Group disable option


#1

It would be nice to have a simple way to disable groups instead of only being able to limit the group to 1kb up & down. How about a simple way to just switch them off or even be able to make a rule to tie the switch to a particular WAN. If you need to use WAN x which is an Inmarsat Fleet Broadband at over $20/Mb then you definitely want ALL clients except mission critical devices off!

Anyone else like to see this feature?


#2

Hi Rexy,

Guessing you are discussing the available feature for the Individual Bandwidth limit for the group settings.

Can you please elaborate more on the use case and the required setup for your environment?

Please include the below info in the use case for us to further consider the feasibility:

  1. Number of WANs
  2. How the WAN connections are being utilized
  3. Type of users in the LAN network
  4. Requirements for the Individual Bandwidth limit over the WANs

Thank You


#3

Could be on Individual, but a simple On/Off maybe Red/Green selection of Manager/Guest/Staff (or however many groups you have) on the Group Bandwidth would probably be best. The default could be green for the group name, but if you click on the group name to disable (and hit apply) it goes red.

  1. Could be as few as two or three WAN’s up to any number but normally a B580 so say five
  2. Least cost routing and weighted balance
  3. Staff (crew), Guests (guests) and Managers (mission critical and owners devices)
  4. This is for yacht applications so if you are on a shore WAN hard connection at the dock with no limits then it is not an issue. If you are on a WiFi WAN then probably same thing. If you are on cell WAN’s then you throttle the group bandwidth (and maybe individual) because you may be paying $300 for 50Gb. If you are VSAT then same thing since you could be paying $5,000 for 40Gb. If you are on Inmarsat Fleet Broadband then it is critical to disable most groups and clients because you are paying >$20/Mb!

#4

Hi Rexy,

Can I assume the WANs that require throttling are the backup WAN connections? Or is the actual requirement that you need those expensive WANs as active WANs together with the shore WAN hard connection at the dock?

Thank You


#5

Correct, the expensive WAN would only be used offshore when away from the dock LAN, out of WiFi range, out of cell range and if you do not have another lower cost option. In this mode it is only used with select devices for operational emails and (or) weather information, basically anything “mission critical”.

The last thing you want in this situation are numerous guest or staff (crew) devices cloud syncing, triggering OS updates or doing frivolous things on the internet when you’re paying >$20/Mb! You can tell them to shut everything down, but they think closing a laptop, not using a browser on their phone or putting a tablet in standby is good enough. In reality, if WiFi is still on then all these devices are still pinging and maintaining heartbeats, which adds up quickly. These expensive WAN’s are only 250-500k so you don’t even want to be running IC2 unless you absolutely need it because it alone uses something like 15-30k.


#6

Hi Rexy,

Based on the description given, I would think that this is more a matter of the configuration that needs to be defined on the device in order to block/avoid traffic using the expensive WAN. The configuration may involve WAN priority settings, outbound policy and firewall rules.

Let’s take an example configuration as below:

LAN Users:
Staff (crew), Guests (guests) and Managers (mission critical and owners devices)

WAN :
WIFI WAN - Shore
WAN - Dock - Shore
Cellular - OffShore
VSAT - OffShore

WAN Priority settings:
Priority 1
WIFI WAN
WAN Dock

Priority 2 (standby) - will be activated when the Priority 1 WANs are down.
Cellular - OffShore
VSAT - OffShore

Outbound policy
Priority Outbound Policy --> Staff (crew), Guests (guests) only use WIFI WAN & WAN Dock
Priority Outbound Policy --> Manager uses WIFI WAN, WAN Dock, Cellular, VSAT

Firewall Rules
Enable/schedule firewall rules to block Staff (crew), Guests (guests) internet access when the Yacht/Ship is leaving from shore

What do you think of the above settings?

Thank You


#7

I don’t see how you set groups in the priority outbound policy; could you please do some screen grabs? No need to schedule, staff and guest would never be allowed to use the expensive WAN so if we can just easily prevent that it would be good enough.

Thanks,


#8

Hi Rexy,

Let’s take the example setup below:

Available WAN
WAN1 - Shore
WAN2 - Shore
WAN3 - ExpensiveWAN

Users Network:
Staff - 192.168.1.0/24
Guest - 192.168.2.0/24
Manager- 192.168.0.0/24

Outbound Policy:

  1. Staff Outbound Policy
    Source IP: 192.168.1.0/24
    Destination: Any
    Service: Any
    Algorithm: Priority (WAN1, WAN2)


  2. Guest Outbound Policy
    Source IP: 192.168.2.0/24
    Destination: Any
    Service: Any
    Algorithm: Priority (WAN1, WAN2)


  3. Manager Outbound Policy
    Source IP: 192.168.0.0/24
    Destination: Any
    Service: Any
    Algorithm: Priority (WAN1, WAN2, WAN3)


With the above outbound policies, if WAN1 & WAN2 are down, Staff & Guest will not have internet access. For Manager, internet access is still allowed using WAN3 (ExpensiveWAN).


Thank You


#9

And that is where the problem lies. Frequently these are simple networks with no VLAN’s or separate networks for each group, just a Peplink router (might be a simple B30) and an unmanaged switch. Typically, staff are identified when they are the only ones onboard then reserved and imported to the Staff group. All DHCP are Guest and mission critical are imported into Manager, all on the same network.

So we are back to disabling groups in the first place or only allowing groups access to certain WAN’s to begin with.

Thanks for the reply though and can my request be considered for a future feature? In the meantime, we’ll continue to cut the group down to 1Kbps but even that is not ideal when you have numerous devices that may not be switched off…


#10

Hi Rexy,

The suggested outbound policy can achieve what you need.

You only need to tweak the outbound policy in order to make sure Staff IPs & Guest IPs only use WAN1 or WAN2 connections while manager IPs can use all the available WANs.

For example:

Manager IP address:
192.168.0.2 (DHCP reserved IP)
192.168.0.3 (DHCP reserved IP)

Staff IP address:
192.168.0.4 (DHCP reserved IP)
192.168.0.5 (DHCP reserved IP)

Guest:
Other IP address for 192.168.0.0/24

Required Outbound Policy:
192.168.0.2 priority outbound policy (WAN1, WAN2, WAN3) - policy 1
192.168.0.3 priority outbound policy (WAN1, WAN2, WAN3) - policy 2
192.168.0.4 priority outbound policy (WAN1, WAN2) - policy 3
192.168.0.5 priority outbound policy (WAN1, WAN2) - policy 4
192.168.0.0/24 priority outbound policy (WAN1, WAN2) - policy 5

Thank You
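
Added example, not part of the original thread and not Peplink's own code: a small Python model of the outbound policy list from post #10, assuming rules are evaluated top-down with the first match winning, that audits which LAN addresses would still reach WAN3 when it is the only healthy link. The function names and the `healthy` set are hypothetical.

```python
import ipaddress

# Policies from post #10, in the listed order: (source, WANs in priority order).
POLICIES = [
    ("192.168.0.2/32", ["WAN1", "WAN2", "WAN3"]),  # manager (DHCP reserved)
    ("192.168.0.3/32", ["WAN1", "WAN2", "WAN3"]),  # manager (DHCP reserved)
    ("192.168.0.4/32", ["WAN1", "WAN2"]),          # staff (DHCP reserved)
    ("192.168.0.5/32", ["WAN1", "WAN2"]),          # staff (DHCP reserved)
    ("192.168.0.0/24", ["WAN1", "WAN2"]),          # everyone else (guests)
]
EXPENSIVE = "WAN3"


def match_policy(src_ip, policies=POLICIES):
    """Return the WAN list of the first policy containing src_ip (assumed first-match)."""
    addr = ipaddress.ip_address(src_ip)
    for source, wans in policies:
        if addr in ipaddress.ip_network(source):
            return wans
    return None  # no rule matched; the router's default behaviour is not modelled


def select_wan(src_ip, healthy, policies=POLICIES):
    """Highest-priority healthy WAN permitted for src_ip, or None if it has no path."""
    wans = match_policy(src_ip, policies) or []
    return next((w for w in wans if w in healthy), None)


def expensive_wan_sources(policies=POLICIES, lan="192.168.0.0/24"):
    """Every LAN host that would use EXPENSIVE when it is the only healthy WAN."""
    return [str(h) for h in ipaddress.ip_network(lan).hosts()
            if select_wan(str(h), {EXPENSIVE}, policies) == EXPENSIVE]


if __name__ == "__main__":
    # Offshore: only the expensive link is up. Expect only the two manager IPs.
    print("reach WAN3:", expensive_wan_sources())
    # Order matters: with the /24 catch-all moved to the top, nobody reaches WAN3.
    misordered = [POLICIES[4]] + POLICIES[:4]
    print("catch-all first:", expensive_wan_sources(misordered))
```

The audit only holds while the DHCP reservations stay accurate, since a device's access follows whatever address it is given.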


#11

Thanks and that will achieve it with brute force, but we’re looking for the simplest way to do that without multiple steps. People (staff, guest & managers) come and go all the time on these yachts plus the people administering the IT are not IT experts. They are looking for K.I.S.S. (Keep It Simple Stupid) methods to simply disable groups, or limiting groups to certain WAN’s is what is needed. A big selling point about Peplink is the ease of use compared to everything else out there so I hope you can continue this theme…

Best,


#12

I know where you are coming from. I do agree with K.I.S.S! We should always keep things simple and automated. I think we should provide a solution that does not involve the customer making changes in the box. The Group disable option still needs the customer to enable/disable it manually. I am thinking other customers may have a similar request but need this to be done automatically.

Sit Loong has provided a great idea to automate the requirement. Do allow me to touch up a bit on Sit Loong’s solution. Please take note, this is just a one-time implementation and is expected to be configured by Peplink’s partner.

Assume you have connection below:-
Clients )))SSID = Owner, Vlan 10)))----------------------------------------------------(WAN1)—>
Clients )))SSID = Crew, Vlan 11))))) AP —> Managed switch —> Balance router (WAN2)—> Internet
Clients )))SSID = Guest, Vlan 12))))----------------------------------------------------(WAN3)—>

So, each group of clients will associate to its respective SSID. This will cater for the problem of people coming and going all the time. Then you may configure the Outbound Policy according to Sit Loong’s suggestion here. Everything will be automated after the Outbound Policies are configured.

This is just my 2 cents and I hope this helps.


#13

Thanks for the input TK and I still say change the firmware to allow selecting which WAN’s the Groups have access to. Make it a hidden menu if you want, but this would absolutely be the simplest and safest way to do it. This will go hand in hand when you finally add more Groups!

Again, your method will work, but most of these installations do not have the need or room for managed switches. A B30 or M700 on an 80’ yacht might not have any switch, just a few AP’s or a few hardwired PC’s plus the M700 AP. They still have the potential to rack up a $20,000 (or higher!) air time bill if something unwanted gets access to the expensive link. That is every yacht captain’s/owner’s worst fear and it happens on a regular basis!

The current safest method to safeguard the expensive WAN is to multi-NIC the mission critical CPU’s which bypasses the Peplink router completely. I don’t think that is what any of us want…