Central Infrastructure Management with InControl 2 from Peplink
Management and Monitoring of Distributed Organizations via Browser
With InControl 2, Peplink offers its customers a central, web-based management tool for its routers. In a short series of articles, we will look at the scope of this tool and analyze how to carry out daily activities using this solution. The first part of the series deals with the commissioning of a Peplink-based infrastructure and gives an overview of the management tool’s functions.
Peplink distributor Vitel provided us with a “Balance 20X” router for the test. This is a relatively inexpensive entry-level Peplink model that costs around 400 euros and is designed for use in branches and subsidiaries. That also made it the ideal product to test: central infrastructure management pays off most in distributed environments, where many such routers can be used to connect the individual branches to the company headquarters.
The Hardware’s Range of Functions
Specifically, Balance 20X routers have a gigabit WAN port, four gigabit LAN ports and an LTE modem. They manage a throughput of 900 Mbps and have a USB port as well as an integrated Wi-Fi access point. According to the manufacturer, they are suitable for use in environments with up to 60 users. OpenVPN and PPTP servers are also included, as is a bandwidth usage monitor. The manufacturer states that the device’s power consumption is 28 watts.
Commissioning the Router and Internet Access
During the test, we connected the router to our Deutsche Glasfaser fiber optic network connection on the WAN side and to our central Aruba Switch on the LAN side. We then waited for the product to boot up. It comes with the default IP address 192.168.1.1. Since our LAN was on a different subnet, we moved a client to the router subnet for the initial configuration and then accessed the local web interface of the Peplink solution via the URL https://192.168.1.1. Login was completed with the default credentials “admin/admin”. Immediately after the first login, users are required to enter a new password to access the router. This makes sense as it prevents routers with default passwords from being active on the network. After changing the password, a setup wizard appeared to help configure the WAN ports for internet access. In addition to the Ethernet port, mobile data networks using SIM cards and USB devices can also be set up at this point.
Since the router’s factory setting configures the WAN port as a DHCP client and our fiber optic connection expects this configuration, the product was already online when we logged in. We were therefore able to limit ourselves at this point to specifying the time zone to be used and closing the wizard. The wizard also suggested that it would be useful to set up email alerts, which we did. After that, we were free to access the local configuration tool, so we first adjusted the router’s LAN configuration to match our subnet. All our devices were then able to access the Internet immediately.
The router had already connected with InControl 2 at this point, which was clear from the fact that the local web interface indicated at various points that the relevant settings were managed by InControl 2. As a result, we then accessed the Peplink management tool via the URL https://InControl2.peplink.com and logged in with the account details that Vitel had given us for this test.
Vitel had already linked our router with its serial number to our InControl 2 account so we could start working immediately. If the router is not yet connected with the online tool, this can be done via “Settings / Add Devices”. In most cases, devices are set up at the company headquarters and then sent to remote offices. Local users there simply need to connect them to their network and boot them up. The devices then automatically connect to InControl 2, as ours did, and can be managed by the organization’s IT department. If required, there is also the option to push pre-built configurations (such as LAN settings) to the devices via InControl 2 so that local staff don’t have to access router management at all when commissioning the devices. As a result, the products are also suitable for use in environments where there are no employees with IT knowledge. This function is also beneficial in mass rollouts.
Configuring Central Functions such as Firewall and WLAN
After logging in to InControl 2, we started by creating a minimal firewall configuration that allowed all outgoing traffic and blocked all incoming traffic. This can be done by going to “Network Settings / Firewall Rules”. As is usual in such cases, the rules can be defined with parameters such as “Source”, “Destination”, “Protocol”, “Action” and the like, meaning that even administrators with limited experience in configuring firewalls should not have any issues when using the management tool. Later in the test, we adjusted the firewall configuration to meet our specific requirements without encountering any problems.
(The router’s local configuration tool alerts users when certain functions, such as the firewall here, are being controlled via the web-based “InControl 2”.)
(When configuring firewall rules, a Protocol Selection Tool helps to select the correct protocol for the service in question. For example, if you select “ssh” using the tool, then “TCP” will automatically appear as the protocol entry. This is particularly useful for administrators who don’t deal with firewall configurations all the time.)
As far as the configuration of the WLAN is concerned, the administrators have the option, at group level, to specify SSIDs and radio settings that apply to all or specific routers within the company. They can also make Wi-Fi configurations at the router level that only apply to the device concerned in each case. For SSIDs, you can specify what the SSID should be called, on which devices it is active (all, only those selected, or all except explicitly stated components) and which security policy should be used. For the latter, the system supports “Open” and “WPA” (Personal or Enterprise), “WPA2” (Personal or Enterprise) and “WPA3” as well as combinations such as “WPA2/WPA3” or “WPA/WPA2”.
(Administrators can set up their WLANs via the SSID settings.)
Apart from that, layer 2 isolation can be activated, the SSID can be hidden, VLAN settings can be created, MAC filters can be set, and the 2.4 or 5 GHz frequency bands can be selected for the SSID. The SSID configuration is rounded off by schedules that define when the respective WLAN should be active, an optional restriction of the maximum number of clients, and settings for multicast.
In the test, we created two SSIDs at this point, which were active in the 2.4 and 5 GHz bands respectively and used the “WPA2/WPA3-Personal” security configuration. We left the radio settings for channel selection and channel width on “Auto”, set the transmission power to “maximum”, and did not limit the number of clients. After that, we were able to connect our Wi-Fi clients and use the wireless LANs without any problems.
InControl 2’s Other Functions
To finish off the test, we should briefly discuss the other features of InControl 2. In general, the tool has two views. On the one hand, there is the group view, i.e. configuration parameters that affect all routers in the organization, and on the other hand, there are settings that refer to specific devices only.
After logging in, administrators will see a group dashboard that informs them, among other things, about existing devices, internet availability, and events. Under “Reports”, administrators can view reports on wired and wireless devices with data such as bandwidth usage and the number of clients per day. There are also usage reports with hourly data usage and an overview of uploads and downloads. Other reports deal with the Captive Portal, which we will discuss in more detail in another installment of our test series.
(Comprehensive reporting features keep IT managers up to date with the status of their organization.)
The same applies to the VPN/SpeedFusion configuration, which is found in the next menu item and which we will examine in the next episode of this test report. It is also worth mentioning that ACLs can be defined here in addition to the configuration of the interfaces, and VLAN configuration can be performed.
Apart from that, the group overview also offers a searchable list of connected clients with IP address, name, manufacturer, SSID, etc. The “Settings”, which enable the general group configuration, complete the group management. Among other things, devices can be added here, and the templates for the LAN configuration mentioned earlier can be created or distributed. Automatic configuration rollbacks can also be set up, which restore the old configuration if an administrator is “locked out” due to an incorrect setting and can no longer access the device concerned. This is a very useful function. Under Settings, you can also create report emails, set up notifications (by mail, HTTPS, or app), manage InControl 2 user accounts and carry out firmware management.
At this point, it makes sense to quickly talk about the app that was just mentioned. It’s available on Android and iOS and not only displays notifications (for example, when the internet connection is down), but also provides an overview of the routers and clients as well as the network status.
Overview of Individual Routers
As far as the device overview is concerned, the system offers a dashboard for each individual router with data about the respective device, uptime, and utilization among other things. Various reports about devices, bandwidth usage and so on can also be viewed again at the device level, and VPNs and WLANs can be configured. Together with the settings, which also offer tools such as Ping and Traceroute to help in finding problems, a list of clients concludes the scope of the InControl 2 web interface.
Conclusion
In this post, we’ve learnt how to integrate a Peplink router into the InControl 2 environment and how the commissioning process works to the point where our test environment’s internet access worked as we imagined. In the next installment, we will look at more challenging scenarios such as establishing a connection to a remote station and bundling multiple WAN access points.
In general, we can certainly conclude that Peplink’s InControl 2 provides a very powerful management and monitoring tool with a clear structure that can really help administrators with their daily work in distributed environments.