Testing the Balance 20X with different modules

IT test lab, in Germany, tested the hardware and software capabilities of the Balance 20X (with FlexModule Mini). Their test reports are written in German, but we have translated them into English. With these reports, you can have a better understanding of how the commissioning process works. Check it now:

You can also visit the original German version via the following links:


Central Infrastructure Management with InControl 2 from Peplink

Management and Monitoring of Distributed Organizations via Browser

With InControl 2, Peplink offers its customers a central, web-based management tool for its routers. In a short series of articles, we will look at the scope of this tool and analyze how to carry out daily activities using this solution. The first part of the series deals with the commissioning of a Peplink-based infrastructure and gives an overview of the management tool’s functions.

Peplink distributor Vitel provided us with a “Balance 20X” router for the test. This is a relatively inexpensive entry-level Peplink model that costs around 400 euros and is designed for use in branches and subsidiaries. This also meant it was the ideal product to test. After all, in distributed environments where a central infrastructure management system can score highly, many such routers can be used to connect the individual branches to the company headquarters.

The Hardware’s Range of Functions

Specifically, Balance 20X routers have a gigabit WAN port, four gigabit LAN ports and an LTE modem. They manage a throughput of 900 Mbps and have a USB port as well as an integrated Wi-Fi access point. According to the manufacturer, they are suitable for use in environments with up to 60 users. OpenVPN and PPTP servers are also included, as is a bandwidth usage monitor. The manufacturer states that the device’s power consumption is 28 watts.

Commissioning the Router and Internet Access

During the test, we connected the router to our Deutsche Glasfaser fiber optic network connection on the WAN side and to our central Aruba Switch on the LAN side. We then waited for the product to boot up. It comes with the default IP address 192.168.1.1. Since our LAN was on a different subnet, we moved a client to the router subnet for the initial configuration and then accessed the local web interface of the Peplink solution via the URL https://192.168.1.1. Login was completed with the default credentials “admin/admin”. Immediately after the first login, users are required to enter a new password to access the router. This makes sense as it prevents routers with default passwords from being active on the network. After changing the password, a setup wizard appeared to help configure the WAN ports for internet access. In addition to the Ethernet port, mobile data networks using SIM cards and USB devices can also be set up at this point.

Since the router was configured with a WAN-DHCP-Client factory setting and our fiber optic connection had expected this configuration, the product was already online when we logged in. We were therefore able to limit ourselves at this point to specifying the time zone to be used and closing the wizard. The wizard also suggested that it would be useful to set up email alerts, which we did. After that, we were free to access the local configuration tool, so we first adjusted the router’s LAN configuration to match our subnet. All our devices were then able to access the Internet immediately.

The router had already connected with InControl 2 at this point, which was clear from the fact that the local web interface indicated at various points that the relevant settings were managed by InControl 2. As a result, we then accessed the Peplink management tool via the URL https://InControl2.peplink.com and logged in with the account details that Vitel had given us for this test.

Vitel had already linked our router with its serial number to our InControl 2 account so we could start working immediately. If the router is not yet connected with the online tool, this can be done via “Settings / Add Devices”. In most cases, devices are set up at the company headquarters and then sent to remote offices. In this case, local users simply need to connect them to their network and boot them up. They will then automatically connect to InControl 2, as ours did, and can then be managed by the organization’s IT department. If required, there is also the option to push pre-built configurations (such as LAN settings) to the devices via InControl 2 so that local staff don’t have to access router management at all when commissioning the devices. As a result, the products are also suitable for use in environments where there are no employees with IT knowledge. This function is also beneficial in mass rollouts.

Configuring Central Functions such as Firewall and WLAN

After logging in to InControl 2, we started by creating a minimal firewall configuration that allowed all outgoing traffic and blocked all incoming traffic. This can be done by going to “Network Settings / Firewall Rules”. As is usual in such cases, the rules can be defined with parameters such as “Source”, “Destination”, “Protocol”, “Action” and the like, meaning that no administrator with limited experience in configuring firewalls should have any issues when using the management tool. Later in the test, we adjusted the firewall configuration to meet our specific requirements without encountering any problems.

(The router’s local configuration tool alerts users when certain functions, such as the firewall here, are being controlled via the web-based “InControl 2”.)

(When configuring firewall rules, a Protocol Selection Tool helps to select the correct protocol for the service in question. For example, if you select “ssh” using the tool, then “TCP” will automatically appear as the protocol entry. This is particularly useful for administrators who don’t deal with firewall configurations all the time.)

As far as the configuration of the WLAN is concerned, the administrators have the option, at group level, to specify SSIDs and radio settings that apply to all or specific routers within the company. They can also make Wi-Fi configurations at the router level that only apply to the device concerned in each case. For SSIDs, you can specify what the SSID should be called, on which devices it is active (all, only those selected, or all except explicitly stated components) and which security policy should be used. For the latter, the system supports “Open” and “WPA” (Personal or Enterprise), “WPA2” (Personal or Enterprise) and “WPA3” as well as combinations such as “WPA2/WPA3” or “WPA/WPA2”.

(Administrators can set up their WLANs via the SSID settings.)

Apart from that, layer 2 isolation can be activated, the SSID can be hidden, VLAN settings can be created, MAC filters can be set, and 2.4 or 5 GHz frequency bands can be selected for the SSID. Schedules that define when the respective WLAN should be active conclude the SSID configuration together with an optional restriction of the maximum number of clients and settings for multicast.

In the test, we created two SSIDs at this point which were active in the 2.4 and 5 GHz bands respectively and worked on the “WPA2/WPA3-Personal” security configuration. We left the radio settings on “Auto” for channel selection and channel width, and set the transmission power to “maximum” and did not limit the number of clients. After that, we were able to connect our Wi-Fi clients and use the wireless LANs without any problems.

InControl 2’s Other Functions

To finish off the test, we should briefly discuss the other features of InControl 2. In general, there are two overviews of the tool. On the one hand, there is the group, i.e. configuration parameters that affect all routers in the organization, and on the other hand, there are settings that refer to specific devices only.

After logging in, administrators will see a group dashboard that informs them, among other things, about existing devices, internet availability, and events. Under “Reports”, administrators can view reports on wired and wireless devices with data such as bandwidth usage and the number of clients per day. There are also usage reports with hourly data usage and an overview of uploads and downloads. Other reports deal with the Captive Portal, which we will discuss in more detail in another installment of our test series.

(Comprehensive reporting features keep IT managers up to date with the status of their organization.)

The same applies to the VPN/SpeedFusion configuration, which is found in the next menu item and which we will examine in the next episode of this test report. It is also worth mentioning that ACLs can be defined here in addition to the configuration of the interfaces, and VLAN configuration can be performed.

Apart from that, the group overview also offers a searchable list of connected clients with IP address, name, manufacturer, SSID, etc. The “Settings”, which enable the general group configuration, complete the group management. Among other things, devices can be added here, templates for the LAN configuration can be created or distributed (these have already been mentioned), and automatic configuration rollbacks can be set up, which restore the old configuration if an administrator is “locked out” due to an incorrect setting and can no longer access the device concerned. This is a very useful function. Under Settings, you can also create report emails, set up notifications (by mail, HTTPS, or app), manage InControl 2 user accounts and carry out firmware management.

At this point, it makes sense to quickly talk about the app that was just mentioned. It’s available on Android and iOS and not only displays notifications (for example, when the internet connection is down), but also provides an overview of the routers and clients as well as the network status.

Overview of Individual Routers

As far as the device overview is concerned, the system offers a dashboard for each individual router with data about the respective device, uptime, and utilization among other things. Various reports about devices, bandwidth usage and so on can also be viewed again at the device level, and VPNs and WLANs can be configured. Together with the settings, which also offer tools such as Ping and Traceroute to help in finding problems, a list of clients concludes the scope of the InControl 2 web interface.

Conclusion

In this post, we’ve learnt how to integrate a Peplink router into the InControl 2 environment and how the commissioning process works to the point where our test environment’s internet access worked as we imagined. In the next part, we will look at more challenging scenarios such as establishing a connection to a remote station and bundling multiple WAN access points.

In general, we can certainly conclude that Peplink’s InControl 2 provides a very powerful management and monitoring tool with a clear structure that can really help administrators with their daily work in distributed environments.


Testing: Peplink InControl 2 Part 2 – PepVPN/SpeedFusion

Fast integration of distributed users

The second part of our Peplink test series explores establishing a secure connection to a remote site, configuring redundant WAN links, and aggregating connections. For this purpose, we used the existing Peplink Balance 20X and a Peplink FusionHub as a remote station.

Although the Peplink components support IPSec, this technology is generally deployed only in environments where this is required for compatibility reasons or where third-party devices also need to be integrated. The so-called PepVPN is more powerful and easier to configure. It can be utilized in three different scenarios. First, to establish a secure, encrypted connection between two Peplink routers. Second, for a connection to Peplink’s “Fusion Cloud”, which consists of a large number of dial-in nodes (the SpeedFusion Cloud Nodes) available in many data centers - for example on AWS - around the world, to which the routers can then connect. With this method, users always enjoy the best performance because it is possible, among other things, to determine the nearest dial-in node via the router’s GPS position. This plays an important role especially when connecting cars and airplanes.

The third possible scenario - also used in this test - is the establishment of a connection to the company headquarters via a Peplink FusionHub installed locally there. This hub is available to users free of charge for the integration of a remote station. It is supplied as a virtual machine and can be easily imported into a hypervisor such as VMware’s ESXi. After that, the administrators can manage the FusionHub via a web interface that has been built in the same way as the router. For today’s test, we used a SIM card in our Balance router to implement a second WAN connection in addition to our normal fiber-optic connection.


(The configuration of our second WAN access via a SIM card.)

For the test, we will first look at setting up a PepVPN with the help of the central management tool “InControl 2”, which was the focus of last week’s test series. If an administrator logs into InControl 2, they have the option to activate the VPN and create a corresponding profile under the menu item “PepVPN / SpeedFusion”. The next step launches a wizard that first wants to know the desired topology for the connection. For this purpose, “Star”, “Fully Meshed” and “Point-to-Point” are available. In this case, we opted for Point-to-Point. Then we select the components involved (i.e. routers, hubs, etc.), which must be registered with InControl 2 at this point.

As soon as this information has been entered, the wizard prompts for the profile options. At this point, the administrators first assign a name for the profile, optionally activate 256-bit AES encryption and, if required, activate bonding, i.e. the combination of several WAN connections for the profile. Additionally, functions such as “WAN Smoothing” and “Forward Error Correction” can be activated, the “Path Cost” can be defined and a “Link Failure Detection Time” between one second and 15 seconds can be set. Finally, the wizard displays a summary and activates the profile. This allows administrators to establish the WAN connections they need within a very short time; in the test, it only took us a few minutes.


(The profile options of a PepVPN in the corresponding configuration wizard of InControl 2.)

PepVPNs and SpeedFusion with the local management interface

While configuring the WAN connections via InControl 2 is quick and easy, the Peplink components are capable of even more. If additional configuration steps are to be performed for the PepVPNs, the administrators must access the local management tools of the routers or hubs. By the way, this poses no issue even remotely, as InControl 2 offers its users the option to use the management tool of the affected components directly via the cloud, so the administrators do not need to be on the LAN to do so.

The local administration tool gives them the option to create a VPN profile under “Network / PepVPN”, which is initially given a name and makes it possible to activate encryption. The connection is established using a local and a remote ID as well as a pre-shared key. In addition, NAT mode can be activated, via which the local DHCP server assigns an IP address to the remote network for use in the VPN. It is also possible to specify the IP address of the remote station (in our case, this was the FusionHub), to set a bandwidth limit and the like. Finally, the administrators define the “WAN Connection Priority”. This determines which WAN connection should be used and when. For example, the Ethernet-based WAN connection can be set as the default. If this fails, the system switches to an alternative connection after the time specified in the “Link Failure Detection Time”. In our system, “Cellular” or “Mobile Internet” were available to us, the latter being a connected USB device. If the bonding function is active, the option to bundle certain WAN connections by assigning them the same priority is also available.


(The profile of the PepVPN in the local management tool of our router with the WAN Connection Priority.)

Summary and conclusion

After we entered the information required for our connection on both ends and the profile was active, we were able to work immediately via the new VPN connection. In operation, the system subsequently behaved as expected and we had a stable connection. During configuration, it was noticed that the hub’s management tool, as mentioned, was designed in the same way as the router’s, so there is no need to familiarize yourself with a different interface.

If required, the PepVPNs can be set up quickly and almost automatically via InControl 2. When configuring via this central management tool, it is especially noteworthy that the administrators do not have to deal with configuration parameters such as the IP address of the respective remote station since InControl 2 is already aware of them.

For higher requirements, even more functions can be used via the local interfaces. They enable the administrators to adapt their VPN connections exactly to their requirements. The final part of the test will focus on the captive portal of the Peplink solution.

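A simplified model of the “WAN Connection Priority” and “Link Failure Detection Time” behaviour described in the report above, added here as an illustration: it is not Peplink code and not part of the original test report. The class and function names, the priority numbering (1 = highest) and the outage times are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class WanLink:
    name: str
    priority: int                      # assumption: 1 = highest priority
    fails_at: Optional[float] = None   # constructed outage start (s); None = never fails


def considered_up(link: WanLink, now: float, detection_time: float) -> bool:
    """A link is only declared failed once it has been silent for the
    full Link Failure Detection Time; until then it still counts as up."""
    if link.fails_at is None or now < link.fails_at:
        return True
    return now - link.fails_at < detection_time


def select_active(links: List[WanLink], now: float,
                  detection_time: float, bonding: bool) -> List[str]:
    """Return the names of the WAN links that carry the tunnel at time `now`."""
    # The report gives a configurable range of 1 to 15 seconds.
    if not 1 <= detection_time <= 15:
        raise ValueError("Link Failure Detection Time must be 1..15 seconds")
    healthy = [l for l in links if considered_up(l, now, detection_time)]
    if not healthy:
        return []                      # every WAN link is down: no tunnel
    best = min(l.priority for l in healthy)
    tier = [l.name for l in healthy if l.priority == best]
    # With bonding, all healthy links sharing the best priority are bundled;
    # without it, only the first configured link of that tier is used.
    return tier if bonding else tier[:1]


def timeline(links: List[WanLink], detection_time: float, bonding: bool,
             until: int) -> List[Tuple[int, List[str]]]:
    """Step through time in 1 s ticks and record each change of the active set."""
    events: List[Tuple[int, List[str]]] = []
    previous = None
    for t in range(until + 1):
        active = select_active(links, t, detection_time, bonding)
        if active != previous:
            events.append((t, active))
            previous = active
    return events


if __name__ == "__main__":
    # Constructed scenario: Ethernet and Cellular share priority 1 (bonded),
    # the USB "Mobile Internet" link is the fallback.
    links = [
        WanLink("Ethernet WAN", 1, fails_at=10),
        WanLink("Cellular", 1, fails_at=12),
        WanLink("Mobile Internet", 2),
    ]
    for t, active in timeline(links, detection_time=5, bonding=True, until=30):
        print(f"t={t:>2}s active={active}")
```

In this model a link that stops responding at second 10 keeps receiving traffic until second 10 plus the detection time, so the chosen value is the length of the window in which the tunnel still relies on a dead link.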

Test Series: Peplink InControl 2 Part 3 - Captive Portal and Final Considerations

Social Wi-Fi from a central location

Having seen over the last few weeks how Peplink routers can be centrally managed with InControl and how remote peers can be securely connected, we now turn our attention to social Wi-Fi configuration. In this context, we took a closer look at the captive portal functionality of InControl 2. To conclude the series, we will also look at a few other points.

Captive portals enable granular control of access to Wi-Fi infrastructures. For example, they can be used to force users to accept the terms of use before being granted access to the WLAN. Alternatively, captive portals also allow only certain users to be admitted to the WLAN for specific periods of time.

To establish a captive portal for a WLAN with InControl 2 on a Balance 20X router, it is first necessary to create a VLAN under “Network Settings / VLAN Networks”. Afterwards, the responsible employees have to assign this via “Wi-Fi AP / Group-wide SSID Settings / VLAN Settings” to the SSID that is to be secured via the captive portal.

As soon as these preparatory measures have been carried out, the next step is to define a new captive portal under “Network Settings / Captive Portal”. This must first be given a name, and the IT managers must also specify the name of the company concerned. More interesting is the next point, which deals with the access mode. In this case, the system offers the alternatives “Social”, “Open Access”, “Guest Account”, “Token”, “E-Mail”, and “SMS”, which can also be used in combination.

“Social” signifies that users log on to the WLAN during operation with their accounts on the social networks “Facebook,” “Twitter,” “LinkedIn” or “Sina Weibo.” “Open Access” leaves access to the WLAN completely open; subscribers only have to press a login button on a welcome page. This makes sense mainly in connection with terms of use that have to be accepted and a daily quota. The latter, by the way, can be set by the administrators for each access mode. They are able to limit access in terms of time or data consumption, or to combine these two limitation options.

Access via “Guest Accounts” allows administrators to create guest accounts and then use them for the login process to the captive portal. These Guest Accounts can be created manually and imported from CSV files. They expire at a specific time, if desired, or after a pre-defined period of inactivity.

The next access mode enables tokens to be generated that are valid for a specific period of time and enable login to the WLAN. In contrast, in the access mode with e-mails, the responsible parties can request certain data from the users. This includes not only the mandatory e-mail address, but also optional information such as the name of the person concerned, the mobile phone number, the gender and the country of origin. This information can be selected individually. It is also possible to force users to click on a link in a confirmation e-mail to activate WLAN access.

And finally, the last access method enables access tokens to be sent via SMS. To do this, users must enter their mobile phone number on the captive portal page and then receive the token, which they can use to log in, directly on their smartphone.

After defining the access mode, IT managers are able to define how often users must log in. The options available here are “once”, “every day or after the quota is reset” and “every time they connect”. Additionally, in the captive portal configuration, specific networks can be allowed based on domains or IP addresses, and individual clients can be allowed (by MAC or IP address). Other than that, administrators can also define access control lists and enter a Google Analytics tracking ID.

The definition of the landing page that is first displayed to users after authorization completes the configuration of the captive portal. This contains a “Start Browsing” button and, once clicked, redirects the user to the page they originally accessed. Alternatively, it is also possible to always redirect all users to a specific page (for example, that of the hotel in question). If this is not necessary, the system can also send users directly to the page they originally wanted to see or directly to a page that the administrator specifies, so a landing page is optional.

In the “Preview and Customization” section, IT managers can customize the appearance of their captive portal with welcome text, logo, colors, and the like. In the test, we created several captive portals with open access, guest accounts, tokens, and e-mail. To activate these, the last step was to enter the desired captive portal in the VLAN where it is to be used, after which the portal is active and can be used. There were no problems during the test.

The captive portal function offers administrators a wide range of options for controlling user access to their WLAN networks. Thanks to an additional captive portal dashboard and extensive reporting functions, the responsible employees can also obtain precise information about user behavior with data usage, session time, and so on, even during operation.

Summary and Conclusion

To conclude, let’s go over a few more features of the Peplink solution that we haven’t mentioned yet. These include, for example, the “Outbound Policies”. With them, the responsible employees are able to define exactly which data transfers should go over which connections. The definition is made according to protocol, source and destination. This makes it possible to send certain applications over specific WAN connections or VPN tunnels. Consequently, administrators can define exactly which information is transferred where.

Another interesting feature is that the Peplink systems have a free content blocking database for filtering Internet content, a function for blocking certain apps, and an IDS with DoS prevention. Apart from that, Peplink and Vitel also offer comprehensive warranty options under the name “Peplink Care”, which cover hardware, firmware updates, technical support and management, among other things. The latter, for example, can be handled entirely by Vitel if desired. With these options, every company designs its environment as it needs it.