Balance One - Outbound Policy Issues

Hello,

The current setup is a Peplink Balance One with the 5xWAN License.

We have 4 x FTTC connections to this (each of speed 80Mbit down/20Mbit up - PPPoE, using 4 x Openreach HG612 modems), and the environment is a medium-sized student residence that is yet to be at capacity (currently 10 or so students each with several devices). Therefore, setting up more complex balancing rules involving IPs and subnets will be very tricky as the devices aren’t static client devices.

Every room has an ethernet port (source: HP 1920-48G); however, apart from one student, nobody is using these.

The building has a Ubiquiti Unifi WiFi setup (7 x UAP-AC-LR points + Cloud Key), all running off a HP 1920-24G PoE switch.

The IP network is in a /22 subnet/range so 1022 hosts max capacity.

Our issue is with the outbound policy and setting up an effective ‘persistence’ policy that won’t toy with the students’ connections to mainly streaming services, banking sites and HTTPS websites that don’t like being switched between IPs.

Firstly I tried the ‘High Compatibility’ policy; however, a few students complained of weird issues, and I myself couldn’t establish a solid browsing session to the UniFi site for AP management (unifi.ubnt.com), which runs over HTTPS. This was purely through the web via the UniFi cloud and not connected locally to the device on port 8443. Trying to navigate various areas (settings, clicking anything pretty much) results in the page freezing. Whilst this is happening, I’m doing an external IP check/refresh on another tab and I’m seeing my external IP changing between the 4 IPs. This is why the site doesn’t browse without crashing. To settle this as being the issue, I disconnected 3 x WANs and left 1 WAN connected, and this rectified my browsing of the UniFi site with everything working fluidly again (and any issues students were having were suddenly rectified).

Afterwards, I set up a custom policy (in fact there was already a policy in place for HTTPS Persistence), and had the same issues as above again with the router unable to keep the web session to one WAN.

Is there a set of policies that anybody out there has made that I can pretty much plug into the Balance One rules, and have minimal issues? I have a reasonable networking understanding but not sure why this is happening. I don’t want to go down the path of having to set up outbound rules based on domains and IPs and set specific students to specific WANs if it can be avoided as this can get very time consuming, and these students have so many devices and their own bandwidth habits change day to day.

Most sites these days are running off HTTPS too.

Weighting isn’t required as all 4 WAN lines are of the same speed. SpeedFusion isn’t required either as each WAN is of adequate speed for the most demanding of applications (can handle 4K streaming). I’d just like the router to load balance between the connections and keep everyone flicking around between the least used. This will become a bigger issue once the student residence has more tenants (full capacity is 40), but as it stands right now with 10 students, the 1 x WAN connection I’ve left everyone on for the time being is taking a real beating, especially in the evenings, so I’d need to resolve the outbound policy sooner rather than later. I’m convinced I’m missing a trick, so hoping somebody can help!

Thanks.
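Since the complaint above is that a client’s HTTPS connections hop between the four public IPs, here is an added illustration of the difference between per-session balancing (each new TCP connection goes to the least-loaded link) and a destination-persistence rule (a given client/server pair always leaves through the same link). This is example code written for this thread, not Peplink’s code and not a description of what the ‘Highest Compatibility’ or ‘HTTPS Persistence’ rules actually do internally; the WAN names, the egress addresses (RFC 5737 documentation ranges), the client and server addresses, and the use of rendezvous hashing for the persistence rule are all assumptions made for the illustration.

```python
import hashlib
from collections import Counter

# Constructed WAN names and public egress addresses (RFC 5737 documentation range);
# these are assumptions for the example, not real addresses from the thread.
WANS = ["WAN1", "WAN2", "WAN3", "WAN4"]
EGRESS_IP = {"WAN1": "203.0.113.1", "WAN2": "203.0.113.2",
             "WAN3": "203.0.113.3", "WAN4": "203.0.113.4"}


def least_used(load, healthy):
    """Per-session balancing: each new TCP connection goes to the healthy WAN
    with the fewest active sessions (ties broken by name)."""
    return min(healthy, key=lambda w: (load[w], w))


def persistent_by_destination(src_ip, dst_ip, healthy):
    """Persistence rule: pick a WAN by rendezvous (highest-random-weight) hashing
    of (client, server). The same pair always lands on the same WAN, and when a
    WAN drops out only the pairs that were on that WAN move."""
    key = f"{src_ip}|{dst_ip}"
    return max(healthy, key=lambda w: hashlib.sha256(f"{key}|{w}".encode()).digest())


def egress_ips_seen(policy, src_ip, dst_ip, n_connections, healthy=None, load=None):
    """Open n_connections from one client to one HTTPS server and return the
    public source IP the server sees for each connection, in order."""
    healthy = healthy if healthy is not None else WANS
    load = load if load is not None else Counter()
    seen = []
    for _ in range(n_connections):
        if policy == "least_used":
            wan = least_used(load, healthy)
        elif policy == "persistent":
            wan = persistent_by_destination(src_ip, dst_ip, healthy)
        else:
            raise ValueError(f"unknown policy {policy!r}")
        load[wan] += 1                 # the new session now counts against that link
        seen.append(EGRESS_IP[wan])
    return seen


def remap_after_failure(src_ips, dst_ip, failed):
    """Which clients change WAN for dst_ip when `failed` goes down?
    Returns {client: (old_wan, new_wan)} for the clients that moved."""
    healthy = [w for w in WANS if w != failed]
    moved = {}
    for src in src_ips:
        before = persistent_by_destination(src, dst_ip, WANS)
        after = persistent_by_destination(src, dst_ip, healthy)
        if before != after:
            moved[src] = (before, after)
    return moved


if __name__ == "__main__":
    client, bank = "10.0.1.5", "198.51.100.10"   # constructed client and server addresses
    # A browser opening several connections to one site: per-session balancing
    # shows the site up to four different public IPs; persistence shows one.
    print("least-used :", sorted(set(egress_ips_seen("least_used", client, bank, 8))))
    print("persistent :", sorted(set(egress_ips_seen("persistent", client, bank, 8))))
    clients = [f"10.0.{i // 250}.{i % 250 + 1}" for i in range(200)]
    moved = remap_after_failure(clients, bank, "WAN3")
    print(f"WAN3 down: {len(moved)} of {len(clients)} clients moved, all from WAN3:",
          all(old == "WAN3" for old, _ in moved.values()))
```

The second half of the example is the part worth checking on any multi-WAN persistence rule: when one link fails, only the sessions that were on it should move, otherwise every link flap logs everyone out of their banking and webmail sessions at once. Rendezvous hashing gives that property by construction; whether a particular router’s persistence rule behaves the same way is something to verify on the box, not something this thread states.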

These issues are not usual. The default HTTPS persistence rule found under outbound policies, when set to custom, normally works fine without any changes (unless you have a single firewall device on the LAN).

Please check each WAN connection settings and verify that you have set the upload and download speeds of each link.

Next go to Status, Client List. Do you see the students’ device(s) IPs listed there or just the UniFi AP IPs? Are you by any chance using a captive portal?

What is the target capacity / user count?

Are the Unifi running in router mode or access point mode? As Martin said you should be able to see the client devices, not just the access points.

Did you actually test turning off https persistence rule and seeing what impact it has? I turned it off as I used the fastest algorithm and have unstable WANs. I have yet to run into an issue with HTTPS persistence off but perhaps I am lucky? That said if you have 4x stable WANs, there could be a better way to configure.

Hello,

Apologies for the delayed response.

Each connection has been set to 80Mbit/20Mbit. The FTTC lines are near enough hitting max speed or thereabouts.

Yes, I see the client list, as well as the APs (that are static DHCP in the upper range of the subnet). A captive portal is being used but it’s a guest voucher system that I’m using. Everybody knows the passphrase, and then they’re taken to a portal to enter a voucher code that gives them 365 days, no bandwidth limits. I generated the one-time codes, distributed enough to the students for their devices, and they don’t need to enter them anymore whether they disconnect/reconnect on these existing devices anymore. This keeps anybody that shouldn’t be on the network, off the network at the landlord’s request.

Approx 50 users (each assumed to have anything between 3 and 5 devices - smartphone, tablet, laptop, TV). Currently we’re at approx a quarter of this capacity, and respect where it’s due, the 1 x VDSL 80mb/20mb line has been coping even with the demands of some students - some client devices are showing in the 50’s of GBs downloaded over the past month.

I’ve not tried this, too scared! Can you imagine the headache from the students when there’s a problem!

UPDATE:

So today I went in (for the last 2 weeks, the Peplink has been active on one connection only, with no issues since), and I activated all 4 lines again on the Peplink, and set the Highest Compatibility rule in the outbound policy. I then sat there for a good hour and everything looked good. Checking the status log, sessions were active across all 4 connections for many, many different applications from many of the students’ client IPs. I myself was browsing without any issues too. I also didn’t have that issue browsing the UniFi pages that I described above. I think that a restart of the UniFi gear last time round helped sort this, as other things had also glitched up with the WiFi (clients being disconnected/reconnected etc.). My browsing session seemed fine and I had my existing 20+ tabs open on my browser, most likely HTTPS; however, I was wired directly to the Peplink and not on the wireless. Next time, I will browse exclusively on the wireless; this is one thing in hindsight I didn’t do.

So this renders my UniFi portal issue in my main post solved.

So all good for an hour or so, and then I ended up getting a message from one student saying that her web browsing had gone funny. She was logged into Outlook Web and her screen was saying ‘can’t reach the internet - retry’. I’m assuming that disconnecting and reconnecting her WiFi would have rectified the session, maybe even closing and opening the browser, but before I heard any more complaints I disconnected 3 lines again. However, for all I’d have known, there may have been no further complaints. She may have also had this tab open since before the hour when it was just on the one connection, so it wasn’t able to refresh unless she closed/reopened the tab for a fresh HTTPS instance, but I’ll check this next time with her.

I’ll go in on another daytime to play around again, and risk it for longer and wait for more complaints this time round. I myself had no problems browsing and I don’t think anybody else did either apart from this one girl and her Outlook Web tab.

This is a request to Peplink: are you able to reveal the rules that are stored under the ‘Highest Compatibility’ setting in the Outbound Policy? Is it a multitude of rules for tens of applications, or just a couple of rules? Just out of curiosity really.

Thanks!