand-in-hand with Hot Failover and PepVPN, SpeedFusion Bonding
teams up all your connections to give you blazing throughput whenever you
need it.
Multi-provider bandwidth bonding - SpeedFusion Bonding combines multiple
links from multiple providers into a single, superfast tunnel.
Automatic Hot Failover handoff - SpeedFusion Bonding monitors connections
and automatically turns control over to Hot Failover when links become
unstable.
Easy, on-demand scalability - Need more speed for mission-critical VPNs?
How about temporary bandwidth for a specific project? With SpeedFusion
Bonding, you can plug in connections from any provider and get more
bandwidth instantly. And you can unplug connections at any time, keeping
your connectivity costs under control.
Requirement
SpeedFusion VPN Bonding technology is particularly useful for customers with a higher volume
of VPN traffic between sites. It aggregates the VPN links into a bigger pipe, and at the same
time provides reliability.
In this example, we will install a Balance 310 at the branch level, while HQ remains on the
Balance 380. We also configure the Balance 310 in Drop-In mode, assuming the branch has
an existing infrastructure setup.


We take the same HQ setup as in the previous example. The VPN profile creation
process is the same except that the name is changed to MYKL-VPN. Here are the
steps to create the VPN profile in MAX BR1.
At the branch router (Balance 310), go to Network > SpeedFusion to create
the VPN profile.
VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name. This name
should be the same for both sides, e.g. MYKL-VPN.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite
side.
3) For the remote site, you need to enter at least one Public IP (or DNS/DDNS) of the
HQ router WAN link. If HQ has multiple WAN links with static Public IPs, you
can key in all the IPs.
4) The Balance 310 is capable of VPN Bonding, so choose the active WAN links
from the WAN Connection Priority section to be bonded by the SpeedFusion
VPN. This example will use WAN 1 & 2 to forward VPN traffic.
5) Save and apply the changes.


Once VPN profiles have been created on both sides, and if the WAN links are
up, the routers will start negotiating the VPN connection. If all the parameters
are correct, the VPN will be online in a minute's time.
As shown in the screenshots, at the Dashboard page, the status of the VPN
connection will change to "Established", indicating a successful VPN connection.
Failover Test:
1) Before starting the test, at the Remote site, launch the command prompt
window and conduct a continuous ping to HQ LAN IP (10.0.0.10)
2) Unplug WAN 2 at Remote router (Balance 310)
3) Observe the changes at the routers
Failover Test Result:
1) Any timeout during failover? Yes or No
Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
Passed or Failed


To monitor the SpeedFusion Hot-Failover and recovery process, you can view
the SpeedFusion Status window.
1) Go to the Dashboard, click on the Status tab at the top, and then the SpeedFusion tab
on the side
2) Click on the blue triangle beside MYKL-VPN (or the name of your VPN) to
expand the statistics
3) Monitor the changes in the WAN status during the failover and fallback

The SpeedFusion Hot Failover recovery process should have no timeouts.

Recovery Test:
1) Before starting the test, at the Remote site, launch the command prompt window
and conduct a continuous ping to HQ LAN IP (10.0.0.10)
2) Plug back the WAN 2 at Remote router (Balance 310)
3) Observe the changes at the routers
Recovery Test Result:
1) WAN 1 will resume the VPN link
2) Any timeout during failover? Yes or No
Ping Test:
1) Remote side ping to HQ LAN IP: 10.0.0.10
Passed or Failed
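
The failover and recovery tests above ask whether the continuous ping showed any timeout. The script below is an added example, not part of the Peplink material: it reads a saved capture of the Windows command prompt ping output and reports lost probes and outage runs. The function name and both sample captures are constructed, and English-language ping output is assumed.

```python
"""Summarise a continuous-ping capture taken during a failover or recovery test."""
import re

# A real echo reply, e.g. "Reply from 10.0.0.10: bytes=32 time=21ms TTL=62".
REPLY_OK = re.compile(
    r"^Reply from (?P<src>\S+): bytes=\d+ time[=<](?P<ms>\d+)ms TTL=\d+", re.I)
# Failure lines. An ICMP unreachable from a router also starts with
# "Reply from", so it has to be told apart from a real echo reply.
FAILURE = re.compile(
    r"^(Request timed out\.|General failure\.|PING: transmit failed|"
    r"Reply from \S+: Destination (?:host|net) unreachable)", re.I)


def analyse_ping(capture, target):
    """Return loss statistics for the probes sent to `target`."""
    probes, rtts = [], []
    for line in capture.splitlines():
        line = line.strip()
        m = REPLY_OK.match(line)
        if m:
            ok = m.group("src") == target
            probes.append(ok)
            if ok:
                rtts.append(int(m.group("ms")))
        elif FAILURE.match(line):
            probes.append(False)
    if not probes:
        raise ValueError("no ping probes recognised in the capture")

    # Collapse consecutive losses into (first_probe_number, length) runs.
    outages, run_start = [], None
    for i, ok in enumerate(probes, start=1):
        if not ok and run_start is None:
            run_start = i
        elif ok and run_start is not None:
            outages.append((run_start, i - run_start))
            run_start = None
    if run_start is not None:
        outages.append((run_start, len(probes) - run_start + 1))

    lost = probes.count(False)
    return {
        "sent": len(probes),
        "lost": lost,
        "outages": outages,
        "longest_outage": max((n for _, n in outages), default=0),
        "max_rtt_ms": max(rtts, default=None),
        "timeout_during_test": lost > 0,
    }


# Constructed capture: a link is unplugged after the second reply and three
# probes are lost before the other link takes over.
SAMPLE_NORMAL_FAILOVER = """
Pinging 10.0.0.10 with 32 bytes of data:
Reply from 10.0.0.10: bytes=32 time=21ms TTL=62
Reply from 10.0.0.10: bytes=32 time=23ms TTL=62
Request timed out.
Reply from 192.168.0.1: Destination host unreachable.
Request timed out.
Reply from 10.0.0.10: bytes=32 time=48ms TTL=62
Reply from 10.0.0.10: bytes=32 time=47ms TTL=62
"""

# Constructed capture: no probe is lost, only the round-trip time changes.
SAMPLE_HOT_FAILOVER = """
Pinging 10.0.0.10 with 32 bytes of data:
Reply from 10.0.0.10: bytes=32 time=21ms TTL=62
Reply from 10.0.0.10: bytes=32 time=22ms TTL=62
Reply from 10.0.0.10: bytes=32 time=95ms TTL=62
Reply from 10.0.0.10: bytes=32 time=46ms TTL=62
Reply from 10.0.0.10: bytes=32 time=45ms TTL=62
"""

if __name__ == "__main__":
    for name, cap in (("normal failover", SAMPLE_NORMAL_FAILOVER),
                      ("hot failover", SAMPLE_HOT_FAILOVER)):
        r = analyse_ping(cap, "10.0.0.10")
        answer = "Yes" if r["timeout_during_test"] else "No"
        print(f"{name}: timeout during test? {answer} "
              f"(lost {r['lost']}/{r['sent']}, outages {r['outages']}, "
              f"max RTT {r['max_rtt_ms']} ms)")
```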


Ethernet-easy WAN
Unlike traditional WAN technologies, PepVPN works with any IP connection,
sets up in minutes, and requires almost no maintenance. It connects sites,
regardless of the distance, with a lightning-quick 256-bit AES-encrypted tunnel.
It is 100% compatible with all your Peplink/Pepwave devices.
PepVPN is so fast and easy to use, it's like having everyone on the same LAN,
connected by Ethernet cables. PepVPN eliminates the 100-meter limitation. In
fact, it eliminates any distance limitations, so go ahead and do business
anywhere you please - across town, throughout the country, around the globe.
Requirement
Many companies need to mobilize a team at a project site while keeping the team
connected to the company network. However, some systems in their company
don't work well in a routed environment or a VPN (e.g. NetBIOS, mainframe-based
applications, and even VMware SRM). In these situations, the solution is to
extend the office network to the project site using the SpeedFusion Long Distance
Ethernet VPN solution.
In this scenario, they are deploying a Balance 380 at HQ, and a MAX On-The-Go
(MOTG) at the remote site. The HQ's LAN (192.168.125.0/24) will be
extended to the remote site, with DHCP enabled to assign IPs to remote hosts.


Extending the HQ LAN to the remote site can be done using the SpeedFusion L2
approach. These screencaps show the VPN profiles at both HQ and Remote
sites.
HQ VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name. This name should be the same for both sides, e.g. SFL2.
2) To enable Layer 2, first click on the ? at the top-right of the SpeedFusion Profile window and click on the link to
unhide the Layer 2 Bridging feature.
3) Tick the checkbox for Layer 2 Bridging, and select LAN as the Bridge Port (default setting).
4) Since the HQ serves as the DHCP server end, tick the checkbox for Preserve LAN Settings Upon Connected.
5) Save and apply the changes.
Remote VPN Profile
1) At the VPN Profile window, enter a meaningful word for the Name. This name should be the same for both sides, e.g. SFL2.
2) To enable Layer 2, first click on the ? at the top-right of the SpeedFusion Profile window and click on the link to
unhide the Layer 2 Bridging feature.
3) Tick the checkbox for Layer 2 Bridging, and select LAN as the Bridge Port (default setting).
4) As the remote site is to follow the HQ DHCP assignment, leave the checkbox for Preserve LAN Settings Upon Connected
unchecked. A warning message will be displayed as a reminder that this site's (Remote) LAN will follow the HQ LAN IP assignment.
5) In order to manage this router (MOTG), you need to manually assign an unused HQ LAN IP to this router. Once
SpeedFusion is connected, you will be accessing this router via this new IP (192.168.125.5).
6) Save and apply the changes.

Slide 71

Once the VPN profile has been created on both sides, and if the WAN links are up, the routers will
start negotiating the VPN connection. If all the parameters are correct, the VPN will
come up in a minute's time. The SpeedFusion description will change, with
the wording Layer 2 added beside SpeedFusion. At the remote router, a
warning message is displayed at the bottom of the Device Information section.

Slide 72

To verify the SpeedFusion tunnel, you can view the SpeedFusion Status window.
1) Go to the Dashboard and click on the Status button in the SpeedFusion section.
2) Click on the blue triangle beside SF-L2 to expand the statistics.
3) Notice that the remote router IP is 192.168.125.5, as assigned in the VPN
profile.
Remote Host Verification:
1) Open a command prompt on the remote site notebook and check the IP with
ipconfig. You will notice the host obtained 192.168.125.11 from the HQ DHCP
server.
Ping Test:
1) Remote side pings the HQ LAN IP: 192.168.125.10
Passed or Failed

Slide 73

SpeedFusion 3G/4G Bonding

As more business takes place outside the office, telecom providers have
responded by boosting the speed and reliability of their 3G networks. In addition,
they are rolling out innovations like 4G, LTE, and WiMax in an increasing number
of markets.
However, no matter how quickly cellular data bandwidth and quality improve,
mobile businesses always demand more. From live video streaming and
conferencing to ever-larger file transfers and real-time collaboration, today's
mobile applications strain even the latest and greatest cellular technology to its
limits. The result is fluctuating data quality, unpredictable data rates, and
widespread frustration, in addition to costly overage charges.
Requirement
In our previous case, the remote site area doesn't have any WiFi or wired
Internet facility. So, the project team needs to use cellular WAN to establish a
VPN back to the office. We can combine both 3G cellular lines into a SpeedFusion
Bonded VPN to allow greater throughput and reliability. The remote site LAN IP is
192.168.0.0/24, and the HQ LAN IP is 192.168.125.0/24.

Slide 74

Assume the HQ router has already created the SpeedFusion profile named SF-L2, a
normal Layer 3 bonded VPN. Here are the steps for creating a VPN profile on the MAX
OTG.
At the branch router (Balance 310), go to Advanced > SpeedFusion to create
the VPN profile.
VPN Profile
1) At the VPN Profile window, enter a meaningful Name. This name
should be the same on both sides, e.g. SF-L2.
2) For the Remote ID, enter the SpeedFusion ID of the Balance at the opposite
side.
3) At the remote site, enter at least one public IP (or DNS/DDNS name) of the HQ
router's WAN link. If HQ has multiple WAN links with static public IPs, you can
key in all the IPs.
4) The MAX OTG is capable of VPN bonding, so choose the active WAN links
to be bonded by SpeedFusion VPN from the WAN Connection Priority section.
This example will use WAN 1 & 2 to forward VPN traffic.
5) Save and apply the changes.

Slide 75

Once VPN profiles have been created on both sides, and if the WAN links are up,
the routers will start negotiating the VPN connection. If all the parameters are correct,
the VPN will come up in a minute's time.
As shown in the screenshots, the Dashboard shows the status of the VPN
connection changing to Established, indicating that the VPN connection process
was successful. Also notice that both WAN 1 & 2 are up and connected to the
Internet.

Slide 76

To further verify the SpeedFusion tunnel, you can view the SpeedFusion Status
window.
1) Go to the Dashboard and click on the Status button in the SpeedFusion section.
2) Click on the blue triangle beside SF-L2 to expand the statistics.
3) Notice that both WAN 1 & 2 are connected to the SpeedFusion VPN and are
forwarding traffic via the VPN tunnel.
Load Sharing Test via multiple Ping commands:
1) From the remote side, launch at least 2 ping commands to the HQ LAN IP: 192.168.125.1
Passed or Failed
Do the WAN 1 & 2 link Receive (RX) and Transmit (TX) counters increase?
Yes or No
Refer to the next page for the traffic statistics.

Slide 77

The real-time graph shows the traffic passing through the SpeedFusion Bonded VPN
tunnel. If the uplink direction experiences a link interruption, the
SpeedFusion graph will indicate packet loss.

Slide 78

Slide 79

SpeedFusion bonded VPN requires all transmitted data to be encapsulated in a
special UDP stream. This stream contains additional packet headers with all the
information needed to reconstruct the original data stream in the correct order at
the remote location.

SpeedFusion adds an additional 80 bytes of data to each packet sent over a
SpeedFusion connection, no matter what size the original data packet is. This
compares well to the 58 bytes of overhead required by IPsec, especially
considering that SpeedFusion provides advanced routing, load balancing, and
256-bit AES encryption within the tunnel.
As the chart on the left shows, when a SpeedFusion VPN tunnel is used to
transmit IMIX data (4084 bytes), an additional 960 bytes of SpeedFusion
overhead is required.
The SpeedFusion overhead is 19% of the total transmitted data (IMIX +
overhead). Since it uses a fixed number of bytes per packet transmitted (an
additional 80 bytes), SpeedFusion is much more efficient when transmitting
larger packet sizes.

Slide 80

Accounting for SpeedFusion bandwidth overhead and assuming that the traffic
passing across the links is similar to the previously mentioned IMIX standard, we
can calculate the available real-world bandwidth at the remote site:
Download: 10Mb + 10Mb = 20Mbps - 19% = 16.2Mbps
Upload: 2Mb + 2Mb = 4Mbps - 19% = 3.24Mbps
It is important to explain SpeedFusion bandwidth overhead to your end users so
that they understand why they will not get the full 20Mbps/4Mbps bandwidth when
using VPN bonding.
Remember, conventional VPN technology such as IPsec has an overhead
of 14.6%, so SpeedFusion provides bandwidth aggregation & WAN resilience for
only an additional 4% overhead.
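The overhead percentages and bandwidth figures above follow from the fixed per-packet cost. The Python sketch below is an added example, not Peplink code; it assumes the common 7:4:1 simple IMIX mix (7 x 40-byte, 4 x 576-byte and 1 x 1500-byte packets, which totals the 4084 bytes quoted), and its function names are chosen here for illustration.

```python
# Added example: per-packet tunnel overhead, using the figures quoted in the text.
SPEEDFUSION_OVERHEAD = 80  # bytes added to every packet (from the text)
IPSEC_OVERHEAD = 58        # bytes added to every packet (from the text)

# Assumption: the "simple IMIX" mix of 7 x 40 B, 4 x 576 B and 1 x 1500 B packets,
# which adds up to the 4084 bytes the text quotes.
IMIX = [(40, 7), (576, 4), (1500, 1)]


def payload_bytes(mix):
    """Total original data in one cycle of the mix."""
    return sum(size * count for size, count in mix)


def overhead_bytes(mix, per_packet):
    """Tunnel bytes added to one cycle: a fixed cost for every packet."""
    return per_packet * sum(count for _, count in mix)


def overhead_share(mix, per_packet):
    """Overhead as a fraction of everything sent on the wire (data + overhead)."""
    extra = overhead_bytes(mix, per_packet)
    return extra / (payload_bytes(mix) + extra)


def usable_mbps(links_mbps, mix, per_packet):
    """Bonded capacity left for user data once tunnel overhead is paid."""
    return sum(links_mbps) * (1 - overhead_share(mix, per_packet))


if __name__ == "__main__":
    print("IMIX payload / overhead bytes:",
          payload_bytes(IMIX), overhead_bytes(IMIX, SPEEDFUSION_OVERHEAD))
    for name, cost in (("SpeedFusion", SPEEDFUSION_OVERHEAD), ("IPsec", IPSEC_OVERHEAD)):
        print(f"{name:12s} overhead on IMIX: {overhead_share(IMIX, cost):.1%}")
    # Fixed per-packet cost: small packets pay proportionally far more than large ones.
    for size in (40, 576, 1500):
        share = overhead_share([(size, 1)], SPEEDFUSION_OVERHEAD)
        print(f"{size:5d}-byte packets only: {share:.1%} overhead")
    print(f"2 x 10 Mbps down: {usable_mbps([10, 10], IMIX, SPEEDFUSION_OVERHEAD):.1f} Mbps usable")
    print(f"2 x 2 Mbps up:    {usable_mbps([2, 2], IMIX, SPEEDFUSION_OVERHEAD):.2f} Mbps usable")
```

Traffic dominated by small packets (VoIP, ACK-heavy flows) sits well above the 19% IMIX figure, so size bonded links from the expected packet mix rather than the IMIX average alone.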
SpeedFusion Isn't Just about Bandwidth Aggregation
The big benefit of SpeedFusion is VPN reliability and the highly available connection it provides
(with packet-level failover).
Customers can take advantage of this reliability and use a pair (or more) of low-cost DSL circuits
to achieve higher reliability and throughput than comparable private circuits, often at up to 80%
less cost.

Slide 81

We always recommend the use of WAN links with similar bandwidth profiles from
different ISPs to allow for the best possible SpeedFusion throughput.
Using at least two different ISPs offers the benefit of provider diversity, which
means less chance of a technical (or even accounting/billing) error causing a
network outage. Provider diversity also lessens the impact of bandwidth sharing,
a common problem when using multiple circuits from a single provider.
Download: 20 + 20 = 40 - 19% = 32.4Mbps
Upload: 4 + 4 = 8 - 19% = 6.48Mbps
The above configuration example uses two DSL circuits from two different ISPs,
each circuit having a similar bandwidth profile, as the best use case for fixed line
SpeedFusion bonding.

Slide 82

The Effect of WAN Link Characteristics on SpeedFusion VPN Connections

Another important factor to consider is the quality of the WAN links connecting SpeedFusion
enabled devices. Let's consider some of the typical drivers for using SpeedFusion in the first
place:
1) Internet Connection Bandwidth Availability: SpeedFusion is often deployed by customers
who are limited to slow DSL or cellular connections at a given location. Typically, these
customers want to combine these slow links to create a faster aggregate connection between
locations.
2) Internet Connection Reliability: We often see poor physical line quality at customer
locations, particularly DSL using old copper (and sometimes even lead) cable over a long run
from the nearest exchange or POP. These connections are inherently unreliable and can
sometimes be affected by rain ingress into the physical circuits, as well as temperature
changes. We also see customers who have no physical lines and want to use cellular
connectivity. Naturally, the quality, bandwidth availability, and reliability of cellular connections
vary depending on location.
3) Flexibility: One of the benefits of SpeedFusion is that it is connection agnostic, so we often
see customers who want to use it to bond WAN links of different technology types, such as
3G/4G, VSAT, DSL, and leased lines. Obviously, the characteristics of these connections are
very different (VSAT has high latency, cellular connections have variable latency/bandwidth
depending on their location/signal strength, etc.).
4) ISP Diversity: This is a big driver for customers who want to make sure that even if an ISP
has a service issue, they can still connect using a WAN link from another ISP. The same DSL
product from different ISPs can have quite different characteristics, with
variable contention, latency, and bandwidth availability all being factors.

Slide 83

The Effect of WAN Link Characteristics on SpeedFusion VPN Connections, Continued

The two most important WAN link characteristics are:
Packet Loss
When the SpeedFusion engine detects excessive packet loss on a WAN link, the link will fail its
health test and will not be used by SpeedFusion as an active link until it passes a subsequent
health test.
Latency
When latency characteristics are the same across connected WAN links, latency has very little effect
on SpeedFusion bandwidth throughput. However, when the latency of the WAN links varies
considerably, bandwidth throughput will be affected.
Example 1. If WAN1 has 100ms latency and WAN2 has 400ms, the resulting latency of the SpeedFusion
bonded link will be 400ms, following the higher-latency WAN.
Example 2. If packets travel across multiple SpeedFusion hops (site A -> site B -> site C), with 100ms
per link between 2 sites, then the total latency will be 200ms from site A to site C (via site B).
Any variation in these characteristics has an effect on the amount of WAN link bandwidth that is
available for use by SpeedFusion.
Packet Loss in High Latency Environments
In the example above, there is a 3G connection which is highly susceptible to packet loss.
Because the latency across the SpeedFusion link is equalized to the link with the highest latency
(800ms), SpeedFusion will take longer to spot the packet loss (800ms+).
In certain conditions, such as a combination of regular timed packet loss and high latency on the
above 3G link, the TCP protocol method of retransmitting lost packets can have a drastic effect
on the available bandwidth over the VPN. This is another reason why we recommend that,
whenever possible, high latency links be used for failover and not as an active SpeedFusion
WAN link.
Recommended latency difference = Less than 150ms
Note: Using UDP traffic over SpeedFusion can provide higher throughput than TCP, which has
restrictive flow control.

Slide 84

External Factors that Affect WAN Link Quality

Whatever WAN connections you are using, it is always a good idea to test each individually and
repeatedly to discover its maximum throughput in both directions. Remember, bandwidth
availability can vary throughout the day, especially if using cellular or fixed lines with
variable contention.

Cellular and Satellite Bandwidth Availability

The amount of bandwidth available on a 3G/4G or satellite data connection is dependent on a
number of factors:

Signal Strength: Determined by the distance to the nearest cellular tower (or visibility of the
satellite) and the subsequent signal quality received.

Backhaul Bandwidth Availability: From the cellular tower to the ISP's core network, or from
the satellite ground station to the ISP's core network.

Device Contention: At the tower or satellite you are connected to (determined by the
number of active subscribers on a tower or satellite at any given moment).

Fixed Line Contention

Most internet connections are provided as a contended service. This means that although your
provider has advised you will get, for example, up to 24Mbps broadband over DSL, depending on
how oversubscribed your DSL service is (literally how many people in your area are connected
to the ISP's service), the bandwidth that's actually available at any given moment could be
considerably less.

Slide 85

The Benefits of Using Multiple LTE Connections on Contended Cell Towers

Many LTE providers use a process called windowing/time-slicing when multiple subscribers
connect to their LTE services.
In the first example, the third user only gets 1/3 (33Mbps) of the available bandwidth (100Mbps)
from the cell tower. In the second example, the third user, with a Pepwave MAX device (fitted
with 2 LTE data SIMs), is able to get half (50Mbps) of the available bandwidth from the cell tower.

Multiple Cellular Connections Deliver a Larger Share of Available Bandwidth

As the above diagrams show, adding an additional cellular connection does not always mean a
doubling of available bandwidth, especially if both connections are from the same ISP.
However, an additional cellular connection can provide the end user with a larger share of the
available bandwidth at a tower.
So, if multiple LTE carriers are available, it is always recommended to connect to two
different cellular providers to gain a bigger share of the bandwidth on your LTE connections.

Slide 86

Peplink Balance also supports site-to-site IPSec VPN to third-party peer devices, e.g.
Cisco and Juniper, but Peplink always recommends establishing a SpeedFusion
VPN whenever possible if both peers are Peplink routers.
Notes:
We advise you to use IPSec Aggressive Mode only when one of your devices
has a dynamic IP address. You should choose Main Mode whenever possible
because Aggressive Mode is not as secure as Main Mode, although
Aggressive Mode is a little faster because fewer packets are exchanged.
With PFS turned on, when 2 IPSec gateways start a new Phase 2 SA
negotiation, they will generate a new set of Phase 1 keys, so that if a
security key is compromised, the attackers will only be able to access the
data protected by that key. After the new SA is negotiated, all data will be
protected and not affected by the previously compromised key.
You can only select Force UDP Encapsulation if you have turned on NAT-Traversal.
This option is useful when you do not want NAT-T to automatically
detect a NAT connection, or if the remote peer fails to detect NAT. If
enabled, it forces the Balance / MAX to tell the remote peer that UDP
encapsulation (Port 4500) is required (even if you are connecting to the Internet
directly without NAT).
An IPSec tunnel is not treated as a WAN interface when configuring Outbound
Policy.

Slide 87

In a new setup where the customer subscribes to 2 Internet links and
does not need a dedicated firewall, a Balance model is a good
choice for providing outbound Internet load balancing while acting as the
security gateway (firewall).
Planning Your Network
An ISP #1 router/default gateway (210.10.10.1) connected to ISP #1.
An ISP #2 router/default gateway (20.2.2.1) connected to ISP #2.
Trusted LAN IP: 192.168.1.0/24
Peplink Balance WAN #1 IP: 210.10.10.2/24, WAN #2 IP: 22.2.2.2/24, LAN IP:
192.168.1.1/24
Peplink Balance Router Default Gateway IP: 210.10.10.1 for ISP #1, IP:
22.2.2.1 for ISP #2
Internet access from internal hosts (PC/Notebook) will be load balanced across the 2
Internet links.

Slide 88

Assumptions:
1) Both ISPs are providing static public IP ranges.
2) All outgoing traffic will be load balanced across both Internet links.
Part 1: Interface configuration steps:
1) Go to Network > Interfaces > WAN, click on WAN 1.
2) Choose Static IP from the Connection Method drop-down list.
3) If you need to implement QoS, make sure the Upload Bandwidth and
Download Bandwidth values match the subscribed bandwidth.
4) Fill in the Static IP Settings area with the details given by the ISP.
5) Repeat steps 1-4 above for the WAN 2 interface.
6) For the LAN interface, if you want to change to a different IP range than the default
(192.168.1.1/24), go to Network > Interfaces > LAN.
7) Fill in the IP address and subnet mask.
8) The DHCP service is enabled by default. Change it if required; otherwise leave it as
it is.

Slide 89

Part 2: Configure an Outbound Policy to load balance outgoing traffic:

1) Go to Network > Outbound Policy and click on the Add Rule button. The Add a
New Custom Rule window will appear.
2) Enter a Service Name; in this example it is All-Traffic.
3) Choose Any for Source, Destination, and Protocol, based on the assumptions
made above.
4) WAN 1 and WAN 2 are active, so choose Weighted Balance from the
Algorithm drop-down list. This will allow 50:50 load balancing between WAN 1
and WAN 2.
5) For WAN 3 and Mobile Internet, either leave the sliders as they are or drag the pointer to
0, as it will not affect the connectivity.
6) Click the Save button to save the configuration.
7) At the Rules window, drag the newly created service All-Traffic to below
HTTPS_Persistence. This ensures the HTTPS_Persistence rule is
processed before All-Traffic, as the policy is processed from top to bottom.
8) Save to apply the changes.

Done. The Balance router is now load balancing outgoing Internet traffic
between WAN 1 and WAN 2 in a 50:50 ratio, and NATing the LAN IP to the
WAN 1 and WAN 2 public IPs. You may proceed to configure the firewall rules if
needed; otherwise you can leave the default policy in place.

Slide 90

Understanding Outbound Load Balancing

Peplink's load balancing algorithms help you easily fine-tune how traffic is distributed across
connections. Each deployment has a unique setup, and Peplink's enterprise grade load balancing
features can fulfill all of your special requirements. Create your own rule with the following
algorithms and you can sit back and enjoy the high performance routing that Peplink brings to you.
A flexible rule-based configuration design enables the fine-tuning of outbound traffic at a per-service
level by allowing multiple rules to be configured. The following types of Outbound Traffic
Rules are available:
Weighted Balance
Persistence
Enforced
Priority
Overflow
Least Used
Lowest Latency

Outgoing Traffic Control via Firewall

Besides Outbound Policy, there is the firewall: a mechanism that selectively filters data traffic between the
WAN side (the Internet) and the LAN side of the network. It can protect the local network from
potential hacker attacks, offensive Web sites, and/or other inappropriate uses.
The Outbound firewall policy supports the selective filtering of data traffic on LAN-to-WAN, from
PPTP clients, and from SpeedFusion peers.
Outbound Firewall Rules can block the following traffic types:
Traffic coming from LAN clients
Traffic coming from PPTP clients
Traffic coming from SpeedFusion peers

Slide 91

There are 3 types of Outbound policies that can be defined:

High Application Compatibility
With the selection of this policy, outbound traffic from a source LAN device is routed through the same WAN
connection regardless of the destination Internet IP address and protocol.
This provides the highest application compatibility.
Normal Application Compatibility
With the selection of this policy, outbound traffic from a source LAN device to the same destination Internet IP
address will persistently be routed through the same WAN connection regardless of protocol.
This provides high compatibility with most applications, and users still benefit from WAN link load balancing when
multiple Internet servers are accessed.
Custom policy
With the selection of this policy, outbound traffic behavior can be managed by defining custom rules.
Rules can be defined in a custom rule table. A default rule can be defined for connections that cannot be
matched with any one of the rules.
The default policy is Normal Application Compatibility.
The "Default" custom outbound policy of the Balance 580 is Lowest Latency; the Balance sends TCP traceroute packets every 10
seconds to measure link latency. Changing to any algorithm other than Lowest Latency stops the latency measurement
packets and reduces link usage.
Note:
An HTTP packet has a larger footprint than a Ping packet, so this change can reduce link usage.

Slide 92

Weighted Balance
Assign more traffic to a faster link or less traffic to a connection with a bandwidth cap. Set a weight on the scale for each
connection and outgoing traffic will be proportionally distributed according to the specified ratio.
The amount of matching traffic that is distributed to a WAN connection is proportional to the weight of that WAN connection
relative to the total weight. Use the sliders to change each WAN's weight.
Example: With the following weight settings on a Peplink Balance 310:
WAN1: 10
WAN2: 10
WAN3: 5
Total weight is 25 = (10 + 10 + 5)
Matching traffic distributed to WAN1 is 40% = (10 / 25) x 100%
Matching traffic distributed to WAN2 is 40% = (10 / 25) x 100%
Matching traffic distributed to WAN3 is 20% = (5 / 25) x 100%
Note:
If a LAN user is running multiple Internet sessions, as with BitTorrent or a download manager, that user can utilize all
available WAN bandwidth at a particular moment.

Slide 93

Persistence
Eliminate session termination issues for HTTPS, e-banking, and other secure websites. Specify a traffic type and it will be
routed through the same connection persistently based on its source and/or destination IP addresses. Traffic will keep
routing on the same connection until the session ends.
In general, different Internet IP addresses represent different computers. The security concern is that an IP address
change during a session may be the result of an unauthorized intrusion attempt. Therefore, to prevent damage from the
potential intrusion, the session is terminated upon the detection of an IP address change.
Peplink Balance can be configured to distribute data traffic across multiple WAN connections. Also, the Internet IP
depends on the WAN connection over which communication actually takes place. As a result, a LAN client computer
behind Peplink Balance may communicate using multiple Internet IP addresses. For example, a LAN client computer
behind a Peplink Balance 310 with three WAN connections may communicate on the Internet using three different IP
addresses.
With the Persistence feature of Peplink Balance, rules can be configured to enable client computers to persistently utilize
the same WAN connections for e-banking and other secure websites. As a result, a client computer will communicate
using one IP address, which eliminates the issues.
There are two Persistence Modes. One is by source and the other by destination. The default Mode is By Source.

Slide 94

Enforced
Restrict outbound traffic to a particular connection. Select a connection and the specified traffic type will be routed
through it at all times, whether the link is up or down. This is useful for scenarios like accessing a server that only
allows users from a specific IP.
Starting from firmware 5.2, outbound traffic can be enforced to go through a specified SpeedFusion connection.
(Available on Peplink Balance 210+)

Slide 95

Priority
Route traffic to your preferred link as long as it's available. Arrange the connection priority order, and traffic will be routed
through the healthy link that has the highest priority in the list. Lower priority links will only be used if the current
connection fails.
Starting from firmware 5.2, outbound traffic can be prioritized to go through SpeedFusion connection(s). By default, VPN
connections are not included in the priority list. (Available on Peplink Balance 210+)

Slide 96

Overflow
Prevent traffic flow from slowing down when the connection runs out of available bandwidth. Drag and drop to arrange
the connection overflow order, and the highest priority link will route traffic as long as it is not congested. Once it
saturates, the lower priority links will start routing traffic.
Least Used
Helps you choose the better connection with more free bandwidth. Traffic will be directed to the link with the most
available bandwidth among the selected connections. This option is useful for maximizing reliability and bandwidth
utilization.
Lowest Latency
Gives you the fastest response time when using applications like online gaming. Traffic will be assigned to the link with the
lowest latency among the selected connections. Latency checking packets are issued periodically to a nearby router
of each WAN connection to determine its latency value. The latency of a WAN is the packet round trip time of the WAN
connection. Additional network usage may be incurred as a result.
Lowest Latency will try TCP traceroute first. If there is no response from TCP traceroute, it will fall back to ping.
Note: The round trip time of a 6M down / 640k up link can be higher than that of a 2M down / 2M up link. This is because
the overall round trip time is lengthened by its slower upload bandwidth, despite its higher downlink speed.
Therefore this algorithm is good for two scenarios:
All WAN connections are symmetric; or
A latency-sensitive application needs to be routed through the lowest latency WAN regardless of the WAN's available
bandwidth.

Slide 97

In addition to physical WAN interfaces, Peplink Balance allows you to redirect designated traffic to a VPN tunnel, e.g.
a SpeedFusion VPN tunnel. For example, a customer with centralized Internet access can force all branch Internet traffic
to go through the VPN tunnel back to HQ (and probably through web content filtering/security assessment) before reaching
Internet sites. Another example would be customer internal applications (email, CRM, etc.) that should be redirected via a
secured VPN tunnel to access servers in HQ, rather than going through the unsecured Internet.

Slide 98

Configuration Example - Restricting IPSec VPN Traffic to the WAN1 Link

To configure Peplink Balance to restrict IPSec VPN traffic to WAN1, add the following per-service
Enforced rules:
1) Rule to specify UDP Port 500 traffic:
Service Name: UDP500_on_WAN1
Source & Destination IP: Any
Protocol & Port: UDP 500
Algorithm: Enforced
Enforced Connection: WAN1
2) Rule to specify UDP Port 4500 traffic:
Service Name: UDP4500_on_WAN1
Source & Destination IP: Any
Protocol & Port: UDP 4500
Algorithm: Enforced
Enforced Connection: WAN1
With these rules enabled, Peplink Balance will route IPSec VPN traffic with NAT-T (which requires
UDP ports 500 and 4500) to WAN1 regardless of its up/down status. In the event that WAN1 is
down, the specified traffic will simply be dropped rather than routed via the other WAN links.
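The rule behaviour described in this module (top-to-bottom processing, Enforced dropping traffic when its link is down, Priority failover, Weighted Balance and Persistence by source) can be modelled in a few lines. This is an added example, not Peplink code: a simplified Python model with hypothetical class and function names, a rule table constructed from the rule names on this page, and the assumption that unhealthy links are left out of Weighted Balance.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    algorithm: str                  # "enforced", "priority", "persistence" or "weighted"
    links: dict                     # link -> weight; dict order is the priority order
    protocol: Optional[str] = None  # None matches any protocol
    port: Optional[int] = None      # None matches any destination port
    sessions: int = 0               # sessions placed so far by the weighted picker
    sticky: dict = field(default_factory=dict)  # source IP -> link (By Source mode)

    def matches(self, protocol, port):
        return self.protocol in (None, protocol) and self.port in (None, port)


def pick_weighted(rule, healthy):
    """Deterministic weighted pick: session n takes slot n mod (total weight).

    Assumption: links that fail their health check are left out of the pool.
    """
    pool = [(link, w) for link, w in rule.links.items() if healthy.get(link) and w > 0]
    total = sum(w for _, w in pool)
    if total == 0:
        return None
    slot = rule.sessions % total
    rule.sessions += 1
    for link, weight in pool:
        if slot < weight:
            return link
        slot -= weight


def route(rules, healthy, src, protocol, port):
    """Return (matching rule name, link) for a new session; link None means dropped."""
    for rule in rules:  # rules are processed top to bottom; the first match decides
        if not rule.matches(protocol, port):
            continue
        if rule.algorithm == "enforced":
            # Pinned to one link whether it is up or down: fails closed, no failover.
            link = next(iter(rule.links))
            return rule.name, (link if healthy.get(link) else None)
        if rule.algorithm == "priority":
            # Highest-priority healthy link; lower ones are used only on failure.
            return rule.name, next((l for l in rule.links if healthy.get(l)), None)
        if rule.algorithm == "persistence":
            # By source: keep a client on the link it was first given.
            link = rule.sticky.get(src)
            if link is None or not healthy.get(link):
                link = rule.sticky[src] = pick_weighted(rule, healthy)
            return rule.name, link
        return rule.name, pick_weighted(rule, healthy)
    return None, None


def sample_rules():
    """Constructed rule table using the rule names from this page."""
    return [
        Rule("UDP500_on_WAN1", "enforced", {"WAN1": 1}, "udp", 500),
        Rule("UDP4500_on_WAN1", "enforced", {"WAN1": 1}, "udp", 4500),
        Rule("HTTPS_Persistence", "persistence", {"WAN1": 10, "WAN2": 10}, "tcp", 443),
        Rule("All-Traffic", "weighted", {"WAN1": 10, "WAN2": 10, "WAN3": 5}),
    ]


if __name__ == "__main__":
    rules = sample_rules()
    all_up = {"WAN1": True, "WAN2": True, "WAN3": True}
    wan1_down = dict(all_up, WAN1=False)
    print(route(rules, all_up, "192.168.1.20", "udp", 500))     # pinned to WAN1
    print(route(rules, wan1_down, "192.168.1.20", "udp", 4500))  # dropped, no failover
    print(route(rules, all_up, "192.168.1.20", "tcp", 443))     # sticky per source
    print([route(rules, all_up, "192.168.1.30", "tcp", 80)[1] for _ in range(25)])
```

In this model, a catch-all rule placed above the two Enforced rules takes the UDP 500/4500 traffic first and spreads it over the other WANs, so review rule order whenever the pinning is meant as a control.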

Slide 99

Expert Mode
Expert Mode is available for advanced users. To enable the feature, click on the help text balloon
and click the link to turn on Expert Mode.
Under Expert Mode, a new special rule, "SpeedFusion Routes", is displayed in the Custom Rules
table. It represents all SpeedFusion routes learned from remote VPN peers. By default, this bar is
at the top of all custom rules. That means traffic for remote VPN subnets will be routed to its
corresponding VPN peer. You can create custom Priority or Enforced rules and move them
above the bar to override the SpeedFusion Routes.
Upon disabling Expert Mode, all rules above the bar will be removed.

Slide 100

Drop-in Mode allows Peplink Balance to be deployed in a network without
incurring any configuration changes to existing network devices. It simplifies the
installation of a Balance into an existing network by transparently and seamlessly
working with routers and firewalls. The process is done in 2 phases. In the 1st
phase, you transparently insert the Balance into the existing setup. In the 2nd
phase, you will be able to add Internet links without modifying existing network
equipment settings.
Phase 1: Insert Peplink Balance into the existing environment
Suppose you have a migration plan similar to the following environment.
Currently, you have:
A router/default gateway (210.10.10.1) connected to ISP1.
A firewall (210.10.10.10) protecting your users on the trusted LAN.
We will be installing the Peplink Balance transparently in between the router and
the firewall. Then we will add more ISP connections to the network.
In this example, we assume:
Router (Default Gateway) IP: 210.10.10.1
Firewall IP: 210.10.10.10, default gateway pointing to IP: 210.10.10.1
Peplink Balance IP: 210.10.10.5 (for WAN 1 and LAN, bridge)
WAN1 Subnet Mask: 255.255.255.240

Slide 101

First, start with setting up Drop-in Mode:

1) Go to Network > Interfaces > LAN.
2) Fill in the IP address and Subnet Mask as 210.10.10.5 and 255.255.255.240 respectively.
3) Enable Drop-In by clicking on the Enable box.
4) Key in the Default Gateway as 210.10.10.1 (ISP router IP).
5) Save and apply changes.

Then configure the DNS Servers for WAN 1:

1) Go to Network > Interfaces > WAN, click on WAN 1.
2) Fill in the DNS server IP(s). The DNS server information in the screenshot above is used as
an example only.
3) Save and apply changes.

Done.
1) You may now install the Peplink Balance in the production network.
2) Note that some routers and firewalls may have problems updating their ARP tables.
Resetting these devices may be necessary.
3) You have just completed the Drop-in Mode configuration of the Peplink Balance. You should
verify the network with a single WAN before moving to the next step of connecting additional
Internet connections.
NOTE:
1) Existing network equipment settings are not affected.
2) Router (Default Gateway) IP: 210.10.10.1, remains unchanged.
3) Firewall IP: 210.10.10.10, default gateway still pointing to IP: 210.10.10.1

Slide 102

Phase 2 - Connecting additional WANs to the Balance

To install additional Internet connections:
1) Go to Network > Interfaces > WAN
2) Select a free WAN interface. For example, WAN 2 in this case.
3) Enter information for this WAN connection.
4) Save changes and activate the changes.

Your Balance should now aggregate and load balance across the two links.
Please repeat Step 1 to 4 for more internet connections.

Slide 103

How to set up Inbound Load Balance under Drop-in Mode


Once the Drop-in mode with multi-WAN links is successfully set up, we can proceed with
Inbound Load Balancing. This will allow the internal server(s) to be publicly accessible.

Prerequisite
This task assumes that you already have a good understanding of Drop-in Mode. If not, please
read the guide on Drop-in Mode before proceeding further.

Scenario
We will use an example throughout this note. Suppose you currently have a network similar to
the following:
- Peplink Balance installed and connected to three ISPs, using Drop-in Mode
- Static IP address ranges (subnets) from the ISPs
- A firewall protecting your trusted LAN
- Hosts and servers on the trusted LAN are using private IP addresses
Conceptually, we enable NAT on WAN2 and WAN3 to masquerade IP addresses of ISP A to
achieve inbound load balancing.

In this example, we assume:

ISP A
  Network: 210.10.10.0/24
  Router A (Default Gateway) IP: 210.10.10.1
ISP B
  Network: 22.2.2.0/24
  Router B (Default Gateway) IP: 22.2.2.1
ISP C
  Network: 33.3.3.0/24
  Router C (Default Gateway) IP: 33.3.3.1
Peplink Balance (Interface addresses)
  WAN1 and LAN: 210.10.10.5
  WAN2: 22.2.2.5
  WAN3: 33.3.3.5
Firewall IP: 210.10.10.10
Trusted LAN Network: 192.168.0.0/24
NAT Mappings (at Firewall)
  210.10.10.20:SMTP -> 192.168.0.20:SMTP
  210.10.10.30:SMTP -> 192.168.0.30:SMTP
Drop-in Mode is already configured and working from the previous scenario, so no changes are
needed on the existing router and firewall.

Our Target:
We want to map IP addresses from ISP B and ISP C to logically point to the mail servers.


Define Additional Public IP addresses of ISP B and ISP C


1) Go to Network > Interfaces > WAN > WAN2 > Additional Public IP Settings
2) Add the public IP addresses assigned to you by ISP B
3) You can add a series of IP addresses easily using the tool. (But remember to remove the
default gateway and Balance IP addresses from the list auto-generated by the tool.)
4) Repeat the same step for WAN3 (if applicable for you).
Purpose: To tell Balance what IP addresses are available for inbound use.

Define Inbound Servers


1) Go to Advanced Network > Inbound Access > Servers
2) Add the two mail servers
3) Note the use of IP addresses from ISP A here. The Peplink Balance only sees IP
addresses on its LAN interface.


Define Inbound Services


1) Go to Network > Inbound Access > Services
2) Add a new service rule, tying IP addresses of ISP B and ISP C to existing server(s).
3) The screenshot essentially describes the following:
   Map 22.2.2.20:SMTP -> 210.10.10.20:SMTP
   Map 33.3.3.20:SMTP -> 210.10.10.20:SMTP
4) Note that no mapping is required for ISP A. (Uncheck it.)
5) Repeat the same step for other service(s).
6) Save and apply changes.


How to set up Inbound Load Balance via built-in DNS (Drop-in Mode)
Peplink Balance has a built-in DNS server for inbound link load balancing. You can delegate a
domain's NS/SOA records, e.g. www.mycompany.com, to the Peplink Balance's WAN IP
address(es). The Peplink Balance will return healthy WAN IP addresses as an A record when a
DNS query for the host name is received.
It can also act as a generic DNS server for hosting A, CNAME, MX, TXT and NS records.
The Peplink Balance can do this in either Non Drop-in or Drop-in Mode.
PTR records are created along with A records pointing to Custom IPs. For example, if you
created an A record www.mydomain.com pointing to 11.22.33.44, then a PTR record
44.33.22.11.in-addr.arpa pointing to www.mydomain.com will also be created. When there are
multiple host names pointing to the same IP address, only one PTR record for the IP address will
be created.
Inbound Load Balancing is configured via:
- DNS records configured within Peplink Balance
- External DNS records at an Authoritative DNS Server
To illustrate this, we will use the previous example, changing the server from mail to web and
using only a single server to simplify the illustration. The steps to define the server(s) and service(s)
are the same as the previous example, so we will start with the DNS settings.


To define the DNS records to be hosted in Peplink Balance, go to the setup page located at:
Network > Inbound Access > DNS Settings, as shown above.


Step 1: Configure DNS Server


Click the Edit button to choose the IP addresses that the DNS server should be listening on. This
will result in a pop-up screen.
There, select the desired WAN link(s) and respective WAN Interface IP addresses. Multiple
addresses in the list can be selected by holding the CTRL key while clicking on the addresses.
Click Save to continue.


Step 2: Define the Default SOA / NS


From Network > Inbound Access > DNS Settings, click on the Edit button, create the Default
SOA / NS record, and map the WAN 1, 2 & 3 interface IPs to the respective Name Servers.


Step 3: Select Connection Priority


From Network > Inbound Access > DNS Settings, click the Edit button to configure Default
Connection Priority. In the resulting pop-up, you will see a list of WAN interfaces with priority;
choose the desired WAN priorities and click Save to continue.
In the above example, WAN 1, 2 & 3 are the interfaces answering DNS queries, so they should be
selected. We are also assuming all three WAN links are equally healthy.


Step 4: Creating DNS Records


From Network > Inbound Access > DNS Settings, enter a domain name in the Domain Name
field and click the Add New button.
Click on the New A Record button to create an A record for the web server.


When the A Record window appears, enter the name of the server (e.g. www), which will be automatically
associated with the previously defined domain name (.mypeplink.com).
Select the IPs at the respective WAN interfaces; these will be mapped to www.mypeplink.com.

Only the highlighted IP addresses in the lists are returned in response to a DNS query.
(Multiple items in a list can be selected by holding CTRL and clicking on the
items.) In case a WAN link is down, the corresponding set of IP addresses will not
be returned. However, the IP addresses in the Custom IP field will always be
returned.
Click Save and Apply the changes.


Domain Delegation
This diagram is useful for users who want to delegate a sub-domain to be resolved and managed
with the Peplink Balance (assuming they host their domain at an ISP or domain registrar).
In order for Internet users to look up the host name (e.g. www.mypeplink.com) using the Peplink
Balance, you have to point its NS records in the domain (e.g. mypeplink.com) to the Peplink
Balance's WAN IP addresses. If you are using ISC BIND 8 or 9, add these lines in the zone file of
mypeplink.com:

www          IN  NS  balancewan1
www          IN  NS  balancewan2
www          IN  NS  balancewan3
balancewan1  IN  A   210.10.10.5
balancewan2  IN  A   22.2.2.5
balancewan3  IN  A   33.3.3.5

Where 210.10.10.5, 22.2.2.5 and 33.3.3.5 are the WAN IP addresses of the Peplink Balance in
this example. The IP values here are for illustration only and would likely be different for you. In
order to host the complete domain on your own DNS server with the Peplink Balance, contact the
DNS registrar to have the NS records of the domain (e.g. mypeplink.com) point to your Balance's
WAN IP addresses.


Testing
From a host on the Internet, use nslookup against an IP address of the Peplink Balance to look up the
corresponding host name. Check if the returned IP addresses are the desired addresses for the
host name. Above is a sample Windows nslookup.
The IP values here are for illustration only and would likely be different for you. In the lab example,
it should return three IPs (210.10.10.30, 22.2.2.30 & 33.3.3.30) when you query for
www.mypeplink.com.
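
The same check can be scripted so that every Balance WAN IP is queried directly and its answer compared with the expected address set. The following Python is an added example, not part of the original training material and not Peplink code; the function names are made up here, the addresses are the lab values above, and the responses used in demo() are constructed so it runs offline.

```python
import secrets
import socket
import struct

# Values from the lab example on this page; substitute your own.
HOSTNAME = "www.mypeplink.com"
BALANCE_WAN_IPS = ["210.10.10.5", "22.2.2.5", "33.3.3.5"]
EXPECTED = {"210.10.10.30", "22.2.2.30", "33.3.3.30"}


def build_query(name, qid):
    """Encode a DNS query for the A record of `name` (RD=0: the Balance is the authority)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, always two bytes
            return off + 2
        off += 1 + length


def parse_a_records(msg, qid):
    """Validate a DNS response and return the set of IPv4 addresses it answers with."""
    try:
        rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
        if rid != qid:
            raise ValueError("transaction ID does not match the query")
        if not flags & 0x8000:
            raise ValueError("message is not a response")
        if flags & 0x000F:
            raise ValueError("server returned RCODE %d" % (flags & 0x000F))
        off = 12
        for _ in range(qdcount):
            off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
        addrs = set()
        for _ in range(ancount):
            off = skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rclass == 1 and rdlen == 4:
                addrs.add(socket.inet_ntoa(msg[off:off + 4]))
            off += rdlen
        return addrs
    except (IndexError, OSError, struct.error):
        raise ValueError("malformed DNS message") from None


def query_server(server, name, timeout=3.0):
    """Ask one Balance WAN IP directly, as 'nslookup name server' does."""
    qid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))  # only replies from this peer are accepted
        s.send(build_query(name, qid))
        return parse_a_records(s.recv(4096), qid)


def audit(answers_by_server, expected):
    """Map each server whose answer differs from `expected` to (missing, unexpected)."""
    report = {}
    for server, got in answers_by_server.items():
        missing, unexpected = expected - got, got - expected
        if missing or unexpected:
            report[server] = (sorted(missing), sorted(unexpected))
    return report


def sample_response(query, addrs):
    """Constructed test data: an authoritative answer to `query` listing `addrs`."""
    qid, _, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", qid, 0x8400, qdcount, len(addrs), 0, 0)  # QR + AA
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
        for a in addrs)
    return header + query[12:] + answers


def demo():
    """Offline run: one full answer, one with the WAN2 address withheld (link down)."""
    q = build_query(HOSTNAME, 0x1234)
    constructed = {
        "210.10.10.5": sample_response(q, sorted(EXPECTED)),
        "33.3.3.5": sample_response(q, ["210.10.10.30", "33.3.3.30"]),
    }
    answers = {ip: parse_a_records(m, 0x1234) for ip, m in constructed.items()}
    return audit(answers, EXPECTED)


if __name__ == "__main__":
    print(demo())
```

For a live check, build the answers with `{ip: query_server(ip, HOSTNAME) for ip in BALANCE_WAN_IPS}` and pass them to `audit`; an empty report means every WAN IP returned exactly the expected addresses.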


Continuous Failover Support Using Master and Slave Setup


Background
1+1 backup enables failover to happen when the master device goes out of service. This
requires a pair of Peplink Balance devices operating in active-standby mode. When the master
device is down, the slave device takes over and handles all the LAN traffic.
The Peplink Balance series supports failover between two Balance devices based on Virtual
Router Redundancy Protocol (VRRP). Periodic VRRP advertisement packets are sent out from
the master device to VRRP-specific IP multicast addresses. The slave device assumes the
master device's responsibilities when these messages have not been heard for a predefined time interval.
In the above example, VRRP Group 20 is assigned to the HA pair. The virtual IP address (VIP)
is 210.10.10.2. However, because this is Drop-in Mode, the default gateway for the firewall should
remain unchanged as the Internet router IP: 210.10.10.1. A unique VRRP group identifier is used
for each HA pair subsequently set up on the same LAN. Balance devices have to be on the
same subnet to support VRRP and the same VRRP group identifier must be used on the HA
pair.
Additional Ethernet switches are required to separate each ISP connection so that Master and
Slave Balance devices can both be connected. More than one Ethernet switch must be used in
order to prevent a single point of failure, which would otherwise defeat the purpose of the 1+1
backup concept.
In this example, the Master Peplink unit will use 210.10.10.3 as its LAN IP, and the Slave Peplink unit will
use 210.10.10.4 as its LAN IP. Both Master and Slave units use the same VIP 210.10.10.2.
When the master unit goes down, failover will take place with a typical recovery time of 10-15
seconds. After the Slave unit changes its role to Master, all WAN connections will be re-established.
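
To make the advertisement mechanism concrete, the following Python parses a VRRP advertisement and checks it against the HA pair from this example (group 20, VIP 210.10.10.2, members 210.10.10.3 and 210.10.10.4). It is an added example, not part of the original training material and not Peplink code. It assumes the devices use standard VRRPv2 framing and timers as defined in RFC 3768, which this page does not state; the priorities and the names HA_PAIR, check_advert and constructed_advert are made up for the example.

```python
import socket
import struct

VRRP_MCAST = "224.0.0.18"  # VRRP multicast group (RFC 3768)
VRRP_PROTO = 112           # IP protocol number carrying VRRP

# HA pair from this example: group 20, VIP 210.10.10.2, unit LAN IPs .3 and .4
HA_PAIR = {"vrid": 20, "vip": "210.10.10.2",
           "members": {"210.10.10.3", "210.10.10.4"}}


def checksum(data):
    """16-bit one's complement of the one's complement sum of `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_advert(pkt):
    """Parse and validate a VRRPv2 advertisement (the VRRP payload, without IP header)."""
    if len(pkt) < 8:
        raise ValueError("truncated VRRP header")
    vt, vrid, priority, count, _auth, adver_int, _csum = struct.unpack(
        "!BBBBBBH", pkt[:8])
    if vt != 0x21:  # version 2, type 1 (ADVERTISEMENT)
        raise ValueError("not a VRRPv2 advertisement")
    end = 8 + 4 * count + 8  # header + addresses + 8 bytes of auth data
    if len(pkt) < end:
        raise ValueError("truncated VRRP message")
    if checksum(pkt[:end]) != 0:  # sum over a valid message folds to 0xFFFF
        raise ValueError("bad VRRP checksum")
    vips = [socket.inet_ntoa(pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {"vrid": vrid, "priority": priority,
            "adver_int": adver_int, "vips": vips}


def master_down_interval(priority, adver_int):
    """RFC 3768 timer: how long a backup waits before taking over, in seconds."""
    skew_time = (256 - priority) / 256
    return 3 * adver_int + skew_time


def check_advert(pkt, src_ip, pair=HA_PAIR):
    """Return findings for an advertisement that claims this pair's group."""
    adv = parse_advert(pkt)
    if adv["vrid"] != pair["vrid"]:
        return []  # a different HA pair on the same LAN, using its own group
    findings = []
    if src_ip not in pair["members"]:
        findings.append("group %d advertised by unexpected sender %s"
                        % (adv["vrid"], src_ip))
    if adv["vips"] != [pair["vip"]]:
        findings.append("group %d advertises %s, expected %s"
                        % (adv["vrid"], ", ".join(adv["vips"]), pair["vip"]))
    return findings


def constructed_advert(vrid, priority, vips, adver_int=1):
    """Constructed sample data: the bytes of a well-formed advertisement."""
    body = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(vips), 0, adver_int, 0)
    body += b"".join(socket.inet_aton(v) for v in vips) + b"\x00" * 8
    return body[:6] + struct.pack("!H", checksum(body)) + body[8:]


if __name__ == "__main__":
    # Constructed samples; priority 200 is an arbitrary value for the example.
    good = constructed_advert(20, 200, ["210.10.10.2"])
    print(parse_advert(good))
    print(check_advert(good, "210.10.10.3"))   # expected master: no findings
    print(check_advert(good, "210.10.10.77"))  # same group, unknown sender
    print(master_down_interval(100, 1))        # backup with priority 100
```

A second device advertising group 20 from an address outside the pair, or with a different VIP, is the symptom of a reused group identifier on the LAN, which is why the text requires a unique identifier per HA pair.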


VRRP for Master Configuration


1) Go to Network > Misc. Settings > High Availability of the Master unit. Select Enable.
2) Enter the following and then click Save:
A. Group Number: (use the same number for HA pair, eg. 20)
B. Preferred Role: (select master or slave)
C. Virtual IP: (210.10.10.2)
(Note: VIP and LAN Administration IP have to be from the same network. Devices behind the
Balance, like the firewall, will need to configure their default gateway pointing towards the VIP.)
3) Click Apply Changes to activate settings.

VRRP for Slave Configuration - configuration sync


1) Click and choose Slave as the Preferred Role.
2) Check the box to enable the Configuration Sync. feature.
3) Enter the serial number of the master unit.
4) Before applying the changes, it is required to change the LAN IP address to one that is
different from the Master unit's. Go to Network > LAN of the Slave unit and change the LAN IP
address.
5) Click Save and then Apply Changes to activate settings.
6) Once the Configuration Sync succeeds, you will find a success message in the event
log of the slave unit.

NOTE:
The failover takes place with a typical recovery time of 10-15 seconds. After the Slave unit
changes its role to Master, all WAN connections will be re-established.
The two Balance units should connect to the Internet in the same mode. For example, they
should be both in NAT mode or both in Drop-in mode.


NOTE:
Once the slave unit is configured to automatically synchronize configuration from the master unit,
the web admin of the slave unit will be locked. Changes can only be made after you have disabled the
Configuration Sync. function (sample screen capture above).
In HA mode, configuration synchronization only happens from the Master unit to the Slave unit;
configuration is never copied from the Slave unit to the Master unit.


VRRP for Slave Configuration - manual


Alternatively, you may configure the slave unit manually.
1) Go to System > Configuration of the MASTER unit. Click Download under Download
Active Configurations and save the configuration file for the Slave unit.
2) Go to System > Configuration of the SLAVE unit. Choose the configuration file exported in
step 1 under the Upload Configurations from High Availability Pair and click Upload.
3) Before applying the changes, change the LAN IP address and set it as a different one from
Master unit. Go to Network > LAN of the Slave unit and change LAN IP address. Click Save
to save changes.
4) Go to Network > High Availability and change the Preferred Role from Master to Slave.
5) Click Save and then Apply Changes to activate settings


LAN Bypass Feature


Available in Peplink Balance 580, 710, 1350, and 2500:

LAN Bypass is a fault-tolerant feature that protects you in the event of a power outage.
When used with Drop-in Mode, such failure would be completely transparent to the network.
In the above example, WAN1 and LAN1 ports are bridged together when the power runs out.

Note:

Starting from firmware version 5.0, Drop-in mode can be configured on any WAN port.
Note that still only one WAN port can be configured in Drop-in mode.

If you have selected the LAN Bypass port (which is currently available on WAN1 of Balance
1350 and WAN5 of Balance 580) as the WAN for Drop-in Mode, High Availability feature will
be DISABLED automatically.

When the LAN Bypass feature is enabled, the High Availability feature will be automatically
DISABLED.


Balance Router As Wireless LAN Controller


In this section, we will cover the Balance router WLC configuration; all other AP settings will be
covered in another module (Wireless Access Point).
For model 305 onwards, the Balance comes with a built-in WLC. This is useful for deploying a
centrally controlled AP setup at significantly lower cost. The Balance can serve as an AP
Controller for managing Pepwave AP devices, as well as multiple SSIDs. The Balance and the
Pepwave AP can automatically discover each other using DNS and DHCP protocols.

Requirement
The customer has a Balance router installed and operating in their network. Recently, they have
purchased two units of Pepwave AP One. The customer wants to integrate these APs into their
existing LAN for their staff, while creating Guest access which would allow visitors to only access
the Internet.
LAN IP: 192.168.0.0/24
Staff SSID: same access rights as wired LAN users
Staff Login Method: WPA/WPA2 PSK
Guest SSID: only allowed to access the Internet
Guest Login Method: Captive Portal with Open security
The Balance router, acting as the WLC, will need to be configured with the above settings and push the policy
to the AP(s).


Getting Started - Enable AP Management


The AP Controller for managing Pepwave APs can be enabled by this option. When this option is
enabled, the AP Controller will wait for management connections originating from APs over the
LAN on TCP and UDP port 11753. It will also wait for captive portal connections on TCP port
443. An extended DHCP option "CAPWAP Access Controller addresses" (field 138) will be
added to the DHCP server. A local DNS record "AP Controller" will be added to the local DNS proxy.
1) Select AP from the top menu. Choose AP Controller from the left menu, and then select the
check box to enable the feature.
2) To manage access points located in a remote network, enable AP Management.
3) You can set up a list of recognized access points with Permitted AP. Input the serial number
of the AP you want to manage in the box.
4) Click Save, and then click Apply Changes.


Creating Wireless Networks (SSID) for Staff


1) Choose Wireless SSID from the left menu. Click the New SSID button displayed at the
bottom of the page.
2) In the SSID Settings dialog box, enter the SSID (Network Name) used to identify the Wi-Fi
network. Enter Staff as the SSID, as this will be used for internal access.
3) Under Wireless Security Settings, select WPA/WPA2 - Personal for home or small business
use. Enter an authentication password of at least 8 characters in the Shared Key field. If you
are managing the network of a larger company, you may consider using WPA/WPA2 - Enterprise,
which allows you to use a separate RADIUS server to handle the wireless
network's authentication. Assign the WPA/WPA2 PSK as staffwlan for this example.
4) Click OK at the bottom of the dialog box, and then click Apply Changes to save the wireless
network.
5) Repeat the above steps to add more wireless networks and/or specify additional name and
network permissions for various user groups. Next we will create the Guest SSID.
Wireless Security Settings
This setting configures the wireless authentication and encryption methods.
Available options are: Open - No Encryption, Static WEP, 802.1X (RADIUS), WPA/WPA2 - Personal and WPA/WPA2 - Enterprise (RADIUS).
Selecting Open - No Encryption disables encryption.


Creating Wireless Networks (SSID) for Guest


1) Choose Wireless SSID from the left menu. Click the New SSID button displayed at the
bottom of the page.
2) In the SSID dialog box, enter the SSID (Network Name) used to identify the Wi-Fi network.
Enter Guest as the SSID, as this will be used for visitor Internet access.
3) Under Wireless Security Settings, select Open (No Encryption).
4) To further customize network permissions, you can also change Guest Protect, Bandwidth
Management, and Firewall Settings. As this is for visitor usage, click on the Block All
Private IP checkbox to protect the internal LAN (assuming the LAN IP range is using a private IP
range).
5) Click OK at the bottom of the dialog box, and then click Apply Changes to save the wireless
network.
To show a splash screen for your Wi-Fi service, which is useful for Wi-Fi service offered to guests
in restaurant, hospitality, and other settings, enable Captive Portal for the VLAN that the SSID has
been assigned to. You can access VLAN settings by navigating to Network > LAN, clicking on the
(?) icon, and clicking the affected VLAN. Please remember to configure your captive portal.


Creating AP Profiles
1) Navigate to AP > Profile. Click the New AP Profile button displayed at the bottom of the
page.
2) In the AP Profile dialog box, enter a name for the device configuration profile, e.g. Office.
3) Select up to four wireless networks to include in the AP profile; check the Guest and
Staff SSIDs to include them in this profile.
4) Optimize your device's radio performance by adjusting the options in AP Advanced Settings.
For example, you can select a different 2.4 GHz Wi-Fi radio channel in order to ensure the
best signal strength and eliminate potential channel conflicts.
5) Change your AP One's device security settings, such as passwords, under Web
Administration Settings. Set the password to public, which is the default for AP One.
6) Click Save at the bottom of the dialog box, and then click Apply Changes to store the AP
profile.
Note:
You can select up to a maximum of 16 Wireless Networks in an AP Profile when using the Balance
router as WLC.


Managed AP Status in Dashboard


1) AP One devices in the network will be automatically discovered. The number of APs detected
will be shown on the Dashboard and Access Point section of Status.
2) To manage access points located in a remote network, enable Manage Remote AP.
3) You can set up a list of recognized access points with Access Point to be Managed. In this
case, one unit has been connected.


Verify From AP Web Console


1) You can verify AP management by accessing the AP web console page using a web
browser. The AP login details are as follows:
   IP Address: IP address defined for the AP
   Username: admin (set by WLC)
   Password: public (set by WLC)
2) In the AP tab, the real-time status shows that the AP is connected to the WLC.


Applying AP Profiles
1) Navigate to AP > AP Status.
2) Select the check box for the AP One device you wish to configure.
3) Select AP Profile from the drop-down menu located in the lower right corner.
4) In the AP Profile dialog box, select a previously created AP profile (e.g. Office for this
case) and click OK.
5) The selected AP profile will be sent to your AP One devices automatically.


Creating a Captive Portal

A captive portal is a great opportunity to build your brand while providing Wi-Fi
service to hotel guests, coffee shop patrons, students, and other users. You can
create a customized portal start page using one of two captive
portal modes; in this example we will use the Open Access mode.
1) Navigate to Network > Captive Portal.
2) Click Enable and enter your host name.
3) In the Access Mode section, select a Captive Portal Mode:
   Open Access Mode -- No user name or password will be required on the portal
   page. To limit the amount of time a guest can use the network, enter the allowed time
   in Free Access Quota. Click Save to store your changes.
   User Authentication Mode -- The portal page will require users to log in using either
   a RADIUS server or an LDAP server.
4) Click the pen icon next to the Portal Page Customization section.
5) To upload an image for the portal page, first click Choose File. Select the desired image from
your system and click Upload. If no image is selected, then the default image of the AP One will
be used.
6) Customize your portal page with a Message and Terms & Conditions.
7) Specify where the customer will be redirected after successful authentication with a Custom
Landing Page if desired.
8) Click Preview to review your design, and click Publish to save your portal page and make it
available to guests.


Testing Guest Access


The Guest SSID is meant for visitors, so it only allows access to resources
outside of the company network.
1) On your notebook, try to connect to the Guest SSID broadcast from the AP One. It should
have Open security without any WPA/WPA2 key required.
2) Once connected, open the command prompt and use ipconfig to check your notebook IP
address.

Ping Test:
1) Ping to Gateway IP: 192.168.0.1
Passed or Failed
2) Ping to AP One IP: 192.168.0.11
Passed or Failed
3) Ping to Google DNS IP: 8.8.8.8
Passed or Failed


Testing Guest Access to Internet


1) On your notebook, open your web browser and enter www.google.com in the URL.
2) You will be redirected to the Captive Portal page, where you will need to review the T&C and
click Agree to proceed.
3) The next page depends on how you configured the Custom Landing Page. If you have none
configured, then you will be redirected to your designated page, www.google.com.


Once the wireless client access is granted, you will be able to access Internet sites. However, clients
on the Guest SSID will not be allowed to access internal LAN hosts.
Ping Test:
1) Ping to Gateway IP: 192.168.0.1
Passed or Failed
2) Ping to AP One IP: 192.168.0.11
Passed or Failed
3) Ping to Google DNS IP: 8.8.8.8
Passed or Failed


Testing Staff Access


The Staff SSID is equivalent to internal LAN access, thus it has the same
access rights as wired LAN users.
1) On your notebook, try to connect to the Staff SSID broadcast from the AP One. Key in
staffwlan when Windows prompts you for your WPA/WPA2 key.
2) Once connected, open the command prompt and use ipconfig to check your notebook IP address.
Ping Test:
1) Ping to Gateway IP: 192.168.0.1
Passed or Failed
2) Ping to AP One IP: 192.168.0.11
Passed or Failed
3) Ping to Google DNS IP: 8.8.8.8
Passed or Failed
Web Browsing Test:
1) On your notebook, open your web browser and enter www.google.com in the URL. Does the page
load? Yes or No


Balance Router Other Configurations


In addition to the key features mentioned in previous sections, the Balance Router offers other
useful features:
- QoS
- Service Passthrough
- Service Forwarding
- System settings

The following tasks will be based on this diagram.


Example:

The Balance router has built-in standard firewall functionality, so it can be used
as the firewall in an environment that doesn't have one. Assuming the
company wants to prevent their staff from accessing social websites, e.g.
facebook.com, a Balance firewall rule by domain name can be configured.
The steps are as follows, with foobar.com as the example domain name:
1) Go to Network > Firewall > Access Rules, Select Domain Name in the Destination field.
2) Enter foobar.com in the empty field.
3) Click Save and apply the changes.
Example String    Matching        Example
foobar.com        *.foobar.com    foobar.com
                                  www.foobar.com
                                  mail.foobar.com
foobar.*          *.foobar.*      foobar.com
                                  foobar.co.uk
                                  www.foobar.co.uk

After a firewall rule by domain name is created, all traffic from that domain will be allowed or
denied according to your settings.
TIP: If you are trying to block outgoing HTTP access to a website using a domain name, consider
using the Web Blocking feature.


The Balance router has QoS features, allowing you to control traffic based
on user group (three predefined groups: Manager, Staff, Guest), as well as by
application. You can apply different bandwidth and traffic prioritization
policies to each user group in the Bandwidth Control and Application sections.
In this scenario, we have implemented an IP Telephony system in the branch
office, with the IP Telephony server residing in HQ. To optimize
the voice quality over the Internet links, QoS is essential to ensure that VoIP
traffic is delivered smoothly across sites.
To assign the user group:
1) Go to Network > QoS > User Groups under QoS, then either click an existing Subnet or click
the Add button to create a new subnet/IP range.
2) From the Group drop down list, select the desired group (Manager, Staff, Guest), click
Save.

To enable QoS based on application:


1) Go to Network > Application under QoS, click Add button in the Application section to
define the application requiring QoS.
2) At the Add / Edit Application window, choose the appropriate Category and Application
from the drop down list, eg. VoIP, click OK to save.
3) Once the application is defined, it will appear in the Application section. Assign the Priority for this
application (High, Normal, Low).
4) Click Save and apply the changes.
NOTE:
Please refer to the user manual, Chapter 18 QoS, for detailed QoS settings.


Assume your business partner is running systems that only allow access from IPSec clients in
your office environment. In such a situation, you would need to enable Service Passthrough
Support in your Balance router. By default, the router has IPSec NAT-T enabled; if IPSec is
running on custom ports, you can define the ports accordingly.
Steps to enable IPSec passthrough:
1) Go to Network > Service Passthrough under Misc. Settings, check the Enable box under IPSec NAT-T.
2) Check the Define box if it's running custom ports, and fill in the ports accordingly.
3) Click Save and apply the changes.

Passthrough for other services (eg. SIP, H.323, FTP & TFTP) can be enabled in this page as well.


Enable SMTP Forwarding


There are situations where the ISP will block SMTP forwarding from different
ISPs. Thus, the Balance router allows you to control the right ISP links to forward
your SMTP service.
When this option is enabled, all outgoing SMTP connections destined for any
host at TCP port 25 will be intercepted. These connections will then be redirected
to a specified SMTP server and port number. SMTP server settings for each
WAN can be specified after selecting Enable.
Steps to enable SMTP Service Forwarding:
1) Go to Network > Service Forwarding under Misc. Settings, check the Enable box under
SMTP Forwarding.
2) A window appears listing the WAN connections. Check Enable for the respective WAN and enter
the associated SMTP Server name/IP.
3) Click Save and apply the changes.

Enable DNS Forwarding


When this option is enabled, all outgoing DNS lookups will be intercepted and redirected to the
built-in DNS name server.
If any LAN device is using DNS name servers of a WAN connection, you may want to enable this
option to enhance the DNS availability without modifying the DNS server setting of the clients. The
built-in DNS name server will distribute DNS lookups to corresponding DNS servers of all
available WAN connections. In this case, DNS service will not be interrupted even if any WAN
connection is down.


System Settings - Admin Security


There are two user accounts available for accessing the Web Admin. Usernames are admin and
user. They represent two user levels: admin has full administration access, while user is a read-only
account. The read-only account can only access the device's status information and cannot
make any changes on the device.
Administrative Settings configuration is located at: System > Admin Security
NOTE:
Authentication and Accounting by RADIUS server for Web Admin (Available on Peplink Balance
210+). With this feature enabled, Web Admin will authenticate using an external RADIUS server.
Authenticated users are treated as "admin" users with full read-write permission. Local "admin"
and "user" accounts will be disabled. When the device is not able to communicate with the
external RADIUS server, local accounts will be enabled again for emergency access.
Authentication options will be available once this feature is selected.


Some of the System settings are crucial to the operation, eg. InControl, Remote Assistance, and Email Notification.
InControl Cloud Management
When this check box is checked, the device's status information, usage data, and configuration will be sent to Peplink's
InControl system. You can sign up for an InControl account at https://incontrol.peplink.com/. You can register devices
under your account, monitor device status and usage reports, as well as download backed-up configuration files.
Default: Enabled
(Post usage data): Disabled
Email Notification
The Email Notification feature allows email to be sent to the listed recipient email addresses when the following events
take place:
- Email notification test
- A new firmware version is available
- Health status changes for any WAN connection
- VPN status changes
- Bandwidth usage has reached 75% of the allowance
- Bandwidth usage has reached 95% of the allowance
Click the Test Email Notification button and then click Send Test Notification to send a test email.
Remote Assistance
When you face a serious technical issue with the Balance router and need Peplink Technical Support to
check on the device, you can turn on this feature: go to Status > Remote Assistance under the System Information
window.
Diagnostic Report
When you report a problem related to the Balance router to Peplink Technical Support, it is good to attach the
Diagnostic Report so the support team can analyze it to understand the router's condition. To generate
the report, go to Status > Diagnostic Report under System Information. Click on the Download button to save the file.
The report filename usually has the format below:
YYYYMMDD_Model No._SSSSSSSSSSSS_diag.report
with:
YYYY - 4 digits representing the year
MM - 2 digits representing the month
DD - 2 digits representing the day
Model No. - the Balance model, e.g. B380
SSSSSSSSSSSS - 12-digit serial number


Support Information page

Another way to turn on Remote Assistance is through the Web Admin URL shown
above, http://<your peplink ip>/cgi-bin/MANGA/support.cgi.
The Diagnostic Report can also be obtained from this page, in addition to the Status page.
This page also shows the negotiated speed and duplex status of the router's Ethernet connections,
which helps with troubleshooting tasks such as debugging connectivity issues.
Additional Support Resources
1) If you need to access the product's user manual or firmware, please visit
http://www.peplink.com/support/downloads/.
2) To access our knowledge base, please visit http://www.peplink.com/knowledgebase/ to find
out more about our product deployment scenarios in various environments and requirements.
3) To log a case with Peplink support, you can send your case to priority.support@peplink.com.

Slide 141

Out of the box, the Pepwave MAX router comes with the following default
settings:
- IP: 192.168.50.1/24
- Username: admin
- Password: admin
- LAN DHCP: Enabled
- DHCP IP Range: 192.168.50.10 - 192.168.50.250

In the diagram, the switch is optional for console access to the Pepwave MAX
router. You can plug the UTP cable directly from the PC/notebook into the MAX router
LAN port for the same purpose.
Generally, the Web Admin UI is similar to that of the Balance router, making it easier for
users who have experience with the Balance router UI.

Slide 142

After entering the parameters correctly, you will be able to log in to the Web
Admin page.
The Dashboard provides a status overview of the MAX Router:
- WAN interface connectivity status
- LAN interface connectivity status
- System Uptime
- System CPU Load, in %
- Device Throughput, in Mbps
- GPS map status, depending on the model (BR1 and HD2 provide it)

A unique feature of the MAX router interface is that you can configure the WAN interfaces from the
WAN Connection Status page. To do so, click the Details button on the bar of the WAN
interface concerned. Alternatively, you can go to Network > WAN to reach the same settings page.
On this page, you can also assign different priority levels to the WAN interfaces by dragging the
interface bar up or down. If all WAN interfaces are assigned the same priority, the router will
load balance the WAN traffic.

Note:
Only the MAX HD2, MAX 700, and MAX OTG (U4 & U4-SF) models
allow WAN load balancing; the other MAX models allow WAN failover.

Slide 143

Cellular Interface Settings

The settings are similar across the different interfaces. However, the cellular interface has an extra
feature you need to take note of.
When you click the Details button of any active Cellular WAN interface, you will reach
the Connection Details settings page shown above. If the mobile broadband provider or the data
plan has a quota limit (e.g. 2GB/month), enable Bandwidth Allowance Monitor
and set the data limit on this WAN to 2GB. In the Action section, you can set the
MAX router to notify you via email if usage hits 75% of the quota. Lastly, you can choose
whether this particular WAN link continues or disconnects if usage hits 100%
of the allowance for that month.
Health Check Method: SmartCheck
SmartCheck triggers a DNS lookup health check if there is no return packet 10 seconds after an outbound
packet was sent. Since it is not an active algorithm (one that sends health check packets at a constant
interval), it saves bandwidth.
If the Cellular WAN has a limited data quota and you want to reduce Cellular WAN
utilization, you can:
1) Choose SmartCheck as the Health Check Method
2) Set the Standby State of the Cellular WAN to "Disconnected" instead of "Remain Connected"
3) Increase the value of Health Check Interval

Saving Bandwidth with SmartCheck

SmartCheck triggers a DNS lookup health check if there is no return packet
10 seconds after an outbound packet was sent. Since it is not an active
algorithm (it does not send health check packets at a constant interval), it saves bandwidth.
Slide 144

MAX routers come with various connectivity options, allowing you to set them up in
different ways to suit customer requirements. In the following scenarios, we will
explore the three most common MAX router deployment setups.
1) Branch Network Connections: 3 WAN + 2 LAN
2) Mobile Command: 2 WAN + 2 LAN
3) Public Transport: 1 WAN + 2 LAN

Let's take a look at each of these scenarios in detail, and at the configuration
needed to achieve the objective.

Slide 145

Branch Network Connections

In this environment, we have a fast food business with many outlets throughout the country.
Each of these outlets needs to connect back to HQ in order to update business transaction data. At
the same time, each outlet also needs to provide WiFi to its customers.
Requirements
1) WAN
The outlet will need cable broadband as the primary WAN link, backed up by a WiFi WAN and a Cellular
WAN.
2) LAN
The wired LAN will serve the outlet's internal LAN, while the WiFi AP can serve both internal staff and
guests.

Slide 146

Configuration of the WAN/LAN interfaces is the same as for the Balance
routers; please refer to the previous section if you need instructions.
This screenshot shows the MAX BR1 router configured with a wired WAN as the
primary link, followed by a WiFi WAN as the first standby and Cellular as the secondary
standby WAN link.

Slide 147

WAN Failover #1: Wired WAN Failed

The MAX router has built-in intelligence and link health checks to enable a fast
failover process. All the standby links are in hot-standby state. That is, if the
primary link fails, the MAX router will redirect the traffic to the standby WAN links.
Failover Test:
1) Before starting the test, take a Windows machine, launch a command prompt window and
run a continuous ping to an Internet host IP (e.g. 8.8.8.8).
2) Unplug the wired WAN of the MAX router (BR1).
3) Observe the changes in WAN Connection Status.
4) Which is the active WAN link now? Wired WAN, WiFi WAN or Cellular WAN
5) Any timeout during failover? Yes or No
6) How many timeouts during failover?

Slide 148

WAN Failover #2: Wired WAN & WiFi WAN Failed

In a worse scenario where the first two WAN links are faulty, the MAX
router can still operate with the third WAN link, Cellular broadband.

Failover Test:
1) Before starting the test, take a Windows machine, launch a command prompt
window and run a continuous ping to an Internet host IP (e.g. 8.8.8.8).
2) Unplug the wired WAN of the MAX router (BR1), and change the WiFi WAN
WPA/WPA2 Key to simulate two failed WAN links.
3) Observe the changes in WAN Connection Status.
4) Which is the active WAN link now? Wired WAN, WiFi WAN or Cellular WAN
5) Any timeout during failover? Yes or No
6) How long was the timeout during failover?

Slide 149

WAN Link Recovery

The MAX router has a fast and smooth recovery mechanism, with no timeout when service
on the primary WAN link(s) is restored.
Recovery Test:
1) Before starting the test, at the Remote site, launch the command prompt window and run
a continuous ping to the HQ LAN IP (10.0.0.10).
2) Plug the Wired WAN back in and enter the correct WiFi WAN WPA/WPA2 Key for the MAX BR1
router.
3) Observe the changes in the router's WAN Connection Status.
4) Which is the active WAN link now? Wired WAN, WiFi WAN or Cellular WAN
5) Any timeout during failover? Yes or No
6) How long was the timeout during failover?
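
The failover and recovery tests above ask whether any ping timed out and for how long. The following added example (not part of the Peplink training material) summarizes a saved Windows ping -t log; the sample log is constructed, and the seconds-per-lost-probe value is something you supply from how you ran ping.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not captured from a real router): output of
# "ping -t 8.8.8.8" on the Windows test machine while the wired WAN is unplugged.
SAMPLE_LOG = """\
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=12ms TTL=117
Reply from 8.8.8.8: bytes=32 time=11ms TTL=117
Request timed out.
Reply from 192.168.50.1: Destination host unreachable.
Request timed out.
Reply from 8.8.8.8: bytes=32 time=48ms TTL=116
Reply from 8.8.8.8: bytes=32 time=51ms TTL=116
General failure.
Reply from 8.8.8.8: bytes=32 time=47ms TTL=116
"""

# A real echo reply carries bytes/time/TTL. "Reply from <gateway>: Destination
# host unreachable." also starts with "Reply from" but is a lost probe, so
# counting lines that merely start with "Reply from" under-reports the outage.
REPLY_RE = re.compile(r"^Reply from (\S+): bytes=\d+ time[=<]\d+ms TTL=\d+")
LOSS_RE = re.compile(
    r"Request timed out|Destination \w+ unreachable|General failure|transmit failed",
    re.IGNORECASE,
)


@dataclass
class PingSummary:
    replies: int = 0
    lost: int = 0
    # Number of consecutive lost probes in each separate outage, in order.
    outages: list = field(default_factory=list)

    @property
    def any_timeout(self):
        return self.lost > 0

    @property
    def longest_outage(self):
        return max(self.outages, default=0)

    def longest_outage_seconds(self, seconds_per_lost_probe):
        # The log has no timestamps, so the duration is only an estimate based
        # on the probe spacing the tester supplies.
        return self.longest_outage * seconds_per_lost_probe


def summarize_ping(log, target):
    """Count replies from `target`, lost probes, and runs of consecutive losses."""
    summary = PingSummary()
    run = 0
    for raw in log.splitlines():
        line = raw.strip()
        match = REPLY_RE.match(line)
        if match and match.group(1) == target:
            summary.replies += 1
            if run:
                summary.outages.append(run)
                run = 0
        elif match or LOSS_RE.search(line):
            # An explicit failure line, or an echo reply from some other address.
            summary.lost += 1
            run += 1
        # Header, blank and statistics lines match neither pattern and are skipped.
    if run:
        summary.outages.append(run)
    return summary


if __name__ == "__main__":
    s = summarize_ping(SAMPLE_LOG, "8.8.8.8")
    print("Any timeout during failover?", "Yes" if s.any_timeout else "No")
    print("Lost probes:", s.lost, "in outages of", s.outages)
    print("Longest outage (probes):", s.longest_outage)
```

To analyze a real run, redirect the ping output to a file during the test and pass the file's contents to summarize_ping.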

Slide 150

Mobile Command
In this example, we have a police patrol driving in an urban area. The MAX BR1 router can be
installed in these vehicles, allowing them to stay connected to their control center while they are on
the move. This is accomplished with 2 different WAN options.

Requirement
1) WAN
The police vehicle can use WiFi WAN as the primary WAN link, backed up by a Cellular
WAN.

2) LAN
The wired LAN will be used for fixed machines, while the WiFi AP can serve the
policemen's handheld devices.

Slide 151

We have gone through the configuration steps of the WAN/LAN interfaces in the
Balance router section, so we will skip that step.
The screenshot shows the MAX BR1 router configured with WiFi WAN as the
primary link, followed by Cellular as the standby WAN link.

Slide 152

Public Transport
Public transport systems often travel long distances, so WiFi WAN may not be able to cover the
entire path. The only available WAN option would be Cellular broadband. If bus companies want
WAN resiliency, the BR1 has 2 SIM slots and 1 embedded modem, so they can put in a second SIM
card for Cellular failover purposes.

Requirement
1) WAN
The bus needs to be equipped with Cellular WAN.

2) LAN
The wired LAN will be used for machines on the bus, and the WiFi AP can serve the
passengers' handheld devices.

Slide 153

We have gone through WAN/LAN configuration in the Balance router section, so
we will skip the explanation here.
The screenshot above shows the MAX BR1 router configured with Cellular as the
primary and only WAN link.

Slide 154

As mentioned earlier, the LAN/WAN interface settings are similar to those of the Balance
router.

Slide 155

The difference between the Balance and MAX routers is that non-interface-related
settings are placed in the Advanced section. You can configure WiFi Settings,
SpeedFusion VPN, Port Forwarding, etc. in this panel.

Slide 156

The System and Status menus are identical to those for the Balance router.
For further details on these settings, please refer to the relevant firmware user
manual.

Slide 157

Enabling MediaFast Content Caching

To enable MediaFast, navigate to Network > MediaFast, and then click the
checkbox beside Enable under the MediaFast menu. Likewise, click the Enable
checkbox under Secure Content Caching to enable HTTPS caching. To receive
cached content, clients need to install the appropriate certificates. Please refer to
the next slide for full details.

Control Which Domains to Cache
You can control which domains to cache by using the three radio buttons beside the
Domains / IP Addresses menu item.
- If you select Cache All, then content from all domains will be cached.
- If you select Whitelist, then only content from the domains you specify will be
cached.
- If you select Blacklist, then content from all domains will be cached except for
the ones you specify.

Control What Content to Cache
You can control what types of files are cached under the Cache Control
submenu. Use the checkboxes beside the Content Type menu items to control what
kinds of files you wish to cache.

How Long to Cache Specific File Types
Under the Cache Lifetime Settings menu item, you can determine how long (in
days) to keep specified file extensions.

To receive cached content from HTTPS sites, client devices need to install the
appropriate certificates. To install the appropriate certificate, connect your client to
the LAN side of your MediaFast router. Then use your client device to navigate to
cert.peplink.com. There, you will receive device-specific instructions for installing
the certificate.

With MediaFast, you can cache entire websites at regular intervals. To do so,
navigate to Network > MediaFast > Prefetch Schedule. Under the Prefetch
Schedule submenu, click New Schedule, and a new menu called MediaFast
Schedule will pop up.
- In that new menu, you can name the schedule and toggle its activation.
- In the URL menu item, you can set the web domain(s) you wish to cache
(http://www.peplink.com in this example).
- In the Depth menu item, you can select how many levels away from the
homepage you wish to cache. The number of levels refers to the number
of slashes following the address. For peplink.com:
  www.peplink.com has a depth of 0.
  www.peplink.com/products/max-cellular-router has a depth of 2.
  http://www.peplink.com/products/max-cellular-router/outdoor/ has a
  depth of 3.
- In the Time Period menu item, you can select the time period in which
MediaFast will attempt to cache.
- In the Repeat menu item, you can determine on which days of the week
MediaFast will cache the website.
In the above example, MediaFast will cache www.peplink.com/products/max-cellular-router,
but not http://www.peplink.com/products/max-cellular-router/outdoor/. It will attempt to
cache from 20:00 to 04:00, 8 hours in total. After the 8 hours are up, it will stop caching.
It will repeat this caching procedure only on weekdays.
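
The depth rule and the 20:00 to 04:00 weekday window from the example above, worked through as added example code that is not Peplink's implementation. It assumes that depth means the number of non-empty path segments (consistent with the three addresses listed) and that a window crossing midnight belongs to the day it starts on; all function names are illustrative.

```python
from datetime import datetime, time
from urllib.parse import urlsplit

WEEKDAYS = {0, 1, 2, 3, 4}  # Monday=0 ... Friday=4, as datetime.weekday() numbers them


def _split(url):
    # The slide writes some addresses without a scheme; add one so urlsplit
    # puts the host in .netloc rather than in .path.
    return urlsplit(url if "://" in url else "http://" + url)


def url_depth(url):
    """Levels below the homepage, counted as non-empty path segments
    (assumption: a trailing slash does not add a level)."""
    return len([seg for seg in _split(url).path.split("/") if seg])


def window_hours(start, end):
    """Length of the daily window in hours, allowing it to cross midnight."""
    minutes = (end.hour * 60 + end.minute) - (start.hour * 60 + start.minute)
    return (minutes % (24 * 60)) / 60


def in_window(now, start, end, days):
    """True if `now` falls inside a window that started on one of `days`.

    Assumption: a 20:00-04:00 window selected for Friday runs until 04:00 on
    Saturday, and nothing runs in the early hours of Monday unless Sunday
    is selected.
    """
    t = now.time()
    if start <= end:                      # window within a single day
        return now.weekday() in days and start <= t < end
    if t >= start:                        # evening part, same calendar day
        return now.weekday() in days
    if t < end:                           # after midnight: started yesterday
        return (now.weekday() - 1) % 7 in days
    return False


def should_prefetch(url, now, root, max_depth, start, end, days):
    """Apply host, depth and schedule checks for one candidate URL."""
    same_site = _split(url).hostname == _split(root).hostname
    return same_site and url_depth(url) <= max_depth and in_window(now, start, end, days)


if __name__ == "__main__":
    schedule = dict(root="http://www.peplink.com", max_depth=2,
                    start=time(20, 0), end=time(4, 0), days=WEEKDAYS)
    monday_evening = datetime(2015, 9, 14, 21, 0)  # 14-09-2015 was a Monday
    for candidate in ("www.peplink.com",
                      "www.peplink.com/products/max-cellular-router",
                      "http://www.peplink.com/products/max-cellular-router/outdoor/"):
        print(candidate, url_depth(candidate),
              should_prefetch(candidate, monday_evening, **schedule))
```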

MDM enables you to remotely manage any connected iOS devices, performing
tasks such as installing apps and applying configuration profiles. To use your
MediaFast as an MDM, you need to configure your MediaFast Router and each
Client.

Configuring MDM on the Router
Navigate to Network > MDM Settings. On the MDM Settings submenu, click the
check box beside the Enable menu item.
The Account Settings menu item enables you to configure the username and
password used to access the MDM page. If you select Follow Web Admin
Account, then the MDM admin page (http://mdm.peplink.com:8182/) will be
accessible using the same username/password combination you use to access your
web UI (default: admin/admin). Alternatively, you can set a Custom username and
password for access to the MDM admin page (http://mdm.peplink.com:8182/).

Configuring MDM on Clients
You can find a step-by-step walkthrough at
http://www.peplink.com/knowledgebase/how-to-enroll-device-to-mdm-server/.
Follow it to enroll or unenroll your iOS device.

You can access detailed reports of your content caching from your Web UI by
navigating to Status > MediaFast.
- The Storage Usage section illustrates the amount of space each type of
content occupies.
- The Bandwidth Summary section displays the total bandwidth consumption,
as well as the bandwidth saved over the course of the last day, week,
month, and year.
- The Bandwidth Details section contains detailed bandwidth usage and
savings information organized by web domain, content type, file extension,
and clients.

MediaFast caching information can also be accessed from InControl by
navigating to Reports > MediaFast Reports.
- If you do this while you are viewing an organization, you will get the MediaFast
report for the entire organization.
- If you do this while viewing a group, you will get the MediaFast report for the
group.
- If you do this while viewing an individual device, you will get the MediaFast
report for the individual device.
Please note that the MediaFast-enabled device needs to be running Firmware
6.2.2 or later for the report to be visible on InControl 2.

The information displayed is similar to what you'll find on the Web UI report (hard
disk contents, bandwidth consumption, usage details). However, there are some
advantages to viewing the MediaFast report using InControl 2:
- Group and Organization level reports: In addition to viewing MediaFast
related information for each device, you can also view it on a group and
organization level, giving you a bigger picture of your network.
- Searchable Databases: In the InControl 2 report, each summary contains a
search field, enabling you to find specific file categories, devices, and file
extensions.
- Downloadable CSV Output: In the InControl 2 report, you can download the
complete information for each report in CSV format for further analysis.

Module 4: Wireless Access Points

Last updated: 14-09-2015


This module will examine different real life deployment scenarios, and how to
configure the access points to achieve the desired results.

Slide 165

Features At A Glance
Network
- Bridge Mode, Router (NAT) Mode, Wireless Distribution System (WDS), Support for PPPoE, Static IP, DHCP,
Management VLAN (802.1p), Spanning Tree Protocol (802.1d)
- Supports up to 16 configured Wireless Network SSIDs, and can broadcast up to 4 SSIDs concurrently
- Per SSID: VLAN with QoS (802.1p/802.1q), Bandwidth Control, MAC Address Filtering, Layer 2 Client Isolation, Limit on
Max. Number of Clients
- Per Client: VLAN with RADIUS, VLAN with VLAN Pool, Bandwidth Control, Multicast Filter, IGMP Snooping/Multicast
Enhancement
- AP Security: Open, WEP, 802.1x with Dynamic WEP, WPA-PSK/RADIUS, WPA2-PSK/RADIUS
- Captive Portal Support: Supports external captive portal, or Social Wi-Fi with Facebook login.

1) AP One AC Mini
- 802.11 ac/a/b/g/n, 2x2 MIMO Wi-Fi
- 2.4GHz Throughput: 300Mbps
- 5GHz Throughput: 866Mbps
- Simultaneous 2.4GHz and 5GHz

2) AP One Enterprise
- 802.11 ac/a/b/g/n, 3x3 MIMO Wi-Fi
- 2.4GHz Throughput: 450Mbps
- 5GHz Throughput: 1300Mbps
- Simultaneous 2.4GHz and 5GHz

3) AP One In-Wall
- 802.11 a/b/g/n, 2x2 MIMO Wi-Fi
- 2.4GHz Throughput: 300Mbps
- 5GHz Throughput: 300Mbps
- Simultaneous 2.4GHz and 5GHz

4) AP One Flex 300M
- 802.11 b/g/n, 2x2 MIMO Wi-Fi
- 2.4GHz Throughput: 300Mbps

5) AP One 300M
- 802.11 a/b/g/n, 2x2 MIMO Wi-Fi
- 2.4GHz Throughput: 300Mbps OR
- 5GHz Throughput: 300Mbps

Slide 166

Hardware Overview

Slide 167

Hardware Overview

Slide 168

Setting up the AP One for the first time:

1) Default settings
IP: 192.168.0.3/24
Username: admin
Password: public
LAN DHCP: Disabled
2) Connect a PC to the backbone network. Configure the IP address of the PC to be between
192.168.0.4 and 192.168.0.254, with a subnet mask of 255.255.255.0.
3) Using Microsoft Internet Explorer 6 or above, Mozilla Firefox 2.0 or above, or Google Chrome
2.0 or above, connect to https://192.168.0.3.
4) Enter the default admin login ID and password, admin and public respectively.
After logging in, the main information page will appear. Click System, located under
Configure on the left, to begin setting up your access point.

Slide 169

After entering the parameters correctly, you will be able to log in to the Web
Admin page.
The Dashboard provides basic device info:
- Model
- Firmware Version
- Uptime
Click the Status item on the top menu bar to see an overview of System
Information:
- AP Name
- Location (user-defined, for the AP's physical location)
- Serial Number
- MAC Address
- Network IP Information (details will be displayed if the default settings have been changed)
- System Time

Slide 170

We will begin by defining network settings (e.g. Management IP information, AP
Mode, etc.).
Steps to configure network settings:
1) Navigate to Network > WAN.
2) Enter the necessary IP addressing information.
3) If you want the AP to keep the default Management IP after reboot, click the
checkbox to enable Keep Default IP; otherwise, uncheck the box.
4) If this AP is managed using a static IP, select Manual for the IP Address
Mode, then enter the Static IP Address.
5) Click the Save button to save the modified settings.
6) Click Apply Changes to activate the changes.

Slide 171

The Pepwave AP One series has a unique feature: it can operate in either Layer 2
(Bridge) or Layer 3 (Router) mode.
A. Router Mode
- When using Router mode, your Pepwave access point can be used as a DHCP server for
devices located behind it in the network, and provide routing between the wired and wireless
networks.
- In this example, putting the AP One in router mode would separate the wireless LAN from the wired
LAN segment, either for security control and enforcement or for broadcast isolation.
B. Bridge Mode
- This would be a typical WLAN deployment, where the AP bridges the wired and wireless
networks in the same broadcast domain.

To select the AP Mode:

1) Go to Network > WAN.
2) Check the Advanced AP mode setting.
3) Select Bridge or Router in the AP Mode field.
4) Once Router mode is chosen, you can choose the router
deployment as NAT or IP forwarding.

Slide 172

LAN Settings
Manual Router Settings are available only when AP Mode is set to Router.
1) Go to Network > LAN to access the LAN settings page.
2) Under DHCP Server Settings, assign the IP Range of the wireless segment. This IP address
range will be assigned to wireless clients. The IP address of the AP will be the default gateway
for the wireless clients.

Slide 173

When the AP One is set to bridge mode, the LAN Settings are disabled, and
wireless clients will get their IP addresses from the wired LAN DHCP server.
Packets will pass transparently through the AP One to reach the wired
LAN.

Slide 174

In a normal office WLAN deployment scenario, the AP will host at least 2 different
sets of users, namely internal and external.
Requirement
The customer has recently purchased one Pepwave AP One unit. They want to enable wireless
access for their staff and visitors. Staff will have full access to internal networks and the Internet,
and visitors will only have Internet access.
- LAN IP: 192.168.0.0/24
- Staff SSID: same access rights as wired LAN users
- Staff Login Method: WPA/WPA2 PSK
- Guest SSID: only allowed to access the Internet
- Guest Login Method: Open Authentication with no security

Let's look at the tasks needed to accomplish the objective.

Slide 175

To create the SSID:

1) Go to AP > Wireless SSID and click the New SSID button on the Wireless SSID tab.
2) The Wireless SSID Setting Details page will open.
3) In the Wireless Network SSID field, define the SSID, e.g. Guest.
4) The Broadcast SSID check box is enabled by default.
5) Assign the Security Level from the choices of Open, WEP, 802.1X, WPA2 - Personal,
WPA2 - Enterprise, WPA and WPA2 - Personal, and WPA and WPA2 - Enterprise. For the
Guest SSID, choose Open.
6) Click Save & Apply changes.

The next two slides will show you the advanced SSID configurations.

Slide 176

To create the Guest SSID:

As mentioned earlier, visitors are only allowed to access the Internet, so we need
to prevent them from reaching internal networks:
1) Enable Guest Protect under Wireless Network SSID for Guest.
2) If this AP One has established a SpeedFusion VPN tunnel and you don't want Guest
traffic to go through it, tick the checkbox for Block PepVPN as well.

You can also block custom subnets using the Custom Subnet setting, or block
everything except specified destinations via the Block Exception setting.
One more step is needed to complete the Guest SSID configuration, as shown
on the next page.

Slide 177

It is normal to have different groups of visitors needing to access the Internet at the
same time, so you may want to prevent them from seeing each other for visitor privacy
purposes:
1) Click the AP tab under Wireless SSID for the Guest SSID.
2) Leave the other settings as they are, and select the checkbox for Layer 2 Isolation to turn on the feature.
3) Click Save and Apply Changes.

Once this feature is turned on, the wireless clients in the Guest network will not
be able to access each other.
Next, get a machine to test the configuration.

Slide 178

Testing Guest Access

1) On your notebook, try to connect to the Guest SSID broadcast by the AP One. It should
have Open security with no WPA/WPA2 key required.
2) Once connected, open the command prompt and use ipconfig to check your notebook's IP
address, or verify it via the Windows Wireless Network Connection Status.

Ping and Access Tests:

1) Ping the Gateway IP: 192.168.0.1 & Google DNS IP: 8.8.8.8
Passed or Failed
2) Open a web browser and access Internet web sites (e.g. www.google.com)
Passed or Failed

Slide 179

To create the Staff SSID:

1) Go to AP > Wireless SSID and click the New SSID button.
2) In the SSID field, define the staff SSID as Staff, and assign the Security Level WPA
and WPA2 - Personal; the key is staffwlan.
3) Make sure Guest Protect under Wireless SSID for the Staff SSID is not
enabled.
4) If this AP One has established a SpeedFusion VPN tunnel and you want
Staff traffic to be forwarded to the tunnel, uncheck the checkbox for Block
PepVPN.

For internal staff access, layer 2 security should not be applied:

1) Leave the other settings as they are, and make sure the checkbox for Layer 2
Isolation is clear.
2) Click Save and Apply Changes.
Next, get a machine to test the new settings.

Slide 180

Testing Staff Access

1) On your notebook, try to connect to the Staff SSID broadcast by the AP One. It should use
WPA/WPA2 security; the key is staffwlan.
2) Once connected, open the command prompt and use ipconfig to check your notebook's IP
address, or verify it via the Windows Wireless Network Connection Status.

Ping and Access Tests:

1) Ping the Gateway IP: 192.168.0.1 & Google DNS IP: 8.8.8.8
Passed or Failed
2) Open a web browser and access Internet web sites (e.g. www.google.com) & an internal website
(e.g. Gateway web console, http://192.168.0.1)
Passed or Failed

Slide 181

WPA/WPA2 Enterprise (For Enterprise network)

1) Go to AP > Wireless SSID to edit the SSID settings required for RADIUS
authentication.
2) Change the security setting to WPA2 Enterprise or WPA/WPA2 Enterprise.
3) Make sure the RADIUS server settings are configured.

Note: The AP One does not have a built-in RADIUS server; an external RADIUS server is required
for RADIUS server integration.

Slide 182

Captive Portal
1) Go to AP > Wireless SSID to edit the required SSID settings for captive
portal authentication.
2) Enable Captive portal authentication for Open Access or RADIUS.
3) Make sure the RADIUS server settings are configured.
Note: An external splash page server is required.
Reference:
http://www.peplink.com/knowledgebase/configuring-an-external-splash-page-for-captive-portal/

Slide 183

Reference: http://www.peplink.com/knowledgebase/how-to-set-up-social-wi-fi/
1. Make sure you are running Firmware 6.2.2 or AP Firmware 3.5.2. You can find your
Firmware status and update your Firmware on System > Firmware.
2. If you have disabled InControl 2 management, please re-enable it. For MAX devices,
you can find the settings on System > InControl. For Pepwave APs, you can find the
settings on System > Controller. Click the Controller Management checkbox to
enable InControl management.

Requirements:
To set up a Social Wi-Fi Hotspot, you will need the following items:
- An InControl 2 account.
- A Facebook homepage.
- A supported device running Firmware 6.2.1 or above or AP Firmware 3.5.2.

Supported devices:
Peplink devices that have built-in Wi-Fi AP capability can deliver Social Wi-Fi, including:
- Balance: One
- MAX: 700, OTG, BR1*, BR2, HD2*, HD4
- MediaFast: HD2, HD4
- AP One: AP One, Mini, AC Mini, 300M, In-Wall, Flex 300M
- AP Pro: AP Pro, 300M, Duo
*With the exception of the BR1 ENT and the HD2 Mini

1. On your organization dashboard, click on the group you will use. Navigate to Wi-Fi AP >
Group-wide SSID Settings.

2. Click Add New SSID, and the following menu will appear (refer to the next page):

1. After naming your SSID, scroll down to Captive Portal Settings and click the Captive
Portal checkbox.
2. Click the Facebook tab, then Enable.
3. For your Facebook Page ID, enter your company's Facebook Page.
4. Refer to the next page for how to get your Facebook Page ID.

1. The last part of your Facebook page URL is your Facebook Page ID.
2. If a number string appears at the end of the URL, that will also work. Either way,
copy it and return to InControl.

1. Enter your Facebook Page ID or number string into the Facebook Page ID text
field, set up any usage limitations if needed, and press the Save Changes button to
finish your configuration.

1. If you wish, you can also click the Preview link next to the Captive Portal checkbox
to preview your captive portal:

A wireless distribution system (WDS) is useful for deployment sites where
cables cannot reach, and for temporary deployments. Using WDS, it is possible
to wirelessly connect Access Points, and in doing so extend a wired infrastructure
to locations where cabling is impossible or inefficient to implement.
Note:
WDS may also be considered a repeater mode because it appears to bridge and accept wireless
clients at the same time (unlike traditional bridging). However, with this method, throughput is
halved for all clients connected wirelessly.

Requirement
The customer is expanding their head office, and the cabling work can only be completed in a
month's time. However, the staff need to move in to the new office immediately. In response, the
IT manager will set up a WDS using an additional AP One (AP #2) to wirelessly connect back to
the existing AP One (AP #1).
Information needed to set up WDS:
- Both APs' WDS LAN MAC Addresses
- Encryption type: None or AES
- Radio Selection
- For AES:
  - Passphrase
  - Encryption Key

Let's look at the tasks needed to accomplish the objective.

Slide 190

To set up the WDS on both APs:

1) Navigate to AP > WDS, and the WDS Profile window will appear.
2) Click the Add button to add the WDS connection.
3) Key in the WDS LAN MAC Address of the peer AP.
4) If AES is enabled, enter any wording for the Passphrase, e.g. wdskey. Click the
Generate Key button to create the Encryption Key.
5) Click Save and Apply Changes.

Once the settings are applied, it will take a moment for both APs to recognize
each other and to initiate and negotiate the WDS connection. Go to the status page to verify
the WDS status.

Slide 191

To verify the WDS status on both APs:

1) Go to Status > WDS Info.
2) If WDS is established, you will be able to see the peer AP details in this window. The
information includes:
- Peer MAC Address
- Local MAC Address
- Encryption
- Type
- Signal
- TX/RX Bytes (Packets)

Slide 192

Testing Access Through WDS


1) On your notebook, try to connect using the SSID configured on AP #2 (Staff in this
case).
2) Once connected, open the command prompt and use ipconfig to check your notebook IP
address. You can also verify via the Windows Wireless Network Connection Status.

Ping and Access Tests:


1) Ping to Gateway IP: 192.168.0.1 & Google DNS IP: 8.8.8.8
Passed or Failed
2) Open web browser and access Internet web sites (eg. www.google.com) & internal website
(eg. Gateway web console, http://192.168.0.1)
Passed or Failed

To verify client connections at AP #2:


1) Go to Status > Client List and Connected Clients will be displayed.
2) If clients are associated, you will be able to see their details in this window according to
SSID. The information includes:
MAC Address
Manufacturer
IP Address
Type
Signal
Duration
TX/RX Rate
TX/RX Bytes (Packets)
TX Errs
RX Errs


Requirement
A company wishes to install an AP in their office, but they are aware that other tenants on the same
floor have already installed a WLAN infrastructure. They want to know which wireless
spectrum (channel) will have the least interference.
The AP One series is capable of discovering nearby wireless networks and reporting information
regarding each network. That way, you can choose the least affected channel (if no free channels
are available) for your AP.


To enable the nearby network discovery:


1) Go to AP > Settings > Advanced Features submenu.
2) Click on the Discover Nearby Networks checkbox to enable the feature.
3) Click Save and Apply Changes.


To view the nearby networks discovered:

1) Go to Status > Rogue AP > Suspected Rogue APs. The list will be displayed.
2) If any are detected, a list of APs will be shown with the following details:
SSID/BSSID
Encryption
MAC Address
Channel
Signal
Last Seen
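
The channel choice described in the requirement can be worked out from the discovered list. The following is an added example, not Peplink code: it ranks the non-overlapping 2.4 GHz channels by the signal power of nearby APs that overlap each one. It assumes the Signal column is in dBm and uses a simple linear overlap model; all SSIDs and MAC addresses are constructed.

```python
"""Rank 2.4 GHz channels from a nearby-network survey (added example, constructed data)."""
import math

# Constructed rows shaped like the columns of the discovered-networks list.
# Assumption: "signal" is a received level in dBm. SSIDs and MACs are made up.
SURVEY = [
    {"ssid": "TenantA-Corp", "encryption": "WPA2", "mac": "02:00:00:00:00:01", "channel": 1, "signal": -48},
    {"ssid": "TenantA-Guest", "encryption": "None", "mac": "02:00:00:00:00:02", "channel": 1, "signal": -60},
    {"ssid": "TenantB", "encryption": "WPA2", "mac": "02:00:00:00:00:03", "channel": 6, "signal": -70},
    {"ssid": "TenantC", "encryption": "WPA2", "mac": "02:00:00:00:00:04", "channel": 11, "signal": -55},
    {"ssid": "Printer-Direct", "encryption": "WPA2", "mac": "02:00:00:00:00:05", "channel": 9, "signal": -65},
    {"ssid": "OldRouter", "encryption": "WEP", "mac": "02:00:00:00:00:06", "channel": 3, "signal": -80},
]

# The three 20 MHz channels that do not overlap each other in the 2.4 GHz band.
CANDIDATE_CHANNELS = (1, 6, 11)


def overlap_weight(own, other):
    """Share of a neighbour's energy that lands in our channel.

    Channel centres are 5 MHz apart and a channel is about 20 MHz wide, so
    channels 4 or more apart are treated as non-overlapping (simplified model).
    5 GHz channel numbers (36 and up) therefore never count against 1, 6 or 11.
    """
    separation = abs(own - other)
    return max(0.0, 1.0 - separation / 4.0)


def dbm_to_mw(dbm):
    """Convert a dBm level to linear milliwatts so levels can be summed."""
    return 10 ** (dbm / 10.0)


def channel_scores(survey, candidates=CANDIDATE_CHANNELS):
    """Return {channel: aggregate overlapping interference in mW}."""
    scores = {}
    for channel in candidates:
        scores[channel] = sum(
            overlap_weight(channel, ap["channel"]) * dbm_to_mw(ap["signal"])
            for ap in survey
        )
    return scores


def rank_channels(survey, candidates=CANDIDATE_CHANNELS):
    """Candidates ordered from least to most interference (ties: lower channel)."""
    scores = channel_scores(survey, candidates)
    return sorted(candidates, key=lambda ch: (scores[ch], ch))


def best_channel(survey, candidates=CANDIDATE_CHANNELS):
    """The least affected channel, even when no channel is completely free."""
    return rank_channels(survey, candidates)[0]


if __name__ == "__main__":
    scores = channel_scores(SURVEY)
    for ch in rank_channels(SURVEY):
        mw = scores[ch]
        level = 10 * math.log10(mw) if mw > 0 else float("-inf")
        print(f"channel {ch:2d}: {level:6.1f} dBm aggregate interference")
    print("suggested channel:", best_channel(SURVEY))
```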


If you need the AP to provide higher output power to cover a bigger area, you can
enable the Power Boost feature:
1) Go to AP > Settings > Output Power menu item.
2) Click on the Boost checkbox to enable the feature.
3) Click Save and Apply Changes.

Note:
Enabling the power boost feature will increase the output power from 400mW to 2W. Please
enable only if local regulations permit.


There are other settings like SpeedFusion, SNMP, Web Administration in the
Configure menu, Tools and Commands. For further details on these settings,
please refer to the relevant firmware user manual.


Module 5: Surf Series


This module will examine different real-life deployment scenarios, and provide detailed
instructions on how to utilize the major features of the Surf On-The-Go.


1st time setup steps on Surf On-The-Go:


1) Default settings
LAN IP: 192.168.20.1/24
Admin ID: (No ID by default)
Admin PW: (No password by default)
DHCP Enabled
DHCP Range: 192.168.20.10 - 192.168.20.250
WLAN AP: Enabled
SSID: PEPWAVE_#### (where #### is the suffix of the MAC Address of the SOTG)
2) Connect a PC to the SOTG Ethernet port. It will be assigned an IP address from
192.168.20.1 to 192.168.0.20, with a subnet mask of 255.255.255.0.
3) Using Microsoft Internet Explorer 6 or above, Mozilla Firefox 2.0 or above, or Google Chrome
2.0 or above, connect to https://192.168.20.1.
4) As there is no login security enabled by default, you will be redirected to the Dashboard page.


Dashboard Page
At the Dashboard page, you will see the device's current WAN connection status. It also displays
a real-time graph of Network Data Usage and Signal Timeline (if WiFi or Cellular is
active).
You can change the WAN connection type by clicking the Switch WAN Mode icons (WiFi,
Cellular, Wired).

Status Page
You can view the device status on this page. Detailed information includes:
Firmware version
Hardware version
Model
Serial Number
Supported Mode (operating radio frequency, a/b/g/n)
etc.
If the WAN link is active, you will see the relevant information like IP Address, Subnet Mask, Gateway,
etc.


Your Surf On-The-Go supports three WAN connection modes, giving you maximum
connectivity on the road, at the office, or at home.
Wi-Fi Mode
Connect to the Internet via a Wi-Fi Hotspot (backed up by Cellular),
and provide a Local Access Point and Ethernet Connection. e.g. WiFi Services from ISP, Hotel, RV Park, Marina.

Cellular Mode
Connect to the Internet using a 4G (WiMAX / LTE) or 3G USB Modem,
and provide a Local Access Point and Ethernet Connection. e.g.
Traveler, Remote Area.

Wired Mode
Connect to the Internet via an Ethernet cable (backed up by
Cellular), through a DSL/Cable Modem or Router, and provide a
Local Access Point. e.g. Home, Hotel


Wi-Fi WAN Mode


Wi-Fi Mode makes it easy to share Wi-Fi service provided by hotels,
restaurants, marinas, RV parks, and more. Once connected to Wi-Fi, your Surf
can serve as a local access point for an unlimited number of devices. You can
also connect printers, game consoles, and other wired devices to the Surf using
its Ethernet port.


WiFi Mode Configuration Steps


1) Connect to the Web Admin Interface. Click Wi-Fi, and then Settings.
2) In the Wireless Settings section, change Wireless Network Name (SSID) from the default
value of MySSID to the SSID specified by your wireless Internet service provider. Otherwise,
you may change this field to a blank value, and then select an SSID from the resulting list,
which also includes corresponding encryption types and signal strengths. With the MAC Clone
function, you can use the Ethernet client MAC address as Surf's WAN MAC address.
3) From the Authentication drop-down menu, select the authentication type required by your
Wi-Fi Internet service provider. Then, if applicable, enter the Encryption Key value provided by
your ISP.
4) In the AP Settings section, select Configure Manually. In the AP SSID field, enter the
network name used to identify the home Wi-Fi network. The default AP SSID value is
PEPWAVE_####; change it to MY-MOTG.
5) From the Authentication drop-down menu, select WPA/WPA2-Personal. In the Encryption
Key field, enter an authentication password of at least 8 characters, e.g. motgwlan. To store
your settings, click the Save button that appears on the lower right.
6) Navigate to the Dashboard page, which displays connection details and signal strength level.
7) Upon successful connection, all of the LEDs on the Surf should be lit as follows:
PWR: Solid Green
RDY: Yellow
ENET: Solid Green
Wi-Fi: Displays a varying number of lit signal bars depending on the strength of the
received signal
If there is any open WiFi Hotspot available, you can configure the Surf OTG to enable the
Connect to Any Open Mode AP feature, with which it will connect to these Hotspots automatically.
When needed, you can use the Ethernet client MAC address as Surf's WAN MAC address by
enabling the "MAC Clone" under Wi-Fi WAN Settings.


Testing Client Access


1) On your notebook, try to connect to the MY-MOTG SSID broadcast by the Surf OTG. It should
use WPA/WPA2 security; the key is motgwlan.
2) At the same time, to verify the Surf OTG Ethernet port is in LAN mode, connect a UTP cable
from the notebook to the switch.
3) Once connected, open the command prompt and use ipconfig to check that your notebook
has obtained IP addresses on both the Wireless and Ethernet adapters.

Ping and Access Tests:


1) Ping to Gateway IP: 192.168.20.1 & Google DNS IP: 8.8.8.8
Passed or Failed
2) Open web browser and access Internet web sites (eg. www.google.com)
Passed or Failed


Cellular WAN Mode


This mode allows you to connect your Surf to a 3G or 4G (WiMAX/LTE) USB
modem and share the connection with all your devices wirelessly and/or using
the Surf's Ethernet port. Cellular Mode is an ideal choice for travelers
or those living/working in remote areas without broadband service.


Cellular Mode Configuration Steps


1) Connect to the Web Admin Interface. Click Cellular, and then Settings.
2) Click Cellular Settings on the left. In general, selecting Auto Operator Settings is sufficient
to connect to the Internet. If not, select Custom Operator Settings to manually enter settings
specified by your cellular service provider (typically APN and Dial Number). When finished,
click Save on the lower right.
3) Refer to the previous example for WLAN AP settings: the SSID is MY-MOTG and the WPA/WPA2 key
is motgwlan.
4) Navigate to the Dashboard page, which displays connection details and signal strength.
5) Upon successful connection, all of the LEDs on the Surf should be lit as follows:
PWR: Solid Green
RDY: Yellow
ENET: Solid Green
Wi-Fi: Displays a varying number of lit signal bars depending on the strength of the
received signal


Testing Client Access


1) On your notebook, try to connect to the MY-MOTG SSID broadcast by the Surf OTG. It should
use WPA/WPA2 security; the key is motgwlan.
2) At the same time, to verify the Surf OTG Ethernet port is in LAN mode, connect a UTP cable
from the notebook to the switch.
3) Once connected, open the command prompt and use ipconfig to check that your notebook
has obtained IP addresses on both the Wireless and Ethernet adapters.

Ping and Access Tests:


1) Ping to Gateway IP: 192.168.20.1 & Google DNS IP: 8.8.8.8
Passed or Failed
2) Open web browser and access Internet web sites (eg. www.google.com)
Passed or Failed


Wired WAN Mode


Wired Mode lets you connect the Surf to a DSL/cable modem or router, and it
will serve as a WiFi Hotspot or AP to let you connect clients wirelessly. Ideal for
a small remote office, café or power home user environment.


Wired Mode Configuration Steps


1) Connect one end of an Ethernet cable to the Surf On-The-Go and the other end to your
Internet source.
2) Refer to the previous example for WLAN AP settings: the SSID is MY-MOTG and the WPA/WPA2 key
is motgwlan.
3) Connect to the Web Admin Interface. Click Wired, and then Settings.
4) In the WAN IP Settings section, select the method the Surf will use to obtain an IP address:
Configure Manually - After selecting this option, manually enter a static IP address.
Obtain an IP Address using DHCP - Obtain an IP address automatically.
Obtain an IP Address using PPPoE - Connect to Internet service using PPPoE.
5) Navigate to the Dashboard page, which displays connection details and signal strength level.
6) Upon successful connection, all of the LEDs on the Surf should be lit as follows:
PWR: Solid Green
RDY: Yellow
ENET: Solid Green
Wi-Fi: Displays a varying number of lit signal bars depending on the strength of the
received signal


Testing Client Access


1) On your notebook, try to connect to the MY-MOTG SSID broadcast by the Surf OTG. It should
use WPA/WPA2 security; the key is motgwlan.
2) Since the Surf OTG is operating in Wired Mode, the Ethernet port has become the WAN interface,
so no DHCP Server service is available through this interface.
3) Once connected, open the command prompt and use ipconfig to check that your notebook
has obtained an IP address on the Wireless adapter.

Ping and Access Tests:


1) Ping to Gateway IP: 192.168.20.1 & Google DNS IP: 8.8.8.8
Passed or Failed
2) Open web browser and access Internet web sites (eg. www.google.com)
Passed or Failed


WAN Connection Failover


The Surf OTG provides WAN failover if it's running in WiFi and Wired Mode, with
Cellular as the standby WAN link. This feature adds WAN reliability that would
normally be available only in enterprise setups.


WAN Failover Configuration Steps (Wired WAN Mode)


1) Connect to the Web Admin Interface. Click Wired, and then Settings.
2) Ensure the Wired radio button is selected in the WAN Mode.
3) At the Fail Over Settings section, click on the Enable radio button to turn on the Cellular WAN
as the backup link for Wired (or WiFi) WAN Mode.
4) Click the Save button at the bottom of the page to save and apply the changes.

At the Dashboard, the Cellular 1 icon will appear below the Wired WAN. Its state depends
on the Cellular settings: if you choose disconnect, it will remain
disconnected (icon dimmed) while the primary WAN link is active. If you select
remain connected in the Cellular settings, the cellular link will establish a connection
and remain in hot-standby mode (icon turned green).


Wired Failed, Cellular WAN Take-over


1) Unplug the UTP cable from the Surf OTG Ethernet port.
2) Notice the Dashboard WAN link status.

When the Surf OTG detects that the Wired WAN has failed, it will automatically bring up the Cellular
WAN. As shown in the screen capture, Cellular 1 is active (green icon) with
signal strength status displayed.


Testing Client Access After Wired WAN Failover


1) On your notebook, try to connect to the MY-MOTG SSID broadcast by the Surf OTG. It should
use WPA/WPA2 security; the key is motgwlan.
2) Once connected, open the command prompt and use ipconfig to check that your notebook
has obtained an IP address on the Wireless adapter.

Ping & Traceroute Tests:


1) Ping to Gateway IP: 192.168.20.1 & Google Malaysia www.google.com.my
Passed or Failed
2) Traceroute Internet web sites (eg. www.google.com.my)
Note down the path taken


Testing Client Access After Wired WAN Service Restored


1) Plug the UTP cable back into the Surf OTG Ethernet port.
2) Notice the Dashboard WAN link status.

When the Surf OTG detects that the Wired WAN is restored, it will forward traffic on the Ethernet port
again and at the same time put the Cellular WAN in standby mode by disconnecting from
the cellular connection.
Ping & Traceroute Tests:
1) Ping to Gateway IP: 192.168.20.1 & Google Malaysia www.google.com.my
Passed or Failed
2) Traceroute Internet web sites (eg. www.google.com.my)
Note down the path taken and compare it with the path taken when the Wired WAN failed


Surf OTG Advanced Settings


Keep AP
Broadcasts a Wi-Fi SSID even if there is no active Internet connection. Disabling this will
require you to configure the device with an Ethernet cord. Enabling this feature is highly
recommended.
AP Transmit Power Adjustment
Reduce or increase the power of the Wi-Fi AP. This will not affect the power of the connection to a
Wi-Fi WAN.
Broadcast SSID
When disabled, computers will not automatically see the AP's SSID, and must be manually
configured to connect to the network. Default is Enable (recommended).
Client Isolation
When enabled, computers using the AP's SSID cannot communicate directly with each other. This
is a good security feature to enable when allowing untrusted users to use your connection. Default
is Disable.
Multicast Enhancement
Converts multicast packets to unicast packets, improving multicast traffic performance in most
situations. Default is Enable.
Multicast Rate
With Multicast Enhancement disabled, this will set multicast traffic to a fixed rate. Changing this
setting is recommended only for advanced users.


Surf OTG Other Settings


There are other settings available on the Surf OTG, such as Cellular Settings, WiFi WAN Profile
Settings, PepVPN, Web Administration (turn on login ID and password), Port Forwarding, QoS,
Firmware upgrade, and System settings.
For further details on these settings, please refer to the relevant firmware user manual.


Module 6: Cloud-Based Networking


This module will examine different real-life deployment scenarios, and provide detailed instructions
on how to utilize the major features of the Surf On-The-Go.


What is FusionHub?
FusionHub is the new virtual SpeedFusion appliance from Peplink. With FusionHub, you
can establish SpeedFusion connections between cloud servers and physical Peplink
devices.

What Can You Do With FusionHub?
Make SpeedFusion connections to your datacenter or cloud servers.
See the Web domains your clients visit and the applications they use.
Integrate datacenters and cloud servers into existing physical SpeedFusion networks.

Why FusionHub?
1. Bandwidth Bonding
Connect to your cloud server with the combined speed of all your WAN links.
Enjoy faster Internet access by using your server's high-throughput connection.
Faster Remote Streaming
Bond different WAN links to increase bandwidth

2. Session Persistence
Combine any type of connection from multiple ISPs to create a highly
available connection between your device and your FusionHub. This
connection will provide unbreakable VPN.
Packet-Level Seamless Failover
Hot failover to bandwidth limited link (Cellular, Satellite)

3. Deploy on Any Cloud Server
Use FusionHub in private, public, and hybrid clouds. Deploy FusionHub
anywhere at a moment's notice. Establish as many FusionHubs as you
need to support your customers.
Deploy FusionHub in private or public cloud.
Centrally managed by InControl2

New in firmware 6.2.2!
WAN Smoothing Support
FusionHub 6.2.2 supports WAN Smoothing, making it useful for deployments where you
require consistent 2-way connectivity such as videoconferencing or VoIP.


FusionHub runs on nearly all mainstream virtual machine software. The supported Hypervisors
include:
1. Amazon Web Services
2. VMware (ESXi Server, Workstation, Player)
3. Citrix XenServer
4. Oracle VirtualBox
5. Microsoft Hyper-V
Please refer to the Peplink FusionHub website for installation instructions for each Hypervisor,
at the URL below:
http://www.peplink.com/support/downloads/fusionhub-binary-installation-guide/


Hardware Specifications
1. Minimum Requirements for VM Host Hardware*
Intel Core i5 processor
4GB RAM
100GB hard drive
2. Recommended VM Host Hardware for 1Gbps of SpeedFusion VPN Throughput*
Xeon E3-1270V2 @3.5GHz
8GB RAM
500GB hard drive
* Not applicable for AWS instances.


The recommended AWS Instances sizing for FusionHub deployment:


2 peers / 50Mbps: t1.micro
20 peers / 50Mbps: m1.small
100 peers / 100Mbps: m1.small
500 peers / 250Mbps: m1.large
1000 peers / 500Mbps: m1.large
Currently, the only means of acquiring FusionHub for AWS is through private sharing. You would
need to provide the following information to trial@peplink.com. Peplink will then share the AMI
image to your account:
InControl2 account username
Amazon EC2 region (e.g. Oregon)
12-digit Amazon ID


FusionHub deployed in Enterprise Networks can combine multiple commodity links from different
ISPs to create an unbreakable connection to your most important enterprise applications.
Key Benefits:
1. Faster Applications: Access your applications using combined bandwidth.
2. Session Persistence: Maintain session integrity even when WAN connections break.
3. Pay as You Grow Pricing: Save on initial capital expenditures. Grow your network
affordably.

Common FusionHub Applications in Enterprise Networks:
1. Branch Office VPN: Remotely access head office resources with the same bandwidth
and reliability as a local user.
2. Faster Internet via Datacenter: Route remote site traffic over SpeedFusion for
centralized Web filtering or to take advantage of high-speed Internet links at the main site.
3. Upload HD Video on 4G LTE: Bond multiple 4G LTE connections for fast HD video
uploads to your cloud-based datacenter.


In the MSP deployment model, you run multiple instances of FusionHub in your datacenter or cloud
infrastructure to provide each customer with their own SpeedFusion-enabled cloud server.
Key Benefits:
1. Add Value to Your Existing Services: Add SpeedFusion to your services to make them
faster.
2. Solve Connectivity Issues: Use bandwidth bonding to provide fast Internet to places
with poor Internet access.
3. Offer Unbreakable VPN: Provide highly available redundant site-to-site VPN connectivity
using cheap commodity Internet connections.

Deploying FusionHub as an MSP through the Peplink SpeedFusion Alliance Programme:
1. Offer SpeedFusion as a Service (SaaS): Run multiple FusionHub virtual appliances to
provide separate SpeedFusion WANs for your customers.
2. Unlimited Scalability: Run as many FusionHubs as you need and manage them using
InControl 2. Pay as you grow, with pricing based on throughput and the number of peers
connected.

* More on the Peplink SpeedFusion Alliance Programme can be found at the URL below:
http://www.peplink.com/partners/speedfusion-alliance/


This is an example of FusionHub for Enterprise (Single VM Instance).


Branch Office VPN: Remotely access head office resources with the same bandwidth and
reliability as a local user. Data, voice, and video communications between these locations are kept
confidential across the public Internet.


This is another example of FusionHub for Enterprise (Single VM Instance).


Faster Internet via Datacenter: Multiple low speed Internet links at the remote office are combined
into a SpeedFusion tunnel towards the Datacenter. This setup could route remote site traffic over
SpeedFusion for centralized Web filtering or to take advantage of high-speed Internet links at the
main site.


As an MSP, you can run multiple instances of FusionHub in your datacenter or cloud infrastructure
to provide each customer with their own isolated SpeedFusion-enabled cloud server.
Offer SpeedFusion as a Service (SaaS): Run multiple FusionHub virtual appliances to provide
separate SpeedFusion WANs for your customers.


Peplink FusionHub securely connects one or more branch offices to your company's main
datacenter or to other branches. Data, voice, and video communications between these locations
are kept confidential despite going across the public Internet.
SpeedFusion Bandwidth Bonding is specifically designed for multi-WAN environments, and
FusionHub enables public and private clouds to connect to endpoint devices (e.g. Balance, MAX)
using SpeedFusion.
When supporting multiple VPN connections, FusionHub can act as a central hub that connects
branch offices. For example, if Branch Office A and Branch Office B make VPN connections to
Headquarters C, both branch office LAN subnets and the subnets behind them (e.g., static routes)
will also be advertised to Headquarters C and the other branches. In this example, Branch Office
A will be able to access Branch Office B via Headquarters C.
The local LAN subnet and subnets behind the LAN will be advertised to the VPN. All VPN
members (branch offices and the datacenter) will be able to route to local subnets. Note that all
LAN subnets and subnets behind them must be unique. Otherwise, VPN members will not be able
to access each other.
All data can be routed over the VPN using the 256-bit AES encryption standard. In the following
sections, three FusionHub application examples illustrate how to set up your devices.
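
The requirement above that every LAN subnet and every subnet behind it be unique across VPN members can be checked before any tunnel is configured. The following is an added example, not Peplink code: it reports duplicate and overlapping prefixes across sites. The site names follow the example in the text; all subnets are constructed.

```python
"""Find duplicate or overlapping subnets across VPN members (added example)."""
import ipaddress
from itertools import combinations

# Constructed inventory: each site's LAN subnets plus static routes behind the LAN.
ADVERTISED = {
    "Headquarters C": ["10.0.0.0/16", "172.16.50.0/24"],
    "Branch Office A": ["192.168.1.0/24", "192.168.10.0/24"],
    "Branch Office B": ["192.168.1.0/24", "10.0.8.0/22"],
}


def parse_inventory(advertised):
    """Return a flat list of (site, network) pairs.

    strict=False accepts interface notation such as 192.168.20.1/24 and
    normalises it to the network it belongs to (192.168.20.0/24).
    """
    networks = []
    for site, cidrs in advertised.items():
        for cidr in cidrs:
            try:
                network = ipaddress.ip_network(cidr, strict=False)
            except ValueError as exc:
                raise ValueError(f"{site}: invalid subnet {cidr!r}") from exc
            networks.append((site, network))
    return networks


def find_conflicts(advertised):
    """Return (site1, net1, site2, net2, kind) for every clashing pair.

    kind is "duplicate" when both prefixes are identical and "overlap" when
    one prefix contains the other. Pairs inside the same site are checked too.
    """
    conflicts = []
    for (site1, net1), (site2, net2) in combinations(parse_inventory(advertised), 2):
        if net1.version != net2.version:
            continue  # an IPv4 prefix never overlaps an IPv6 prefix
        if net1.overlaps(net2):
            kind = "duplicate" if net1 == net2 else "overlap"
            conflicts.append((site1, str(net1), site2, str(net2), kind))
    return conflicts


if __name__ == "__main__":
    found = find_conflicts(ADVERTISED)
    for site1, net1, site2, net2, kind in found:
        print(f"{kind}: {site1} {net1} <-> {site2} {net2}")
    if not found:
        print("all advertised subnets are unique")
```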


Real World Deployment - Example #1:


Offices interconnect
In this example, the hosts located at Office A want to communicate with the host located at
Headquarters.


Real World Deployment - Example #2:


Remote Access to Central Server
To set up the scenario shown above, we need to configure a MAX HD2 at Site A, a MAX BR1 at
Site B, and FusionHub (two network adapters are needed) at the Datacenter.


FusionHub - Web Admin


The User Interface (UI) of FusionHub is similar to that found in Balance or MAX routers.
The default WAN connection method for FusionHub is DHCP. If a DHCP server is available in
your network, the FusionHub IP address will be automatically obtained from the DHCP server. The
Web admin address will appear on the FusionHub console automatically (i.e., Admin:
http://10.8.8.252). Enter the Web admin address (i.e., http://10.8.8.252) in your Web browser's
address field.

If there is no DHCP server in your network, set your computer's IP address to 169.254.x.x (x
denotes any integer from 2 to 253), using a subnet mask of 255.255.0.0.
Default Admin ID: admin
Default Password: admin


When FusionHub is first installed, only the WAN Interface will be available. The default WAN
connection method for FusionHub is DHCP.
WAN Interface - Connection Method:
Static
DHCP (default)
PPPoE
Configuring the WAN Interface of the FusionHub is similar to doing so for Balance / MAX
routers except that fewer parameters will need to be configured.


The FusionHub LAN Interface is not enabled by default; you need to add a network adapter to
the FusionHub virtual machine.
After adding one or more network adapters to the FusionHub virtual machine, power on the virtual
machine, and then reconnect to the FusionHub Web admin interface. Navigate to Network > LAN,
and you will be able to see the LAN Interface.
By enabling Route PepVPN traffic to LAN, all traffic from remote SpeedFusion peers will be routed to
the defined Gateway.
Note: FusionHub virtual machines support a maximum number of two network adapters. By
default, Network adapter 1 is set as the WAN port, and Network adapter 2 is set as the LAN
port.


Layer 3 Isolation - Enable this option if you want to block layer 3 network traffic between PepVPN
peers. This will not affect the connectivity between the peers and the local network.
NAT Remote Connection - If enabled, remote PepVPN connections will be NAT'd to
FusionHub's IP Address before being delivered to the local network.


WAN Smoothing
WAN Smoothing utilizes multiple WAN links to reduce the impact of packet loss and get the lowest
possible latency at the expense of extra bandwidth consumption. This is suitable for streaming
applications where the average bitrate requirement is much lower than the WAN's available
bandwidth.
Off - Disable WAN Smoothing.
Normal - The total bandwidth consumption will be at most 2x of the original data traffic.
Medium - The total bandwidth consumption will be at most 3x of the original data traffic.
High - The total bandwidth consumption depends on the number of connected active tunnels.
Default: Off


To ensure that important data travels through FusionHub with high priority, enable Application
QoS. Choose the application you wish to prioritize, and then set the priority accordingly (eg. Low,
Normal & High).


To enhance security using external certificates, FusionHub supports self-signed certificates for
SpeedFusion and for the Web Admin. If you have certificates that are signed by a CA, you may import
them here.


Each license key can be associated with one FusionHub instance only. If you re-use a license key
without "releasing" it on InControl 2, FusionHub will report "License key already in use".
For detailed steps on migrating the license, you may refer to the URL below:
http://www.peplink.com/knowledgebase/how-to-migrate-your-fusionhub-licence-to-a-new-vm/


Introducing InControl 2
InControl 2 is our cloud based device management, monitoring, and reporting tool designed
specifically for Peplink and Pepwave devices.
Any of our devices can be registered on InControl 2. Once your device is registered, you can get
advanced administration tools, unprecedented device visibility, and comprehensive reporting.


To be managed by InControl 2, the device needs to fulfill the following prerequisites:
1. Hardware Requirement
Peplink Balance*
Peplink MediaFast
Pepwave MAX
Pepwave AP^
Pepwave Surf#
Peplink FusionHub
Note:
* Not available in hardware revision 1 of the Balance 210 and 310; and hardware
revision 1 of the Balance 30.
^ Supports devices running Firmware 3.4.1 and above.
# Supports the Surf SOHO only.

2. Software Requirements
Running Firmware 6.1 or 3.4.1 or later.
In-warranty or covered by InControl 2 Subscription.

3. Warranty vs Subscription
Firmware 6.1 and 3.4.1 is free for in-warranty devices, but you will need to
purchase a warranty to upgrade out-of-warranty devices. If you are unsure of
your device's warranty status, check by adding the device to InControl 2. Even if
the device cannot be managed by InControl 2 (e.g., the device runs older
firmware), it will still show the device's warranty status.
For the following out-of-warranty devices, 1-year and 2-year InControl 2 subscriptions
are also available on our online cart. For out-of-warranty devices that are not listed
below, please purchase TotalCare/SmartCare instead.
InControl 2 subscriptions are applicable for:
Balance 20, 30, 50, One
MAX On-The-Go, BR
Surf SOHO
AP One AC Mini, 300M, In-Wall, Flex
AP Pro
FusionHub Essential, FusionHub Pro
If the device sits behind a firewall, please enable traffic for UDP port 5246 and TCP
port 443, in order for the device to reach InControl 2.


InControl 2 - Management Options

Just like FusionHub, InControl 2 also comes in 2 variants for customers to choose from:

1. Peplink Hosted Model
This is the most common model. It is a service hosted in a public cloud, made up of system clusters with HA and redundancy, ensuring that its services are available 24x7x365.
If your devices are in-warranty and running Firmware 6.1 and above (or Firmware 3.4.1 and above for AP One), InControl 2 is free of charge.

2. Privately Hosted Model
For large enterprises or government agencies with regulations regarding data privacy and confidentiality, we offer InControl 2 as an appliance to host in their own network.
The Privately Hosted Model comes in 2 variants:
InControl 2 Hardware Appliance: Recommended for environments that want to manage 1,000 or fewer Peplink devices.
InControl 2 Virtual Appliance: For networks that have > 1,000 Peplink devices to be managed, you can deploy the InControl 2 Virtual Appliance, a software-based system designed to run on a cloud infrastructure.

There are various User Roles in InControl 2, each carrying different access rights and authorities:
Dashboard Viewer: These users can only view the organization dashboard. Useful for publicly accessible accounts.
Group Viewer: These users can read information for the specified group, but cannot make changes.
Group Administrator: These users can access the specified group, reading and making changes.
Organization Viewer: These users can read information for the entire organization, but cannot make changes.
Organization Administrator: These users can access the entire organization, reading and making changes.
In the Privately Hosted Model, sometimes called the MSP Model, there is an additional role, MSP Administrator, who has the access rights to manage all organizations under that particular private InControl 2 system.


InControl 2 - Dashboard
When you first log in to InControl 2 to start managing Peplink devices, you will see the Overview Dashboard page.
This page displays several pieces of useful information about the devices managed by your Organization.

1. Access Level
Indicates which access level you are currently working at. There are three access levels:
Organization Level: Reports here describe your entire organization. Decisions here also tend to affect the whole organization.
Group Level: Reports here describe the status of the device groups that you define.
Device Level: Here, you can obtain the most detailed reports and configuration options regarding each device. This is also the level which enables you to remotely access the device's web admin.

2. Organization Identification
This area displays the Organization that you have logged into, along with your login credential. It also gives you shortcut access to Organization-related settings, as well as quick access to your Groups.

3. Associated Setting Options
This area indicates the relevant settings available on the current access level. It will change according to the level you access.

4. Organization Summary
A one-glance view of your entire Organization.
The [Service Expired] and [Service Expiring Soon] categories change dynamically according to the device warranty status. The [Service Expiring Soon] notification will display the number of managed devices whose warranty will expire within 60 days.

5. Groups Summary
Lists each group, their Online Devices, their Total number of Devices, and Clients connected to all Online Devices. Click the up-down arrow to sort by that statistic.

6. User Feedback Button
If you have any comments, suggestions, or problems to report, click on the <Feedback> button. You will be able to enter a short description, as well as draw free-hand on the current screen. When you click the <Submit> button, the system will send a notification immediately to the InControl 2 team for review.


InControl 2 - Device Management

InControl 2 provides various tasks to centrally manage Peplink devices:

1. Add, Delete, Move, Rename
Once you have registered a new device, you can add it to the group of your choice. You can also move it to a new department (Group), and rename the device at the same time if needed.

2. Firmware Policy
You can utilize InControl 2 to automate firmware management. You can push firmware based on a schedule or push firmware immediately to the designated Group.
Please note that InControl 2 will push the Firmware onto devices even if the device is already running newer Firmware. If your device is running a Firmware version not available on InControl 2, we recommend that you disable automated firmware management.

3. Configuration Backup
Whenever it detects configuration changes, InControl 2 will automatically back up the device configuration. You can find the device configuration backup in the Device Details page.

4. Configuration Cloning
IC2 allows you to clone the configuration from a Master device, and replicate (via push method) the settings to other devices in the same Group. To use this feature, please ensure that all the devices in the Group are the same model, running the same firmware version.
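
A pre-change check for the two caveats above (a firmware policy pushes its version even onto devices running newer firmware, and cloning needs one model and one firmware version per group), added here as an example that is not Peplink code. The CSV inventory layout, the policy targets, and the device names are constructed assumptions, not an InControl 2 export format.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory; this CSV layout is an assumption, not an InControl 2 export.
INVENTORY_CSV = """\
group,device,model,firmware
Branch,br-01,Balance 20,6.1.2
Branch,br-02,Balance 20,6.2.0
Branch,br-03,Balance 20,6.1.2
Fleet,bus-01,MAX BR1,6.1.2
Fleet,bus-02,MAX HD2,6.1.2
"""
# Hypothetical firmware policy target per group.
POLICY_TARGET = {"Branch": "6.1.2", "Fleet": "6.1.2"}

def parse_version(text):
    """Turn '6.1.2' into (6, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def load_inventory(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def downgrade_risks(devices, policy):
    """Devices running firmware newer than the version their group policy would push."""
    risks = []
    for d in devices:
        target = policy.get(d["group"])
        if target and parse_version(d["firmware"]) > parse_version(target):
            risks.append((d["group"], d["device"], d["firmware"], target))
    return risks

def clone_blockers(devices):
    """Groups that mix models or firmware versions, so cloning prerequisites fail."""
    seen = defaultdict(lambda: {"models": set(), "firmware": set()})
    for d in devices:
        seen[d["group"]]["models"].add(d["model"])
        seen[d["group"]]["firmware"].add(d["firmware"])
    return {g: v for g, v in seen.items()
            if len(v["models"]) > 1 or len(v["firmware"]) > 1}

if __name__ == "__main__":
    devices = load_inventory(INVENTORY_CSV)
    for risk in downgrade_risks(devices, POLICY_TARGET):
        print("would be downgraded:", risk)
    for group, detail in sorted(clone_blockers(devices).items()):
        print("cannot clone in", group, detail)
```
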


InControl 2 - Fleet Management

InControl 2 provides full fleet management when used in combination with our vehicle-mounted, GPS-enabled devices, such as the MAX HD2 and the BR1.
Track your devices wherever they are using our interactive maps. Check vehicle speed, cellular coverage, and traffic conditions. Play back route histories in real-time.

1. Locate
Easily find any device using interactive maps. Point and click to see device details, such as cellular signal strength and number of clients.

2. Track
Track location over the past 24 hours or review any 24-hour period. Play back route histories in real-time or at high speed to see exactly where a vehicle was at any point.

3. Monitor
Use the color-coded tracking feature to monitor real-time vehicle speed. Drill down through tracking history data to spot speed patterns.


InControl 2 - Centralized SpeedFusion Management

InControl 2 supports SpeedFusion VPN configuration and management. Just create a SpeedFusion profile and apply it to all devices in a group. InControl 2 then automatically configures SpeedFusion VPN settings on all devices, giving you a centrally managed SpeedFusion deployment in minutes.
Fully Automated SpeedFusion VPN Configuration and Deployment
Manage SpeedFusion settings from a central location
Get live SpeedFusion status information
Monitor bandwidth across site-to-site VPN links
Push SpeedFusion changes to devices immediately

You can provision SpeedFusion VPN in various topologies within IC2, namely:
1. Hub and Spoke
2. Partial Mesh
3. Fully Meshed

Note that the SpeedFusion settings provisioned in IC2 will override any manual PepVPN/SpeedFusion configuration performed at the devices. If you have already configured PepVPN/SpeedFusion manually, we recommend that you turn off SpeedFusion Management at IC2.


InControl 2 - Centralized Wi-Fi Management

InControl 2 enables the provisioning of Wi-Fi settings of compatible Balance, MAX, and AP models. Please note that IC2 will overwrite any manual Wi-Fi configurations performed at the device level.
There are a few key Wi-Fi settings that can be configured and pushed to the devices.

1. Wireless SSID
Define SSIDs and relevant wireless security settings.

2. Wireless Radio
Configure the wireless radio related settings, e.g. frequency channel, transmit power, etc.

3. Captive Portal
Define the captive portal for certain wireless networks. For details of the captive portal settings in IC2, please refer to Module 4 - Wireless AP.


InControl 2 - Reports and Monitoring

As a part of the centralized management features, IC2 provides reports and monitoring capabilities to its users.
The available reports in IC2 include Device Reports, Wi-Fi Reports, Captive Portal Reports, DPI Reports (only available to FusionHub), Client Reports, Event Log, and Device Status.
You can select a reporting period such as: Real Time, Today, Yesterday, Last 7 Days, Last Month, and Custom.


InControl 2 - Organization Settings

InControl 2 has a few levels of system administration; the highest level is Organization Settings. Changes here will affect the entire organization. A few of the important tasks include:

1. Manage User and Access Roles
Create, rename, delete User ID, change email ID, and change user role (from Organization Administrator, down to Dashboard Viewer).

2. View Device Warranty / Subscription Expiration Date
At the Warranty & License page, you can view the device's warranty & IC2 subscription date.

3. Manage FusionHub License Key
IC2 allows users to manage the FusionHub license key. You can delete, release, and import the full FusionHub licenses, or generate FusionHub Evaluation License Keys for testing purposes.
Please refer to the FusionHub section in this module for more details.


InControl 2 - Group Settings

InControl 2 allows the delegation of device management down to the group level. This feature gives the flexibility to assign device administration to different persons, while preventing unauthorized access. The example above illustrates a Managed Service Provider setting up a multi-tenant environment.
Group Settings provide detailed control and management of the devices.

1. Manage User and Access Role - Group Level
Create, rename, delete User ID, change email ID, and change user role (from Group Administrator, down to Dashboard Viewer).

2. Email Notification Settings
You can enable email notifications when any device in the group goes off-line.

3. Manage Device Web Admin Password
The Group Administrator can centrally maintain or change the Web Admin password of managed devices from IC2. This feature also allows password restoration, in case a device Web Admin password has been accidentally changed.


InControl 2 - Operation Log

InControl 2 has a built-in audit trail feature, which logs every transaction performed by each user.
