Peplink PEPWAVE MAX HD2 Dual 4G LTE Mobile Router User Manual

June 1, 2024
Peplink PEPWAVE

MAX HD2 Dual 4G LTE Mobile Router

Product Information

Specifications

  • Product Name: MAX HD2
  • Manufacturer: Pepwave
  • Firmware Version: 8.2.1 (Oct 2022)
  • Supported Features: SpeedFusion, QoS, High Availability, USB
    Modem Support, VPN, DPI Engine, NetFlow, Wi-Fi Monitoring, DNS over
    HTTPS, and more

Product Usage Instructions

Installation

Preparation: Ensure proper network construction
and configuration before installation.

Mounting the Unit

Mount the unit on a wall or in a car using the IP67 Installation
Guide or PDX Accessory Kit Installation Guide.

Connecting to the Web Admin Interface

Access the web admin interface by visiting https://www.peplink.com.

Configuring Interfaces

  • LAN Interface(s): Configure basic settings,
    port settings, and captive portal settings.

  • WAN Interface(s): Configure Ethernet WAN,
    Cellular WAN, Wi-Fi WAN, WAN connection settings, health check,
    bandwidth allowance monitoring, public IP addresses, and dynamic
    DNS settings.

  • Advanced Wi-Fi Settings: Configure advanced
    Wi-Fi settings for optimal performance.

Additional Features Configuration

  • MediaFast Configuration: Set up content
    caching, prefetching, and view statistics.

  • ContentHub Configuration: Configure ContentHub
    for websites and applications.

  • Firewall and Security: Configure
    outbound/inbound firewall rules, content blocking, and security
    settings.

  • Remote Access: Set up L2TP, OpenVPN, PPTP for
    remote user access.

Frequently Asked Questions (FAQ)

Q: How can I access the web admin interface?

A: You can access the web admin interface by visiting the URL
provided in the user manual or by entering the device’s IP address
in a web browser.

Q: What are some key features supported by the MAX HD2?

A: Some key features supported include SpeedFusion, QoS for
VoIP, High Availability via VRRP, USB Modem support, VPN
capabilities, DPI Engine, NetFlow monitoring, Wi-Fi Air Monitoring,
and DNS over HTTPS.

MAX Series
User Manual
Pepwave Products: MAX HD2
Pepwave Firmware 8.2.1 Oct 2022
COPYRIGHT & TRADEMARKS Specifications are subject to change without notice. Copyright © 2021 Peplink Pepwave Ltd. All Rights Reserved. Pepwave and the Pepwave logo are trademarks of Peplink International Ltd. Other brands or products mentioned may be trademarks or registered trademarks of their respective owners.

Table of Contents
Introduction and Scope
Glossary
Product Features Supported Network Features Other Supported Features
MAX Transit Pro E Overview
Advanced Feature Summary Drop-in Mode and LAN Bypass: Transparent Deployment QoS: Clearer VoIP Per-User Bandwidth Control High Availability via VRRP USB Modem and Android Tethering Built-In Remote User VPN Support SIM-card USSD support KVM Virtualization DPI Engine NetFlow Wi-Fi Air Monitoring SP Default Configuration SpeedFusion Cloud Relay DNS over HTTPS (DoH)
Installation Preparation Constructing the Network Configuring the Network Environment
Mounting the Unit Wall Mount Car Mount IP67 Installation Guide PDX Accessory Kit Installation Guide
Connecting to the Web Admin Interface

Home Page

2

7
8
9 9 12
13
15 15 15 16 16 17 17 18 18 19 19 19 19 20 20
21 21 21 22
23 23 23 23 24
31
Copyright @ 2021 Peplink

SpeedFusion Cloud Activate SpeedFusion Cloud Service Enable SpeedFusion Cloud Connect Clients to Cloud Link Wi-Fi to Cloud Optimize Cloud Application
Configuring the LAN Interface(s) Basic Settings Port Settings Captive Portal
Configuring the WAN Interface(s) Ethernet WAN Cellular WAN Wi-Fi WAN WAN Connection Settings (Common) WAN Health Check Bandwidth Allowance Monitoring Additional Public IP address Dynamic DNS Settings
Advanced Wi-Fi Settings
MediaFast Configuration Setting Up MediaFast Content Caching Scheduling Content Prefetching Viewing MediaFast Statistics
ContentHub Configuring the ContentHub Configure a website for ContentHub Configure an application for ContentHub
Docker
KVM
Bandwidth Bonding SpeedFusionTM / PepVPN PepVPN The Pepwave Router Behind a NAT Router

Home Page

3

33 33 36 44 45 47
48 48 60 61
64 67 76 81 84 85 88 89 89
91
95 95 97 99
100 100 100 103
105
105
107 108 116
Copyright @ 2021 Peplink

IPsec VPN IPsec VPN Settings GRE Tunnel
Outbound Policy Outbound Policy Adding Rules for Outbound Policy
Port Forwarding UPnP / NAT-PMP Settings
NAT Mappings
QoS User Groups Bandwidth Control Application
Firewall Outbound and Inbound Firewall Rules Content Blocking
Routing Protocols OSPF & RIPv2 BGP
Remote User Access L2TP with IPsec OpenVPN PPTP Authentication Methods
Miscellaneous Settings High Availability Certificate Manager Service Forwarding Service Passthrough UART GPS Forwarding Ignition Sensing Ignition Sensing installation

Home Page

4

118 118 122
124 125 126
136 138
139
141 141 142 142
145 146 151
153 153 155
160 160 160 161 161
163 163 166 167 170 172 174 175 175
Copyright @ 2021 Peplink

GPIO Menu NTP Server Grouped Networks Remote SIM Management SIM Toolkit
AP AP Controller Wireless SSID Wireless Mesh Settings
AP Controller Status Info Access Point (Usage) Wireless SSID Mesh / WDS Wireless Client Nearby Device Event Log
Toolbox
System Settings Admin Security Firmware Time Schedule Email Notification Event Log SNMP SMS Control InControl Configuration Feature Add-ons Reboot
Tools Ping Traceroute Test

Home Page

5

177 178 179 180 182
184 184 184 189 190
196 196 198 200 201 202 204 204
205
206 206 210 212 213 214 217 218 220 221 222 223 223
224 224 225
Copyright @ 2021 Peplink

PepVPN Test

225

Wake-on-LAN

226

CLI (Command Line Interface Support)

226

Status

227

Device

227

GPS Data

229

Active Sessions

230

Client List

232

WINS Client

233

UPnP / NAT-PMP

233

OSPF & RIPv2

234

BGP

235

SpeedFusion Status

235

Event Log

238

WAN Quality

239

Usage Reports

240

Real-Time

240

Hourly

241

Daily

242

Monthly

243

Appendix A: Restoration of Factory Defaults

245

Appendix B: FusionSIM Manual

246

Appendix C: Overview of ports used by Peplink SD-WAN routers and other Peplink

services

258

Appendix D: Declaration

260

Home Page

6

Copyright @ 2021 Peplink

Introduction and Scope
Pepwave routers provide link aggregation and load balancing across multiple WAN connections, allowing a combination of technologies like 3G HSDPA, EVDO, 4G LTE, Wi-Fi, external WiMAX dongle, and satellite to be utilized to connect to the Internet.
The MAX wireless SD-WAN router series has a wide range of products suitable for many different deployments and markets. Entry level SD-WAN models such as the MAX BR1 are suitable for SMEs or branch offices. High-capacity SD-WAN routers such as the MAX HD2 are suitable for larger organizations and head offices.
This manual covers setting up Pepwave routers and provides an introduction to their features and usage.
Tips Want to know more about Pepwave routers? Visit our YouTube Channel for a video introduction!

Home Page

7

Copyright @ 2021 Peplink

Glossary

The following terms, acronyms, and abbreviations are frequently used in this manual:

Term

Definition

3G

3rd generation standards for wireless communications (e.g., HSDPA)

4G

4th generation standards for wireless communications (e.g., LTE)

DHCP

Dynamic Host Configuration Protocol

DNS

Domain Name System

EVDO

Evolution-Data Optimized

FQDN

Fully Qualified Domain Name

HSDPA

High-Speed Downlink Packet Access

HTTP

Hyper-Text Transfer Protocol

ICMP

Internet Control Message Protocol

IP

Internet Protocol

LAN

Local Area Network

MAC Address Media Access Control Address

MTU

Maximum Transmission Unit

MSS

Maximum Segment Size

NAT

Network Address Translation

PPPoE

Point to Point Protocol over Ethernet

QoS

Quality of Service

SNMP

Simple Network Management Protocol

TCP

Transmission Control Protocol

UDP

User Datagram Protocol

VPN

Virtual Private Network

VRRP

Virtual Router Redundancy Protocol

WAN

Wide Area Network

WINS

Windows Internet Name Service

WLAN

Wireless Local Area Network

Home Page

8

Copyright @ 2021 Peplink

1 Product Features
Pepwave routers enable all LAN users to share broadband Internet connections, and they provide advanced features to enhance Internet access. Our Max BR wireless routers support multiple SIM cards. They can be configured to switch from using one SIM card to another SIM card according to different criteria, including wireless network reliability and data usage.
Our MAX HD series wireless routers are embedded with multiple 4G LTE modems, and allow simultaneous wireless Internet connections through multiple wireless networks. The wireless Internet connections can be bonded together using our SpeedFusion technology. This allows better reliability, larger bandwidth, and increased wireless coverage compared to use only one 4G LTE modem.
Below is a list of supported features on Pepwave routers. Features vary by model. For more information, please see peplink.com/products.
1.1 Supported Network Features
1.1.2 WAN Ethernet WAN connection in full/half duplex Static IP support for PPPoE Built-in cellular modems USB mobile connection(s) Wi-Fi WAN connection Network address translation (NAT)/port address translation (PAT) Inbound and outbound NAT mapping IPsec NAT-T and PPTP packet passthrough MAC address clone and passthrough Customizable MTU and MSS values WAN connection health check Dynamic DNS (supported service providers: changeip.com, dyndns.org, no-ip.org,
tzo.com and DNS-O-Matic) Ping, DNS lookup, and HTTP-based health check
1.1.3 LAN Wi-Fi AP Ethernet LAN ports DHCP server on LAN

Home Page

9

Copyright @ 2021 Peplink

Extended DHCP option support Static routing rules VLAN on LAN support
1.1.4 VPN PepVPN with SpeedFusionTM PepVPN performance analyzer X.509 certificate support VPN load balancing and failover among selected WAN connections Bandwidth bonding and failover among selected WAN connections IPsec VPN for network-to-network connections (works with Cisco and Juniper) Ability to route Internet traffic to a remote VPN peer Optional pre-shared key setting SpeedFusionTM throughput, ping, and traceroute tests PPTP server PPTP and IPsec passthrough
1.1.5 Firewall Outbound (LAN to WAN) firewall rules Inbound (WAN to LAN) firewall rules per WAN connection Intrusion detection and prevention Specification of NAT mappings Outbound firewall rules can be defined by destination domain name
1.1.6 Captive Portal Splash screen of open networks, login page for secure networks Customizable built-in captive portal Supports linking to outside page for captive portal
1.1.7 Outbound Policy Link load distribution per TCP/UDP service Persistent routing for specified source and/or destination IP addresses per TCP/UDP
service Traffic prioritization and DSL optimization Prioritize and route traffic to VPN tunnels with Priority and Enforced algorithms
1.1.8 AP Controller

Home Page

10

Copyright @ 2021 Peplink

Configure and manage Pepwave AP devices Review the status of connected APs
1.1.9 QoS Quality of service for different applications and custom protocols User group classification for different service levels Bandwidth usage control and monitoring on group- and user-level Application prioritization for custom protocols and DSL/cable optimization

Home Page

11

Copyright @ 2021 Peplink

1.2 Other Supported Features
User-friendly web-based administration interface HTTP and HTTPS support for web admin interface (default redirection to HTTPS) Configurable web administration port and administrator password Firmware upgrades, configuration backups, ping, and traceroute via web admin interface Remote web-based configuration (via WAN and LAN interfaces) Time server synchronization SNMP Email notification Read-only user access for web admin Shared IP drop-in mode Authentication and accounting by RADIUS server for web admin Built-in WINS servers Syslog SIP passthrough PPTP packet passthrough Event log Active sessions Client list WINS client list UPnP / NAT-PMP Real- time, hourly, daily, and monthly bandwidth usage reports and charts IPv6 support Support USB tethering on Android 2.2+ phones

  • Not supported on MAX Surf-On-The-Go, and BR1 variants

Home Page

12

Copyright @ 2021 Peplink

2 MAX HD2 Overview
2.1 Panel Appearance

2.2 LED indicators
The statuses indicated by the front panel LEDs are as follows:

Status Indicators

OFF

System initializing

Status

Red Blinking red

Booting up or busy Boot up error

Green

Ready

Cellular

OFF Blinking Slowly Green

Cellular Indicators Disabled or no SIM card inserted Connecting to network(s) Connected to network(s)

Wi-Fi / Wi-Fi AP

OFF ON

Wi-Fi Indicators Disabled intermittent Connected to wireless network(s)

Home Page

13

Copyright @ 2021 Peplink

Green LED Orange LED
Port Type

LAN Ports

ON

1000 Mbps

OFF

10 Mbps / 100 Mbps or port is not connected

ON

Port is connected without traffic

Blinking

Data is transferring

OFF

No data is being transferred or port is not connected

Auto MDI/MDI-X ports

Right LED Left LED Port Type

WAN Port

ON

1000 Mbps

OFF

10 Mbps / 100 Mbps or port is not connected

ON

Port is connected without traffic

Blinking

Data is transferring

OFF

No data is being transferred or port is not connected

Auto MDI/MDI-X ports

Home Page

14

Copyright @ 2021 Peplink

3 Advanced Feature Summary
3.1 Drop-in Mode and LAN Bypass: Transparent Deployment

As your organization grows, it may require more bandwidth, but modifying your network can be tedious. In Drop-in Mode, you can conveniently install your Peplink router without making any changes to your network. For any reason your Peplink router looses power, the LAN Bypass will safely and automatically bypass the Peplink router to resume your original network connection.
Note: Drop-in mode is compatible for All MAX models except MAX BR1 IP67
3.2 QoS: Clearer VoIP

VoIP and videoconferencing are highly sensitive to latency. With QoS, Peplink routers can detect VoIP traffic and assign it the highest priority, giving you crystal-clear calls.

Home Page

15

Copyright @ 2021 Peplink

3.3 Per-User Bandwidth Control

With per-user bandwidth control, you can define bandwidth control policies for up to 3 groups of users to prevent network congestion. Define groups by IP address and subnet, and set bandwidth limits for every user in the group.
3.4 High Availability via VRRP

When your organization has a corporate requirement demanding the highest availability with no single point of failure, you can deploy two Peplink routers in High Availability mode. With High Availability mode, the second device will take over when needed.

Home Page

16

Copyright @ 2021 Peplink

Compatible with: MAX 700, MAX HD2 (All variants), HD4 (All Variants)
3.5 USB Modem and Android Tethering

For increased WAN diversity, plug in a USB LTE modem as a backup. Peplink routers are compatible with over 200 modem types. You can also tether to smartphones running Android 4.1.X and above. Compatible with: MAX 700, HD2 (all variants except IP67), HD4 (All variants)
3.6 Built-In Remote User VPN Support

Use OpenVPN or L2TP with IPsec to safely and conveniently connect remote clients to your private network. L2TP with IPsec is supported by most devices, but legacy devices can also connect using PPTP.
Click here for the full instructions on setting up L2TP with IPsec. Click here for the full instructions on setting up OpenVPN connections

Home Page

17

Copyright @ 2021 Peplink

3.7 SIM-card USSD support

Cellular-enabled routers can now use USSD to check their SIM card’s balance, process pre-paid cards, and configure carrier-specific services. Click here for full instructions on using USSD
3.8 KVM Virtualization

KVM is a virtualisation module that allows administrators using our routers to host a large range of virtual machines. KVM is now supported on some MediaFast / ContentHub routers.

Home Page

18

Copyright @ 2021 Peplink

Click here for the full instructions on how to set up KVM Click here for the full instructions on how to set up KVM with USB Storage
3.9 DPI Engine
The DPI report written in the updated KB article will show further information on InControl2 through breaking down application categories into subcategories. https://forum.peplink.com/t/updated-ic2-deep-packet-inspection-dpi-reports- and-everythi ng-you-need-to-know-about-it/29658
3.10 NetFlow
NetFlow protocol is used to track network traffic. Tracking information from NetFlow can be sent to the NetFlow collector, which analyzes data and generates reports for review. Note: To enable this feature, go to https://<Device’s IP>/cgi-bin/MANGA/support.cgi

3.11 Wi-Fi Air Monitoring
Pepwave routers support Wi-Fi “Air Monitoring Mode” which used to troubleshoot remotely and proactively monitor Wi-Fi and WAN performance. The report can be viewed under InControl 2 > Reports > AirProbe Reports after enabling Wi-Fi Air Monitoring. Note: To enable this feature, go to https://<Device’s IP>/cgi- bin/MANGA/support.cgi

3.12 SP Default Configuration
The SP Default Configuration feature written in the updated KB article allows for the provisioning of custom made settings (a.k.a. InControl2 configuration) via the Ethernet LAN port and is ideal for those wanting to do a bulk deployment of many Peplink devices. Note: If you would like to use this feature, please contact your purchase point (Eg.VAD).

Home Page

19

Copyright @ 2021 Peplink

3.13 SpeedFusion Cloud Relay
Cloud Service Providers often restrict access to certain applications. With SFC Relay, you can route traffic before going out to the Internet, allowing access to previously restricted applications experienced with the public SpeedFusion Cloud nodes. Available as an add-on for your home router or as an upgradable license to your Peplink router, SFC Relay is sure to impress you and any peers you give access to. https://forum.peplink.com/t/configure- speedfusion-cloud-relay-server-and-client/6215ca9 b017e48e0f3ff2479/
3.14 DNS over HTTPS (DoH)
DoH provides the benefits of communicating DNS information over a secure HTTPS connection in an encrypted manner. The protocol offers increased privacy and confidentiality by preventing data interception and man-in-the-middle attacks.

Home Page

20

Copyright @ 2021 Peplink

4 Installation
The following section details connecting Pepwave routers to your network.
4.1 Preparation
Before installing your Pepwave router, please prepare the following as appropriate for your installation:
At least one Internet/WAN access account and/or Wi-Fi access information
Depending on network connection type(s), one or more of the following:
Ethernet WAN: A 10/100/1000BaseT UTP cable with RJ45 connector
USB: A USB modem
Embedded modem: A SIM card for 5G/4G LTE service
Wi-Fi WAN: Wi-Fi antennas
PC Card/Express Card WAN: A PC Card/ExpressCard for the corresponding card slot
A computer installed with the TCP/IP network protocol and a supported web browser. Supported browsers include Microsoft Internet Explorer 11 or above, Mozilla Firefox 24 or above, Apple Safari 7 or above, and Google Chrome 18 or above.
4.2 Constructing the Network
At a high level, construct the network according to the following steps:
1. With an Ethernet cable, connect a computer to one of the LAN ports on the Pepwave router. Repeat with different cables for up to 4 computers to be connected.
2. With another Ethernet cable or a USB modem/Wi-Fi antenna/PC Card/Express Card, connect to one of the WAN ports on the Pepwave router. Repeat the same procedure for other WAN ports.
3. Connect the power adapter to the power connector on the rear panel of the Pepwave router, and then plug it into a power outlet.

Home Page

21

Copyright @ 2021 Peplink

4.3 Configuring the Network Environment
To ensure that the Pepwave router works properly in the LAN environment and can access the Internet via WAN connections, please refer to the following setup procedures:
LAN configuration For basic configuration, refer to Section 8, Connecting to the Web Admin Interface. For advanced configuration, go to Section 9, Configuring the LAN Interface(s).
WAN configuration For basic configuration, refer to Section 8, Connecting to the Web Admin Interface. For advanced configuration, go to Section 9.2, Captive Portal.

Home Page

22

Copyright @ 2021 Peplink

5 Mounting the Unit
5.1 Wall Mount
The Pepwave MAX 700/HD2/On-The-Go can be wall mounted using screws. After adding the screw on the wall, slide the MAX in the screw hole socket as indicated below. Recommended screw specification: M3.5 x 20mm, head diameter 6mm, head thickness 2.4mm. The Pepwave MAX BR1 requires four screws for wall mounting.
5.2 Car Mount
The Pepwave MAX700/HD2 can be mounted in a vehicle using the included mounting brackets. Place the mounting brackets by the two sides and screw them onto the device.
5.3 IP67 Installation Guide
Installation instructions for IP67 devices can be found here: http://download.peplink.com/manual/IP67_Installation_Guide.pdf

Home Page

23

Copyright @ 2021 Peplink

5.4 PDX Accessory Kit Installation Guide
5.4.2 Battery Set appearance
Step 1: Lock the battery set in the slot with 2 pcs M3 screws.

Step 2: Plug power cable into the socket

Home Page

24

Copyright @ 2021 Peplink

STEP 3: Lock the slot cover with 4 pcs M3 screws.

5.4.3 SFE-DUO Set appearance

Home Page

25

Copyright @ 2021 Peplink

STEP 1: Assemble SMA cables to the device

STEP 2: Assemble bracket to the device

Home Page

26

Copyright @ 2021 Peplink

STEP 3: Assemble SMA connectors to the bracket

Home Page

27

Copyright @ 2021 Peplink

STEP 4: Lock the SFE-Duo set in the slot with 2 pcs M3 screws.

Home Page

28

Copyright @ 2021 Peplink

STEP 5: Connect DC power & ETH port

STEP 6: Lock the slot cover with 4 pcs M3 screws.

Home Page

29

Copyright @ 2021 Peplink

0

Home Page

30

Copyright @ 2021 Peplink

6 Connecting to the Web Admin Interface
1. Start a web browser on a computer that is connected with the Pepwave router through the LAN.
2. To connect to the router’s web admin interface, enter the following LAN IP address in the address field of the web browser: http://192.168.50.1 (This is the default LAN IP address for Pepwave routers.)
3. Enter the following to access the web admin interface. Username: admin Password: admin (This is the default username and password for Pepwave routers).
You must change the default password on the first successful logon. Password requirements are: A minimum of 10 lower AND upper case characters,
including at least 1 number. When HTTP is selected, the URL will be redirected to HTTPS by default.

Home Page

31

Copyright @ 2021 Peplink

After successful login, the Dashboard of the web admin interface will be displayed.

The Dashboard shows current WAN, LAN, and Wi-Fi AP statuses. Here, you can change WAN connection priority and switch on/off the Wi-Fi AP. For further information on setting up these connections, please refer to Sections 8 and 9.
Device Information displays details about the device, including model name, firmware version, and uptime. For further information, please refer to Section 22.
Important Note
Configuration changes (e.g. WAN, LAN, admin settings, etc.) will take effect only after clicking the Save button at the bottom of each page. The Apply Changes button causes the changes to be saved and applied.

Home Page

32

Copyright @ 2021 Peplink

7 SpeedFusion Cloud
With Peplink products, your device is able to connect to SpeedFusion Cloud without the use of a second endpoint. This service has wide access to a number of SpeedFusion endpoints hosted from around the world, providing your device with unbreakable connectivity wherever you are.
SpeedFusion Cloud is supported in firmware version 8.1.0 and above. SpeedFusion Cloud is a subscription basis. SpeedFusion Cloud license can be purchased at https://store.peplink.com/ > Cloud Solutions > SpeedFusion Cloud Service.
7.1 Activate SpeedFusion Cloud Service
You are entitled to a 30-day free period with 100GB of SpeedFusion usage upon activation of the SpeedFusion Cloud service. This offer is limited to once per device. To get your activation key please visit SpeedFusion Cloud.

Home Page

33

Copyright @ 2021 Peplink

Go to activate.speedfusion.com and select the type of SpeedFusion Cloud service, “Via Free 30-days Trial” or “Via Care Plans”, that you would like to activate. Next, register or login to your account.
Select the devices that you wish to activate SpeedFusion Cloud on and Click ACTIVATE.

Home Page

34

Copyright @ 2021 Peplink

From System > Features Add-ons, paste the license key into the window and click on Activate once you have received the license key.

Home Page

35

Copyright @ 2021 Peplink

7.2 Enable SpeedFusion Cloud
Access the Web Admin of the device you want to create as the SFC Relay Server, navigating to the “SpeedFusion Cloud” tab.

To setup a SpeedFusion Cloud Relay Server, select “Setup Home Sharing” > Choose the Cloud Location you wish to connect to > Click on the green tick button to confirm the change.

Home Page

36

Copyright @ 2021 Peplink

The Home Sharing Code will be generated and other peers can use this code to establish a SpeedFusion Cloud connection that will forward the traffic to this device, allowing them to access local networks and the Internet via your WAN connection.
To connect to SpeedFusion Cloud, you can select a Cloud Location of your choice, or simply Automatic, then the device will establish a connection to the nearest cloud server.
Choose Automatic > Click on the green tick button to confirm the change.

Home Page

37

Copyright @ 2021 Peplink

Or you may select Home Sharing and use your Home Sharing Code to create a profile if you have set up a SpeedFusion Cloud Relay Client on another device.
Click on Apply Changes to save the change.

Home Page

38

Copyright @ 2021 Peplink

By default, the router will build a SpeedFusion tunnel to the SpeedFusion Cloud

Home Page

39

Copyright @ 2021 Peplink

If you are running a latency sensitive service like video streaming or VOIP, a WAN Smoothing sub-tunnel can be created. Navigate to Speedfusion Cloud > Choose a cloud location > SFC.
A Speedfusion tunnel configuration window will pop out. Click on the + sign to create the WAN Smoothing sub-tunnel.

Home Page

40

Copyright @ 2021 Peplink

Home Page

41

Copyright @ 2021 Peplink

Click on Save and Apply Changes to save the configuration. Now, the router has 2 Speedfusion tunnels to the Speedfusion Cloud.

Home Page

42

Copyright @ 2021 Peplink

Create an outbound policy to steer the internet traffic to go into Speedfusion Cloud. Please go to Advanced > Outbound Policy, click on Add Rule to create a new outbound policy.

Home Page

43

Copyright @ 2021 Peplink

7.3 Connect Clients to Cloud
SpeedFusion Cloud provides a convenient way to route the LAN client to the cloud. From SpeedFusion Cloud > Connect Clients to Cloud.

Home Page

44

Copyright @ 2021 Peplink

Choose a client from the drop down list > Click + > Save > Apply Changes.
7.4 Link Wi-Fi to Cloud
SpeedFusion Cloud provides a convenient way to route the Wi-Fi client to the cloud from SpeedFusion Cloud > Link Wi-Fi to Cloud.

Home Page

45

Copyright @ 2021 Peplink

Create a new SSID for SpeedFusion Cloud. The new SSID will inherit all settings from one of the existing SSIDs including the Security Policy. Then click Save follow by Apply Changes.
SpeedFusion Cloud SSID will be shown on Dashboard.

Home Page

46

Copyright @ 2021 Peplink

7.5 Optimize Cloud Application
Optimize Cloud Application allows you to route Internet traffic to SpeedFusion Cloud based on the application. Go to SpeedFusion Cloud > Optimize Cloud Application.

Select a Cloud application to route through SpeedFusion Cloud from the drop down list > Click

Save > Apply Changes. Click the route through SpeedFusion Cloud.

to remove a selected Cloud application to

Home Page

47

Copyright @ 2021 Peplink

8 Configuring the LAN Interface(s)
8.1 Basic Settings
LAN interface settings are located at Network>LAN>Network Settings. Navigating to that page will show the following dashboard:

This represents the LAN interfaces that are active on your router (including VLAN). A grey “X” means that the VLAN is used in other settings and cannot be deleted. You can find which settings are using the VLAN by hovering over the grey “X”.
Alternatively, a red “X” means that there are no settings using the VLAN. You can delete that VLAN by clicking the red “X”
Clicking on any of the existing LAN interfaces (or creating a new one) will show the following :

IP Address

IP Settings The IP address and subnet mask of the Pepwave router on the LAN.

Name VLAN ID

Network Settings Enter a name for the LAN. Enter a number for your VLAN.

Inter-VLAN routing Check this box to enable routing between virtual LANs.

Home Page

48

Copyright @ 2021 Peplink

Layer 2 PepVPN Bridging

PepVPN Profiles to Bridge

The remote network of the selected PepVPN profiles will be bridged with this local LAN, creating a Layer 2 PepVPN, they will be connected and operate like a single LAN, and any broadcast or multicast packets will be sent over the VPN.

Remote Network Enable this option if you want to block network traffic between the remote

Isolation

networks, this will not affect the connectivity between them and this local LAN.

Spanning Tree Protocol

Click the box will enable STP for this layer 2 profile bridge.

Override IP Address when
bridge connected

Select “Do not override” if the LAN IP address and local DHCP server should remain unchanged after the Layer 2 PepVPN is up.
If you choose to override IP address when the VPN is connected, the device will not act as a router, and most Layer 3 routing functions will cease to work.

Click on the question Mark if you want to enable DHCP Option 82.

DHCP Option 82

This allows the device to inject Option 82 with Router Name information before forwarding the DHCP Request packet to a PepVPN peer, such that the DHCP

Server can identify where the request originates from.

Home Page

49

Copyright @ 2021 Peplink

DHCP Server DHCP Server
Logging IP Range & Subnet Mask Lease Time
DNS Servers
WINS Servers
BOOTP Extended DHCP Option

DHCP Server Settings
When this setting is enabled, the DHCP server automatically assigns an IP address to each computer that is connected via LAN and configured to obtain an IP address via DHCP. The Pepwave router’s DHCP server can prevent IP address collision on the LAN.
Enable logging of DHCP events in the eventlog by selecting the checkbox.
These settings allocate a range of IP addresses that will be assigned to LAN computers by the Pepwave router’s DHCP server.
This setting specifies the length of time throughout which an IP address of a DHCP client remains valid. Upon expiration of the lease time, the assigned IP address will no longer be valid and renewal of the IP address assignment will be required.
This option allows you to input the DNS server addresses to be offered to DHCP clients. If Assign DNS server automatically is selected, the Pepwave router’s built-in DNS server address (i.e., LAN IP address) will be offered.
This option allows you to optionally specify a Windows Internet Name Service (WINS) server. You may choose to use the built-in WINS server or external WINS servers. When this unit is connected using SpeedFusionTM, other VPN peers can share this unit’s built-in WINS server by entering this unit’s LAN IP address in their DHCP WINS Server setting. Afterward, all PC clients in the VPN can resolve the NetBIOS names of other clients in remote peers. If you have enabled this option, a list of WINS clients will be displayed at Status>WINS Clients.
Check this box to enable BOOTP on older networks that still require it.
In addition to standard DHCP options (e.g., DNS server address, gateway address, subnet mask), you can specify the value of additional extended DHCP options, as defined in RFC 2132. With these extended options enabled, you can

Home Page

50

Copyright @ 2021 Peplink

DHCP Reservation

pass additional configuration information to LAN hosts.

To define an extended DHCP option, click the Add button, choose the option to define and enter its value. For values that are in IP address list format, you can enter one IP address per line in the provided text area input control. Each option can be defined once only.

This setting reserves the assignment of fixed IP addresses for a list of computers on the LAN. The computers to be assigned fixed IP addresses on the LAN are identified by their MAC addresses. The fixed IP address assignment is displayed as a cross-reference list between the computers’ names, MAC addresses, and fixed IP addresses.

Name (an optional field) allows you to specify a name to represent the device.

MAC addresses should be in the format of 00:AA:BB:CC:DD:EE. Press

to

create a new record. Press

to remove a record. Reserved client

information can be imported from the Client List, located at Status>Client List.

For more details, please refer to Section 22.3.

Speed

LAN Physical Settings
This is the port speed of the LAN interface. It should be set to the same speed as the connected device to avoid port negotiation problems. When a static speed is set, you may choose whether to advertise its speed to the peer device. Auto is selected by default. You can choose not to advertise the port speed if the port has difficulty negotiating with the peer device.

Static Route Settings

Static Route

This table is for defining static routing rules for the LAN segment. A static route consists of the network address, subnet mask, and gateway address. The address and subnet mask values are in w.x.y.z format.
The local LAN subnet and subnets behind the LAN will be advertised to the VPN. Remote routes sent over the VPN will also be accepted. Any VPN member will be

able to route to the local subnets. Press to remove a route.

to create a new route. Press

A – Advanced feature, please click the button on the top right hand corner of the Static Route section to activate and configure Virtual Network Mapping to resolve network address conflict with remote peers.

Home Page

51

Copyright @ 2021 Peplink

In case of a network address conflict with remote peers (i.e. PepVPN / IPsec VPN / IP Forwarding WAN are considered as remote connections), you can define Virtual Network Mapping to resolve it.
Note: OSPF & RIPv2 settings should be updated as well to avoid advertising conflicted networks. For further details on virtual network mapping watch this video: https://youtu.be/C1FMdZCn3Z8

Virtual Network Mapping

One-to-One NAT

Every IP Address in the Local Network has a corresponding unique Virtual IP Address for NAT. Traffic originating from the Local Network to remote connections will be SNAT’ed and behave like coming from the defined Virtual Network. While traffic initiated by remote peers to the Virtual Network will be DNAT’ed accordingly.

The subnet range defined in Local Network will be mapped to a single Virtual IP Many-to-One NAT Address for NAT. Traffic can only be initiated from local to remote, and these
traffic will be NAT’ed and behaves like coming from the same Virtual IP Address.

Enable

WINS Server Settings
Check the box to enable the WINS server. A list of WINS clients will be displayed at Status>WINS Clients.

Home Page

52

Copyright @ 2021 Peplink

Enable DNS Caching

DNS Proxy Settings
To enable the DNS proxy feature, check this box, and then set up the feature at Network>LAN>DNS Proxy Settings. A DNS proxy server can be enabled to serve DNS requests originating from LAN/PPTP/SpeedFusionTM peers. Requests are forwarded to the DNS servers/resolvers defined for each WAN connection.
This field is to enable DNS caching on the built-in DNS proxy server. When the option is enabled, queried DNS replies will be cached until the records’ TTL has been reached. This feature can help improve DNS lookup time. However, it cannot return the most up-to-date result for those frequently updated DNS records. By default, DNS Caching is disabled.

Include Google Public DNS Servers

When this option is enabled, the DNS proxy server will also forward DNS requests to Google’s Public DNS Servers, in addition to the DNS servers defined in each WAN. This could increase the DNS service’s availability. This setting is disabled by default.

Local DNS Records

This table is for defining custom local DNS records. A static local DNS record consists of a host name and IP address. When looking up the host name from the LAN to LAN IP of the Pepwave router, the corresponding

IP address will be returned. Press to remove a record.

to create a new record. Press

DNS Resolvers A

Check the box to enable the WINS server. A list of WINS clients will be
displayed at Network>LAN>DNS Proxy Settings>DNS Resolvers. This field specifies which DNS resolvers will receive forwarded DNS requests.
If no WAN/VPN/LAN DNS resolver is selected, all of the WAN’s DNS
resolvers will be selected. If a SpeedFusionTM peer is selected, you may enter the VPN peer’s DNS

Home Page

53

Copyright @ 2021 Peplink

resolver IP address(es). Queries will be forwarded to the selected connections’ resolvers. If all of the selected connections are down, queries will be forwarded to all resolvers on healthy WAN connections.
A – Advanced feature, please click the button on the top right hand corner to activate.
Finally, if needed, configure Bonjour forwarding, Apple’s zero configuration networking protocol. Once VLAN configuration is complete, click Save to store your changes.

Bonjour Forwarding Settings

Enable

Check this box to turn on Bonjour forwarding.

Bonjour Service

Choose Service and Client networks from the drop-down menus, and then click

to add the networks. To delete an existing Bonjour listing, click

.

Home Page

54

Copyright @ 2021 Peplink

Drop-In Mode
Drop-in mode (or transparent bridging mode) eases the installation of the Pepwave MAX on a live network between the firewall and router, such that changes to the settings of existing equipment are not required. The following diagram illustrates drop-in mode setup:

Check the box Enable to enable the Drop-in Mode. After enabling this feature and selecting the WAN for Drop-in mode, various settings including the WAN’s connection method and IP address will be automatically updated. When drop-in mode is enabled, the LAN and the WAN for drop-in mode ports will be bridged. Traffic between the LAN hosts and WAN router will be forwarded between the devices. In this case, the hosts on both sides will not notice any IP or MAC address changes. After successfully setting up the Pepwave MAX as part of the network using drop-in mode, it will, depending on model, support one or more WAN connections. Some MAX units also support multiple WAN connections after activating drop-in mode, though a SpeedFusion license may be required to activate more than one WAN port.
Please note the Drop-In Mode is mutually exclusive with VLAN.

Home Page

55

Copyright @ 2021 Peplink

Drop-in Mode Settings

Enable

Drop-in mode eases the installation of the Pepwave MAX on a live network between the existing firewall and router, such that no configuration changes are required on existing equipment. Check the box to enable the drop-in mode feature.

WAN for

Select the WAN port to be used for drop-in mode. If WAN is selected, the high

Drop-In Mode availability feature will be disabled automatically.

When this option is enabled, the passthrough IP address will be used to connect

to WAN hosts (email notification, remote syslog, etc.). The MAX will listen for this

IP address when WAN hosts access services provided by the MAX (web admin

Shared Drop-In access from the WAN, DNS server requests, etc.).

IPA

To connect to hosts on the LAN (email notification, remote syslog, etc.), the default

gateway address will be used. The MAX will listen for this IP address when LAN

hosts access services provided by the MAX (web admin access from the WAN,

DNS proxy, etc.).

Shared IP Access to this IP address will be passed through to the LAN port if this device is

Home Page

56

Copyright @ 2021 Peplink

AddressA

not serving the service being accessed. The shared IP address will be used in connecting to hosts on the WAN (e.g., email notification, remote syslog, etc.) The device will also listen on the IP address when hosts on the WAN access services served on this device (e.g., web admin accesses from WAN, DNS server, etc.)

WAN Default Gateway

Enter the WAN router’s IP address in this field. If there are more hosts in addition
to the router on the WAN segment, click the button next to “WAN Default Gateway” and check the other host(s) on the WAN segment box and enter the IP address of the hosts that need to access LAN devices or be accessed by others.

WAN DNS Servers

Enter the selected WAN’s corresponding DNS server IP addresses.

A – Advanced feature, please click the button on the top right-hand corner to activate.

To enable VLAN configuration, click the button in the IP Settings section.

To add a new LAN, click the New LAN button. To change LAN settings, click the name of the LAN to change under the LAN heading.

The following settings are displayed when creating a new LAN or editing an existing LAN.

IP Address & Subnet Mask

IP Settings
Enter the Pepwave router’s IP address and subnet mask values to be used on the LAN.

Home Page

57

Copyright @ 2021 Peplink

Network Settings

Name VLAN ID

Enter a name for the LAN. Enter a number for the LAN.

Inter-VLAN routing

Check this box to enable routing between virtual LANs.

Captive Portal Check this box to turn on captive portals.

DHCP Server

DHCP Server Settings
When this setting is enabled, the Pepwave router’s DHCP server automatically assigns an IP address to each computer that is connected via LAN and configured to obtain an IP address via DHCP. The Pepwave router’s DHCP server can prevent IP address collisions on the LAN.

IP Range & Subnet Mask
Lease Time

To enable DHCP bridge relay, please click the icon on this menu item.
These settings allocate a range of IP addresses that will be assigned to LAN computers by the Pepwave router’s DHCP server.
This setting specifies the length of time throughout which an IP address of a DHCP client remains valid. Upon expiration of Lease Time, the assigned IP address will no longer be valid and the IP address assignment must be renewed.

Home Page

58

Copyright @ 2021 Peplink

DNS Servers

This option allows you to input the DNS server addresses to be offered to DHCP
clients. If Assign DNS server automatically is selected, the Pepwave router’s built-in DNS server address (i.e., LAN IP address) will be offered.

WINS Servers

This option allows you to specify the Windows Internet Name Service (WINS)
server. You may choose to use the built-in WINS server or external WINS servers. When this unit is connected using SpeedFusionTM, other VPN peers can share this
unit’s built-in WINS server by entering this unit’s LAN IP address in their DHCP WINS Servers setting. Therefore, all PC clients in the VPN can resolve the NetBIOS names of other clients in remote peers. If you have enabled this option, a
list of WINS clients will be displayed at Status>WINS Clients.

BOOTP

Check this box to enable BOOTP on older networks that still require it.

In addition to standard DHCP options (e.g. DNS server address, gateway address,

subnet mask), you can specify the value of additional extended DHCP options, as

Extended DHCP Option

defined in RFC 2132. With these extended options enabled, you can pass additional configuration information to LAN hosts. To define an extended DHCP option, click the Add button, choose the option to define, and then enter its value.

For values that are in IP address list format, you can enter one IP address per line

in the provided text area input control. Each option can be defined once only.

DHCP Reservation

This setting reserves the assignment of fixed IP addresses for a list of computers on the LAN. The computers to be assigned fixed IP addresses on the LAN are identified by their MAC addresses. The fixed IP address assignment is displayed as a cross-reference list between the computers’ names, MAC addresses, and fixed IP addresses.

Name (an optional field) allows you to specify a name to represent the device.

MAC addresses should be in the format of 00:AA:BB:CC:DD:EE. Press

to

create a new record. Press

to remove a record. Reserved clients

information can be imported from the Client List, located at Status>Client List.

For more details, please refer to Section 22.3.

To configure DHCP relay, first click the display the settings.

button found next to the DHCP Server option to

DHCP Relay Settings

Enable

Check this box to turn on DHCP relay. Click the icon to disable DHCP relay.

DHCP Server IP

Enter the IP addresses of one or two DHCP servers in the provided fields. The DHCP servers entered here will receive relayed DHCP requests from the LAN. For

Home Page

59

Copyright @ 2021 Peplink

Address

active-passive DHCP server configurations, enter active and passive DHCP server relay IP addresses in DHCP Server 1 and DHCP Server 2.

DHCP Option 82

DHCP Option 82 includes device information as relay agent for the attached client when forwarding DHCP requests from client to server. This option also embeds the device’s MAC address and network name in circuit and remote IDs. Check this box to enable DHCP Option 82.

Once DHCP is set up, configure LAN Physical Settings, Static Route Settings, WINS Server Settings, and DNS Proxy Settings as noted above.

8.2 Port Settings
To configure port settings, navigate to Network > Port Settings

On this screen, you can enable specific ports, as well as determine the speed of the LAN ports, whether each port is a trunk or access port, can well as which VLAN each link belongs to, if any.

Home Page

60

Copyright @ 2021 Peplink

8.3 Captive Portal
The captive portal serves as a gateway that clients have to pass if they wish to access the internet using your router. To configure, navigate to Network>LAN>Captive Portal.

Enable Hostname Access Mode

Captive Portal Settings
Check Enable and then, optionally, select the LANs/VLANs that will use the captive portal.
To customize the portal’s form submission and redirection URL, enter a new URL in this field. To reset the URL to factory settings, click Default.
Click Open Access to allow clients to freely access your router. Click User Authentication to force your clients to authenticate before accessing your router.
This authenticates your clients through a RADIUS server. After selecting this option, you will see the following fields:

RADIUS Server

LDAP Server

Fill in the necessary information to complete your connection to the server and enable authentication.
This authenticates your clients through a LDAP server. Upon selecting this option, you will see the following fields:

Home Page

61

Copyright @ 2021 Peplink

Access Quota
Quota Reset Time
Allowed Networks
Allowed Clients
Splash Page

Fill in the necessary information to complete your connection to the server and enable authentication.
Set a time and data cap to each user’s Internet usage.
This menu determines how your usage quota resets. Setting it to Daily will reset it at a specified time every day. Setting a number of minutes after quota reached establish a timer for each user that begins after the quota has been reached.
Add networks that can bypass the captive Portal in this field. To whitelist a network, enter the domain name / IP address here and click
. To delete an existing network from the list of allowed networks, click the button next to the listing.
Add MAC address and /or IP addresses for client devices that are allowed to bypass the Captive Portal. Clients accessing these domains and IP addresses will not be redirected to the splash page.
Here, you can choose between using the Pepwave router’s built-in captive portal and redirecting clients to a URL you define.

The Portal Customization menu has two options:

and

. Clicking

displays a pop-up previewing the captive portal that your clients will see. Clicking the following menu:

displays

Home Page

62

Copyright @ 2021 Peplink

Logo Image
Message
Terms & Conditions
Custom Landing
Page

Portal Customization Click the Choose File button to select a logo to use for the built-in portal. If you have any additional messages for your users, enter them in this field. If you would like to use your own set of terms and conditions, please enter them here. If left empty, the built-in portal will display the default terms and conditions.
Fill in this field to redirect clients to an external URL.

Home Page

63

Copyright @ 2021 Peplink

9 Configuring the WAN Interface(s)
WAN Interface settings are located at Network>WAN. To reorder WAN priority, drag on the appropriate WAN by holding the left mouse button, move it to the desired priority (the first one would be the highest priority, the second one would be lower priority, and so on), and drop it by releasing the mouse button.

To able a particular WAN connection, drag on the appropriate WAN by holding the left mouse button, move it the Disabled row, and drop it by releasing the mouse button. You can also set priorities on the Dashboard. Click the Details button in the corresponding row to modify the connection setting.
Important Note
Connection details will be changed and become effective immediately after clicking the Save and Apply button.

Home Page

64

Copyright @ 2021 Peplink

IPv6
You can also enable IPv6 support in this section.
DNS over HTTPS (DoH)
You can enable DoH (DNS over HTTPS) support in this section.

Enable Server

DNS over HTTPS
When this option is enabled, the DNS proxy server will use HTTPS connections to forward DNS requests to the DoH resolver; it will not fallback to traditional UDP DNS options.
The options to configure DoH with a predefined server are:
Cloudflare – The DNS server IP addresses for Cloudflare will be using 1.1.1.1, which is unfiltered.
Quad9 – The DNS server IP addresses for Quad9 will be using 9.9.9.9 and 142.112.112.112, which is malware blocking and DNSSEC.
Google DNS – The DNS server IP addresses for Google DNS will be using 8.8.8.8 and 8.8.4.4, which is RFC8484 standard.
OpenDNS – The DNS server IP addresses for OpenDNS will be using 208.67.222.222 and 208.67.220.220, which is standard DNS.
Custom URL – You may select Custom URL:, and enter the resolver URL and IP address.

Home Page

65

Copyright @ 2021 Peplink

WAN Quality Monitoring
This settings advice how WAN Quality information is being gathered.
By default, WAN Quality will always be observed and gathered automatically. With customized choice of WAN connections, the device will always observe WAN Quality of those selected WAN connections. Other WAN connections may stop observing WAN Quality information if it is not necessary for the underlying features.

Home Page

66

Copyright @ 2021 Peplink

9.1 Ethernet WAN
9.1.2 DHCP Connection There are four possible connection methods:
1. DHCP 2. Static IP 3. PPPoE 4. L2TP 5. GRE The DHCP connection method is suitable if the ISP provides an IP address automatically using DHCP (e.g., satellite modem, WiMAX modem, cable, Metro Ethernet, etc.).

Routing Mode
Hostname (Optional)

DHCP Connection Settings
NAT allows substituting the real address in a packet with a mapped address
that is routable on the destination network. By clicking the help icon in this field, you can display the IP Forwarding option, if your network requires it.
If your service provider’s DHCP server requires you to supply a hostname value upon acquiring an IP address, you may enter the value here. If your service provider does not provide you with the value, you can safely bypass this option.

Home Page

67

Copyright @ 2021 Peplink

Management IP Address

Management IP Address is available for configuration when you click the
link in the help icon via the Hostname.
This option allows you to configure the management IP address for the DHCP WAN connection.
Each ISP may provide a set of DNS servers for DNS lookups. This setting specifies the DNS (Domain Name System) servers to be used when a DNS lookup is routed through this connection.

DNS Servers

Selecting Obtain DNS server address automatically results in the DNS servers being assigned by the WAN DHCP server to be used for outbound DNS lookups over the connection. (The DNS servers are obtained along with the WAN IP address assigned from the DHCP server.)

When Use the following DNS server address(es) is selected, you may enter custom DNS server addresses for this WAN connection into the DNS Server 1 and DNS Server 2 fields.
When this IP Passthrough option is active, after the ethernet WAN connection is up, the router’s DHCP server will offer the connection’s IP address to one LAN client. All incoming or outgoing traffic will be routed without NAT.

IP Passthrough

Regardless the WAN connection’s state, the router always binds to the LAN IP address (Default: 192.168.50.1). So when the ethernet WAN is connected, the LAN client could access the router’s web admin by manually configuring its IP address to the same subnet as the router’s LAN IP address (e.g. 192.168.50.10).

Independent from Backup WANs
Standby State

Note: when this option is firstly enabled, the LAN client may not be able to refresh its IP address to the ethernet WAN IP address in a timely fashion. The LAN client may have to manually renew its IP address from DHCP server. After this option is enabled, the DHCP lease time will be 2 minutes. I.e. the LAN client could refresh its IP address and access the network at most one minute after the ethernet WAN connection goes up.
If this is checked, the connection will be working independent from other Backup WAN connections. Those in Backup Priority will ignore the status of this WAN connection, and will be used when none of the other higher priority connections are available.
This option allows you to choose whether to remain connected when this WAN connection is no longer in the highest priority and has entered the standby state. When Remain connected is chosen, upon bringing up this WAN connection to active, it will be immediately available for use.

If this WAN connection is charged by connection time, you may want to set

Home Page

68

Copyright @ 2021 Peplink

this option to Disconnect so that connection will be made only when needed.

Reply to ICMP PING
Upload Bandwidth
Download Bandwidth

PepVPN may use connected standby WAN for failover if link failure detected on the higher priority WAN, you can set this option to Disconnect to avoid data passing through.
If the checkbox is unticked, this option is disabled and the system will not reply to any ICMP ping echo requests to the WAN IP addresses of this WAN connection.
Default: ticked (Yes)
This field refers to the maximum upload speed.
This value is referenced when default weight is chosen for outbound traffic and traffic prioritization. A correct value can result in effective traffic prioritization and efficient use of upstream bandwidth.
This field refers to the maximum download speed.
Default weight control for outbound traffic will be adjusted according to this value.

9.1.3 Static IP Connection
The static IP connection method is suitable if your ISP provides a static IP address to connect directly.

Home Page

69

Copyright @ 2021 Peplink

Routing Mode
IP Address / Subnet Mask /
Default Gateway

Static IP Settings
NAT allows substituting the real address in a packet with a mapped address that is routable on the destination network. By clicking the help icon in this field, you can display the IP Forwarding option, if your network requires it.
These settings allow you to specify the information required in order to communicate on the Internet via a fixed Internet IP address. The information is typically determined by and can be obtained from the ISP.
Each ISP may provide a set of DNS servers for DNS lookups. This setting specifies the DNS (Domain Name System) servers to be used when a DNS lookup is routed through this connection.

DNS Servers

Selecting Obtain DNS server address automatically results in the DNS servers being assigned by the WAN DHCP server to be used for outbound DNS lookups over the connection. (The DNS servers are obtained along with the WAN IP address assigned from the DHCP server.

When Use the following DNS server address(es) is selected, you may enter custom DNS server addresses for this WAN connection into the DNS Server 1 and DNS Server 2 fields.

Home Page

70

Copyright @ 2021 Peplink

9.1.4 PPPoE Connection
This connection method is suitable if your ISP provides a login ID/password to connect via PPPoE.

PPPoE Settings

Routing Mode
PPPoE Username / Password
Confirm PPPoE Password
Service Name (Optional) IP Address

NAT allows substituting the real address in a packet with a mapped address that is routable on the destination network. By clicking the help icon in this field, you can display the IP Forwarding option, if your network requires it. Enter the required information in these fields in order to connect via PPPoE to the ISP. The parameter values are determined by and can be obtained from the ISP.
Verify your password by entering it again in this field.
Service name is provided by the ISP. Note: Leave this field blank unless it is provided by your ISP. If your ISP provides a PPPoE IP address, enter it here.

Home Page

71

Copyright @ 2021 Peplink

(Optional) DNS Servers

Note: Leave this field blank unless it is provided by your ISP.
Each ISP may provide a set of DNS servers for DNS lookups. This setting specifies the DNS (Domain Name System) servers to be used when a DNS lookup is routed through this connection.
Selecting Obtain DNS server address automatically results in the DNS servers being assigned by the WAN DHCP server to be used for outbound DNS lookups over the connection. (The DNS servers are obtained along with the WAN IP address assigned from the DHCP server.)
When Use the following DNS server address(es) is selected, you may enter custom DNS server addresses for this WAN connection into the DNS Server 1 and DNS Server 2 fields.

9.1.5 L2TP Connection
L2TP has all the compatibility and convenience of PPTP with greater security. Combine this with IPsec for a good balance between ease of use and security.

Home Page

72

Copyright @ 2021 Peplink

L2TP Settings

Routing Mode

NAT allows substituting the real address in a packet with a mapped address that is routable on the destination network. By clicking the help icon in this field, you can display the IP Forwarding option, if your network requires it.

L2TP Username / Password

Enter the required information in these fields in order to connect via L2TP to your ISP.
The parameter values are determined by and can be obtained from your ISP.

Confirm L2TP Password

Verify your password by entering it again in this field.

Server IP

L2TP server address is a parameter which is provided by your ISP.

Address / Host Note: Leave this field blank unless it is provided by your ISP.

Address Type

Your ISP will also indicate whether the server IP address is Dynamic or Static. Please click the appropriate value.

Each ISP may provide a set of DNS servers for DNS lookups. This setting specifies the DNS (Domain Name System) servers to be used when a DNS lookup is routed through this connection.

DNS Servers

Selecting Obtain DNS server address automatically results in the DNS servers assigned by the PPPoE server to be used for outbound DNS lookups over the WAN connection.
(The DNS servers are obtained along with the WAN IP address assigned from the PPPoE server.)

When Use the following DNS server address(es) is selected, you can enter custom DNS server addresses for this WAN connection into the DNS server 1 and DNS server 2 fields.

Home Page

73

Copyright @ 2021 Peplink

9.1.6 GRE Connection This connection method is suitable if your ISP provides a static WAN IP and Tunnel IP via GRE.

L2TP Settings

Routing Mode

NAT allows substituting the real address in a packet with a mapped address that is routable on the destination network. By clicking the help icon in this field, you can display the IP Forwarding option, if your network requires it.

WAN IP Address These settings allow you to specify the information required in order to
/ Subnet Mask / communicate on the Internet via a fixed Internet IP address. The information is Default Gateway typically determined by and can be obtained from the ISP.

Remote GRE Host

This field allows you to enter the IP address of the remote GRE.

Tunnel Local IP This field allows you to enter the IP address of the local tunnel for the GRE tunnel

Address

connection.

Tunnel Remote This field allows you to enter the IP address of the remote tunnel for the GRE IP Address tunnel connection.

Home Page

74

Copyright @ 2021 Peplink

Each ISP may provide a set of DNS servers for DNS lookups. This setting specifies the DNS (Domain Name System) servers to be used when a DNS lookup is routed through this connection.

DNS Servers

Selecting Obtain DNS server address automatically results in the DNS servers assigned by the PPPoE server to be used for outbound DNS lookups over the WAN connection.
(The DNS servers are obtained along with the WAN IP address assigned from the PPPoE server.)

When Use the following DNS server address(es) is selected, you can enter custom DNS server addresses for this WAN connection into the DNS server 1 and DNS server 2 fields.

Home Page

75

Copyright @ 2021 Peplink

9.2 Cellular WAN

To access cellular WAN settings, click Network>WAN>Details.

IMSI ICCID MEID IMEI

WAN Connection Status
This is the International Mobile Subscriber Identity which uniquely identifies the SIM card. This is applicable to 3G modems only.
This is a unique number assigned to a SIM card used in a cellular device.
Some Pepwave routers support both HSPA and EV-DO. For Sprint or Verizon Wireless EV-DO users, a unique MEID identifier code (in hexadecimal format) is used by the carrier to associate the EV-DO device with the user. This information is presented in hex and decimal format.
This is the unique ID for identifying the modem in GSM/HSPA mode.

Home Page

76

Copyright @ 2021 Peplink

Connection Settings

WAN Connection
Name

Indicate a name you wish to give this WAN connection

Routing Mode

This option allows you to select the routing method to be used in routing IP frames via the WAN connection. The mode can be either NAT (Network Address Translation) or IP Forwarding.
In the case if you need to choose IP Forwarding for your scenario. Click the button to enable IP Forwarding.

DNS Servers

Each ISP may provide a set of DNS servers for DNS lookups. This setting specifies the DNS (Domain Name System) servers to be used when a DNS lookup is routed through this connection.
Selecting Obtain DNS server address automatically results in the DNS servers assigned by the WAN DHCP server being used for outbound DNS lookups over the connection. (The DNS servers are obtained along with the WAN IP address assigned by the DHCP server.)
When Use the following DNS server address(es) is selected, you may enter custom DNS server addresses for this WAN connection into the DNS server 1 and DNS server 2 fields.

Independent from Backup
WANs

If this is checked, the connection will be working independent from other Backup WAN connections. Those in Backup Priority will ignore the status of this WAN connection, and will be used when none of the other higher priority connections are available.

Standby State

This option allows you to choose whether to remain connected or disconnected when this WAN connection is no longer in the highest priority and has entered the standby state. When Remain connected is chosen, bringing up this WAN connection to active makes it immediately available for use.

Home Page

77

Copyright @ 2021 Peplink

If this is checked, the connection will disconnect when idle after the configured Time
Idle Disconnect value.
This option is disabled by default.

SIM Card

Cellular Settings
IIndicate which SIM card this cellular WAN will use. Only applies to cellular WAN with redundant SIM cards. For routers that support the SIM Injector, you may select the “Use Remote SIM Only” to provision a SIM from a SIM Injector. Further details on the SIM Injector found is available here: https://www.peplink.com/products/sim-injector/.

Preferred SIM If “Both SIMs” were selected on the above field, then you can designate the priority

Home Page

78

Copyright @ 2021 Peplink

Card

of the SIM card slots here.
If “Use Remote SIM Only” is selected in the SIM card section, the Remote SIM Settings will be shown.

Remote SIM Settings

You may need to enable the remote SIM Host settings in the Remote SIM management, see the section 22.10 or Appendix B for more details on FusionSIM. After that, click on “Scan nearby remote SIM server” to show the serial number(s) of the connected SIM Injector(s).

LTE/3G
Optimal Network Discovery

If you want to select a specific SIM, in the Cellular Settings, type “:” and then the number of the SIM slot, eg.1111-2222-3333:7.
This drop-down menu allows restricting cellular to particular band. Click the button to enable the selection of specific bands.
Cellular WANs by default will only handover from 3G to LTE network when there is no active data traffic, enable this option will make it run the handover procedures after fallback to 3G for a defined effective period, even this may interrupt the connectivity for a short while.

Band Selection

When set to Auto, band selection allows for automatically connecting to available, supported bands (frequencies) . When set to Manual, you can manually select the bands (frequencies) the SIM will connect to.

Data Roaming

This checkbox enables data roaming on this particular SIM card. When data roaming is enabled this option allows you to select in which countries the SIM has a data connection. The option is configured by using MMC (country) codes.Please check your service provider’s data roaming policy before proceeding.

Authentication

Choose from PAP Only or CHAP Only to use those authentication methods exclusively. Select Auto to automatically choose an authentication method.

Operator Settings

This setting allows you to configure the APN settings of your connection. If Auto is selected, the mobile operator should be detected automatically. The connected
device will be configured and connection will be made automatically. If there is any
difficulty in making connection, you may select Custom to enter your carrier’s APN, Login, Password, and Dial Number settings manually. The correct values can be obtained from your carrier. The default and recommended setting is Auto.

Home Page

79

Copyright @ 2021 Peplink

APN / Login / When Auto is selected, the information in these fields will be filled automatically. Password / Select Custom to customize these parameters. The parameter values are
SIM PIN determined by and can be obtained from the ISP.

Bandwidth Allowance
Monitor

Check the box Enable to enable bandwidth usage monitoring on this WAN connection for each billing cycle. When this option is not enabled, bandwidth usage of each month is still being tracked but no action will be taken.

Action

If email notification is enabled, you will be notified by email when usage hits 75% and
95% of the monthly allowance. If Disconnect when usage hits 100% of monthly allowance is checked, this WAN connection will be disconnected automatically when the usage hits the monthly allowance. It will not resume connection unless this option
has been turned off or the usage has been reset when a new billing cycle starts.

Start Day This option allows you to define which day of the month each billing cycle begins.

Monthly This field is for defining the maximum bandwidth usage allowed for the WAN Allowance connection each month.

Signal Threshold Settings

If signal threshold is defined, this connection will be treated as down when a weaker than threshold signal is determined. The following values are used by the threshold scale:

To define the threshold manually using specific signal strength values, please click on the question Mark and the following field will be visible.

Home Page

80

Copyright @ 2021 Peplink

9.3 Wi-Fi WAN
To access Wi-Fi WAN settings, click Network>WAN>Details.

WAN Connection Settings

WAN Connection Name

Enter a name to represent this WAN connection.

Independent from Backup WANs

If this is checked, the connection will be working independent from other Backup WAN connections. Those in Backup Priority will ignore the status of this WAN connection, and will be used when none of the other higher priority connections are available.

Standby State

This setting specifies the state of the WAN connection while in standby. The
available options are Remain Connected (hot standby) and Disconnect (cold standby).

MTU

This setting specifies the maximum transmission unit. By default, MTU is set to
Custom 1440. You may adjust the MTU value by editing the text field. Click Default to restore the default MTU value. Select Auto and the appropriate MTU value will be automatically detected. The auto-detection will run each time the
WAN connection establishes

Reply to ICMP PING

If this setting is disabled, the WAN connection will not respond to ICMP ping requests. By default, this setting is enabled.

Home Page

81

Copyright @ 2021 Peplink

Wi-Fi WAN Settings Select the channel width for this Wi-Fi WAN. 20MHz will have greater support for Channel Width older devices using 2.4Ghz, while 40MHz is appropriate for networks with newer devices that connect using 5Ghz Determine whether the channel will be automatically selected. If you select custom, the following table will appear:
Channel

Output Power

If you are setting up a network with many Wi-Fi devices in close proximity, then you can configure the output power here. Click the “boost” button for additional power. However, with that option ticked, output power may exceed local regulatory limits.

Data Rate

Selecting Auto will enable the router to automatically determine the best data rate, while manually selecting a rate will force devices to connect using the fixed rate.

Roaming

Checking this box will enable Wi-Fi roaming. Click the options.

icon for additional

Connect to Any This option is to specify whether the Wi-Fi WAN will connect to any open mode Open Mode AP access points it finds.

Beacon Miss Counter

This sets the threshold for the number of missed beacons.

Channel Scan Interval

Configure Channel Scan Interval in ms.

Home Page

82

Copyright @ 2021 Peplink

9.3.2 Creating Wi-Fi Connection Profiles You can manually create a profile to connect to a Wi-Fi connection. This is useful for creating a profile for connecting to hidden-SSID access points. Click Network>WAN>Details>Create Profile… to get started.
This will open a window similar to the one shown below

Type

Wi-Fi Connection Profile Settings Select whether the network will connect automatically or manually.

Network Name (SSID)

Enter a name to represent this Wi-Fi connection.

Home Page

83

Copyright @ 2021 Peplink

Security
Shared Key Preffered BSSID Connected Method
DNS Servers

This option allows you to select which security policy is used for this wireless network. Available options:
Open WPA3 -Personal (AES:CCMP) WPA2/WPA3 -Personal (AES:CCMP) WPA2 ­ Personal: AES:CCMP WPA2 ­ Enterprise: AES: CCMP WPA/ WPA2 ­ Personal: TKIP/AES:CCMP WPA/ WPA2 ­ ENterprise: TKIP/AES:CCMP
Enter the password for the wireless network.
Configure the BSSID. The BSSID is the MAC address of the wireless access point (WAP). Choose DHCP or Static IP.
Configure the DNS servers that this WAN connection should use.

9.4 WAN Connection Settings (Common)
The remaining WAN-related settings are common to the WAN connection:

Speed

Physical Interface Settings
This is the port speed of the WAN connection. It should be set to the same speed as the connected device in case of any port negotiation problems.
When a static speed is set, you may choose whether to advertise its speed to the peer device or not. Advertise Speed is selected by default. You can choose not to advertise the port speed if the port has difficulty in negotiating with the peer device.
Default: Auto

Home Page

84

Copyright @ 2021 Peplink

MTU

This field is for specifying the Maximum Transmission Unit value of the WAN connection. An excessive MTU value can cause file downloads stall shortly after connected. You may consult your ISP for the connection’s MTU value. Default value is 1440.

MSS

This field is for specifying the Maximum Segment Size of the WAN connection.
When Auto is selected, MSS will be depended on the MTU value. When Custom is selected, you may enter a value for MSS. This value will be announced to remote TCP servers for maximum data that it can receive during the establishment of TCP connections.
Some Internet servers are unable to listen to MTU setting if ICMP is filtered by firewall between the connections.
Normally, MSS equals to MTU minus 40. You are recommended to reduce the MSS only if changing of the MTU value cannot effectively inform some remote servers to size down data size.
Default: Auto

MAC Address Clone

Some service providers (e.g. cable network) identify the client’s MAC address and require client to always use the same MAC address to connect to the network. If it is the case, you may change the WAN interface’s MAC address to the client PC’s one by entering the PC’s MAC address to this field. If you are not sure, click the Default button to restore to the default value.

VLAN

Check the box to assign a VLAN to the interface.

9.5 WAN Health Check

To ensure traffic is routed to healthy WAN connections only, the Pepwave router can periodically check the health of each WAN connection. The health check settings for each WAN connection can be independently configured via Network>WAN>Details.

Health Check Settings

Method

This setting specifies the health check method for the WAN connection. This value
can be configured as Disabled, PING, DNS Lookup, or HTTP. The default method is DNS Lookup. For mobile Internet connections, the value of Method can be configured as Disabled or SmartCheck.

Health Check Disabled

When Disabled is chosen in the Method field, the WAN connection will always be considered as up. The connection will NOT be treated as down in the event of IP routing errors.

Home Page

85

Copyright @ 2021 Peplink

Health Check Method: PING

ICMP ping packets will be issued to test the connectivity with a configurable target IP address or hostname. A WAN connection is considered as up if ping responses are received from either one or both of the ping hosts.

PING Hosts

This setting specifies IP addresses or hostnames with which connectivity is to be tested via ICMP ping. If Use first two DNS servers as Ping Hosts is checked, the target ping host will be the first DNS server for the corresponding WAN connection. Reliable ping hosts with a high uptime should be considered. By default, the first two DNS servers of the WAN connection are used as the ping hosts.

Health Check Method: DNS Lookup

DNS lookups will be issued to test connectivity with target DNS servers. The connection will be treated as up if DNS responses are received from one or both of the servers, regardless of whether the result was positive or negative.

Health Check DNS Servers

This field allows you to specify two DNS hosts’ IP addresses with which connectivity is to be tested via DNS lookup.
If Use first two DNS servers as Health Check DNS Servers is checked, the first two DNS servers will be the DNS lookup targets for checking a connection’s health. If the box is not checked, Host 1 must be filled, while a value for Host 2 is optional.
If Include public DNS servers is selected and no response is received from all specified DNS servers, DNS lookups will also be issued to some public DNS servers. A WAN connection will be treated as down only if there is also no response received from the public DNS servers.
Connections will be considered as up if DNS responses are received from any one of the health check DNS servers, regardless of a positive or negative result. By default, the first two DNS servers of the WAN connection are used as the health check DNS servers.

Health Check Method: HTTP

HTTP connections will be issued to test connectivity with configurable URLs and strings to match.

Home Page

86

Copyright @ 2021 Peplink

URL1 URL 2

WAN Settings>WAN Edit>Health Check Settings>URL1 The URL will be retrieved when performing an HTTP health check. When String to Match is left blank, a health check will pass if the HTTP return code is between 200 and 299 (Note: HTTP redirection codes 301 or 302 are treated as failures). When String to Match is filled, a health check will pass if the HTTP return code is between 200 and 299 and if the HTTP response content contains the string.
WAN Settings>WAN Edit>Health Check Settings>URL2 If URL2 is also provided, a health check will pass if either one of the tests passed.

Other Health Check Settings

Timeout

This setting specifies the timeout in seconds for ping/DNS lookup requests. The default timeout is 5 seconds.

Health Check This setting specifies the time interval in seconds between ping or DNS lookup

Interval

requests. The default health check interval is 5 seconds.

Health Check Retries

This setting specifies the number of consecutive ping/DNS lookup timeouts after which the Pepwave router will treat the corresponding WAN connection as down. Default health retries is set to 3. Using the default Health Retries setting of 3, the corresponding WAN connection will be treated as down after three consecutive timeouts.

This setting specifies the number of consecutive successful ping/DNS lookup

responses that must be received before the Pepwave router treats a previously

Recovery Retries

down WAN connection as up again. By default, Recover Retries is set to 3. Using the default setting, a WAN connection that is treated as down will be considered

as up again upon receiving three consecutive successful ping/DNS lookup

responses.

Automatic Public DNS Server Check on DNS Test Failure
When the health check method is set to DNS Lookup and health checks fail, the Pepwave router will automatically perform DNS lookups on public DNS servers. If the tests are successful, the WAN may not be down, but rather the target DNS server malfunctioned. You will see the following warning message on the main page:

Home Page

87

Copyright @ 2021 Peplink

9.6 Bandwidth Allowance Monitoring

Action
Start Day Monthly Allowance

Bandwidth Allowance Monitor
If Email Notification is enabled, you will be notified by email when usage hits 75% and 95% of the monthly allowance. If Disconnect when usage hits 100% of monthly allowance is checked, this WAN connection will be disconnected automatically when the usage hits the monthly allowance. It will not resume connection unless this option has been turned off or the usage has been reset when a new billing cycle starts.
This option allows you to define which day of the month each billing cycle begins.
This field is for defining the maximum bandwidth usage allowed for the WAN connection each month.

Disclaimer
Due to different network protocol overheads and conversions, the amount of data reported by this Peplink device is not representative of actual billable data usage as metered by your network provider. Peplink disclaims any obligation or responsibility for any events arising from the use of the numbers shown here.

Home Page

88

Copyright @ 2021 Peplink

9.7 Additional Public IP address

Additional Public IP Settings
IP Address List represents the list of fixed Internet IP addresses assigned by the ISP in the event that more than one Internet IP address is assigned to this WAN
IP Address List connection. Enter the fixed Internet IP addresses and the corresponding subnet
mask, and then click the Down Arrow button to populate IP address entries to the IP Address List.
9.8 Dynamic DNS Settings
Pepwave routers are capable of registering the domain name relationships to dynamic DNS service providers. Through registration with dynamic DNS service provider(s), the default public Internet IP address of each WAN connection can be associated with a host name. With dynamic DNS service enabled for a WAN connection, you can connect to your WAN’s IP address from the external, even if its IP address is dynamic. You must register for an account from the listed dynamic DNS service providers before enabling this option. If the WAN connection’s IP address is a reserved private IP address (i.e., behind a NAT router), the public IP of each WAN will be automatically reported to the DNS service provider. Either upon a change in IP addresses or every 23 days without link reconnection, the Pepwave router will connect to the dynamic DNS service provider to perform an IP address update within the provider’s records.
The settings for dynamic DNS service provider(s) and the association of hostname(s) are configured via Network>WAN>Details>Dynamic DNS Service Provider/Dynamic DNS Settings.

Home Page

89

Copyright @ 2021 Peplink

Dynamic DNS

Dynamic DNS Settings
This setting specifies the dynamic DNS service provider to be used for the WAN based on supported dynamic DNS service providers:
changeip.com dyndns.org no-ip.org tzo.com DNS-O-Matic Others…

Account Name / Email Address Password / TZO
Key
Hosts / Domain

Support custom Dynamic DNS servers by entering its URL. Works with any service compatible with DynDNS API. Select Disabled to disable this feature.
This setting specifies the registered user name for the dynamic DNS service.
This setting specifies the password for the dynamic DNS service.
This field allows you to specify a list of host names or domains to be associated with the public Internet IP address of the WAN connection. If you need to enter more than one host, use a carriage return to separate them.

Important Note
In order to use dynamic DNS services, appropriate host name registration(s) and a valid account with a supported dynamic DNS service provider are required. A dynamic DNS update is performed whenever a WAN’s IP address changes (e.g., the IP is changed after a DHCP IP refresh, reconnection, etc.). Due to dynamic DNS service providers’ policy, a dynamic DNS host will automatically expire if the host record has not been updated for a long time. Therefore the Pepwave router performs an update every 23 days, even if a WAN’s IP address has not changed.

Home Page

90

Copyright @ 2021 Peplink

10 Advanced Wi-Fi Settings
Wi-Fi settings can be configured at Advanced>Wi-Fi Settings (or AP>Settings on some models). Note: Menus displayed can vary by model.

SSID
Operating Country
Preferred Frequency

AP Settings
You can select the wireless networks for 2.4 GHz or 5 GHz separately for each SSID.
This drop-down menu specifies the national/regional regulations which the Wi- Fi radio should follow.
If a North American region is selected, RF channels 1 to 11 will be available and the maximum transmission power will be 26 dBm (400 mW).
If European region is selected, RF channels 1 to 13 will be available. The maximum transmission power will be 20 dBm (100 mW).
Note: Users are required to choose an option suitable to local laws and regulations.
Indicate the preferred frequency to use for clients to connect.

Important Note
Per FCC regulation, the country selection is not available on all models marketed in the US. All US models are fixed to US channels only.

Home Page

91

Copyright @ 2021 Peplink

AP Settings (part 2)

Protocol
Channel Width
Channel Auto Channel
Update
Output Power
Client Signal Strength Threshold
Maximum number of clients

This option allows you to specify whether 802.11b and/or 802.11g client association requests will be accepted. Available options are 802.11ng and 802.11na. By default, 802.11ng is selected. Available options are 20 MHz, 40 MHz, and Auto (20/40 MHz) . Default is Auto (20/40 MHz), which allows both widths to be used simultaneously. This option allows you to select which 802.11 RF channel will be utilized. Channel 1 (2.412 GHz) is selected by default.
Indicate the time of day at which update automatic channel selection.
This option is for specifying the transmission output power for the Wi-Fi AP. There are 4 relative power levels available ­ Max, High, Mid, and Low. The actual output power will be bound by the regulatory limits of the selected country.
Clients with signal strength lower than this value will not be allowed to connect.
This setting determines the maximum number of clients that can connect to this Wi-Fi frequency.

Advanced Wi-Fi AP settings can be displayed by clicking the on the top right- hand corner of
the Wi-Fi AP Settings section, which can be found at AP>Settings. Other models will display a separate section called Wi-Fi AP Advanced Settings, which can be found at Advanced>Wi-Fi Settings.

Home Page

92

Copyright @ 2021 Peplink

Advanced AP Settings

This field specifies the VLAN ID to tag to management traffic, such as

Management VLAN ID

communication traffic between the AP and the AP Controller. The value is zero by default, which means that no VLAN tagging will be applied.
Note: Change this value with caution as alterations may result in loss of

connection to the AP Controller.

Operating Schedule

Choose from the schedules that you have defined in System>Schedule. Select the schedule for the integrated AP to follow from the drop-down menu.

Beacon Rate A

This option is for setting the transmit bit rate for sending a beacon. By default, 1Mbps is selected.

Beacon Interval A

This option is for setting the time interval between each beacon. By default, 100ms is selected.

DTIM A

This field allows you to set the frequency for the beacon to include delivery traffic indication messages. The interval is measured in milliseconds. The default value is set to 1 ms.

RTS Threshold A

The RTS (Request to Clear) threshold determines the level of connection required before the AP starts sending data. The recommended standard of the RTS threshold is around 500.

Fragmentation Threshold A

This setting determines the maximum size of a packet before it gets fragmented into multiple pieces.

Distance / Time Select the range you wish to cover with your Wi-Fi, and the router will make

Convertor

recommendations for the Slot Time and ACK Timeout.

Slot Time A

This field is for specifying the unit wait time before transmitting a packet. By default, this field is set to 9 µs.

Home Page

93

Copyright @ 2021 Peplink

ACK Timeout A

This field is for setting the wait time to receive an acknowledgement packet before performing a retransmission. By default, this field is set to 48 µs.

Frame Aggregation This option allows you to enable frame aggregation to increase transmission

A

throughput.

A – Advanced feature, please click the button on the top right-hand corner to activate.

Enable Web Access
Protocol Management Port Admin Username Admin Password

Web Administration Settings Ticking this box enables web admin access for APs located on the WAN.
Determines whether the web admin portal can be accessed through HTTP or HTTPS
Determines the port at which the management UI can be accessed. Determines the username to be used for logging into the web admin portal Determines the password for the web admin portal on external AP.

Wi-Fi WAN settings can be configured at Advanced>Wi-Fi Settings (or Advanced

Wi-Fi WAN or some models).

Channel Width Bit Rate
Output Power

Wi-Fi WAN Settings
Available options are 20/40 MHz and 20 MHz. Default is 20/40 MHz, which allows both widths to be used simultaneously.
This option allows you to select a specific bit rate for data transfer over the device’s Wi-Fi network. By default, Auto is selected.
This option is for specifying the transmission output power for the Wi-Fi AP. There are 4 relative power levels available ­ Max, High, Mid, and Low. The actual output power will be bound by the regulatory limits of the selected country.
Note that selecting the Boost option may cause the MAX’s radio output to exceed local regulatory limits.

Home Page

94

Copyright @ 2021 Peplink

11 MediaFast Configuration
MediaFast settings can be configured from the Advanced menu.
11.1 Setting Up MediaFast Content Caching
To access MediaFast content caching settings, select Advanced>Cache Control

Enable
Domains / IP Addresses
Source IP Subnet

MediaFast
Click the checkbox to enable MediaFast content caching.
Choose to Cache on all domains, or enter domain names and then choose either Whitelist (cache the specified domains only) or Blacklist (do not cache the specified domains).
This setting allows caching to be enabled on custom subnets only. If “Any” is selected, then caching will apply to all subnets.

Home Page

95

Copyright @ 2021 Peplink

The Secure Content Caching menu operates identically to the MediaFast menu, except it is for secure content cachting accessible through https://. In order for Mediafast devices to cache and deliver HTTPS content, every client needs to have the necessary certificates installed.
See https://forum.peplink.com/t/certificate-installation-for-mediafast-https-caching/

Cache Control

Content Type

Check these boxes to cache the listed content types or leave boxes unchecked to disable caching for the listed types.

Cache Lifetime Settings

Enter a file extension, such as JPG or DOC. Then enter a lifetime in days to specify how long files with that extension will be cached. Add or delete entries using the controls on the right.

Home Page

96

Copyright @ 2021 Peplink

11.2 Scheduling Content Prefetching
Content prefetching allows you to download content on a schedule that you define, which can help to preserve network bandwidth during busy times and keep costs down. To access MediaFast content prefetching settings, select Advanced >Prefetch Schedule.

Prefetch Schedule Settings

Name

This field displays the name given to the scheduled download.

Status

Check the status of your scheduled download here.

Next Run Time/Last Run
Time

These fields display the date and time of the next and most recent occurrences of the scheduled download.

Last Duration

Check this field to ensure that the most recent download took as long as expected to complete. A value that is too low might indicate an incomplete download or incorrectly specified download target, while a value that is too long could mean a download with an incorrectly specified target or stop time.

Result

This field indicates whether downloads are in progress ( ) or complete ( ).

Last Download

Check this field to ensure that the most recent download file size is within the expected range. A value that is too low might indicate an incomplete download or incorrectly specified download target, while a value that is too long could mean a download with an incorrectly specified target or stop time. This field is also useful for quickly seeing which downloads are consuming the most storage space.

Actions

To begin a scheduled download immediately, click .

To cancel a scheduled download, click .

To edit a scheduled download, click

.

Home Page

97

Copyright @ 2021 Peplink

To delete a scheduled download, click . Click to begin creating a new scheduled download. Clicking the button will cause the following screen to appear:
New Schedule

Simply provide the requested information to create your schedule.

Clear Web Cache

To clear undone.

all

cached

content,

click

this

button.

Note

that

this

action

cannot

be

Clear Statistics To clear all prefetch and status page statistics, click this button.

Home Page

98

Copyright @ 2021 Peplink

11.3 Viewing MediaFast Statistics
To get details on storage and bandwidth usage, select Status>MediaFast.

Home Page

99

Copyright @ 2021 Peplink

12 ContentHub
ContentHub allows you to deliver webpages and applications to users connected to the SSID using the local storage on your router, like the Max HD2/HD4 with Mediafast, which can store up to 8GB of media. Users will be able to access news, articles, videos, and access your web app without the need for internet access. The ContentHub can be used to provide infotainment to connected users on transport.
12.1 Configuring the ContentHub
ContentHub storage needs to be configured before content can be uploaded to the ContentHub. Click on the link on the information panel to configure storage.
To access ContentHub, navigate to Advanced > ContentHub and check the Enable box.

On an external server, configure content (a website or application) that will be synced to the ContentHub. For example, an html5 website.
To configure a website or application as content, follow the steps below.
Configure a website for ContentHub
This option allows you to sync a website to the Pepwave router. This website will then be published with the specified domain from the router itself and makes the content available to the client via the HTTP/HTTPS protocol. Only FTP sync is supported for this type of ContentHub content. The content should be uploaded to an FTP server before you sync it with ContentHub.

Home Page

100

Copyright @ 2021 Peplink

Click New Website and a window with the following configuration options will appear:

Schedule

Active

Checking the box toggles the activation of the content.

Type

Select the type of content: Website or Application.

Protocol

Configure the protocol to be used: HTTP, HTTPS or both.

Domain/Path

Enter the URL for the ContenHub to use as the domain name for client access (such as http://mytest.com).

Method

Only applicable for Application type content. Choose between sync or file upload.

Source

Enter the details of the server that the content will be downloaded from. Enter credentials under Username and Password.

Period

This field determines how often the router will search for updates to the source content.

Bandwidth Limit

Set a bandwidth limit for clients.

Home Page

101

Copyright @ 2021 Peplink

Click “Save & Apply Now” to activate the changes. A screenshot of the display after configuration is shown below:

The content will be synced regularly according to the time set in the Period that was configured earlier.

If you want to activate the sync manually, you can click the ”

” icon. The “Status” column

will display the sync progress. When the sync is completed, a summary will be displayed, as

shown in the screenshot below:

To access the content, open a browser in the MFA’s client and enter the domain details that were configured earlier (such as http://mytest.com).

Home Page

102

Copyright @ 2021 Peplink

Configure an application for ContentHub
MediaFast routers allow you to configure and publish any application from the router itself by using one of the supported frameworks below:
Python (version 2.7.12) Ruby (version 2.3.3) Node.js (version 6.9.2)
Install the desired framework under “Package Manager” as shown below:

After installing the framework, change the “Type” to “Application” and configure the website.

Home Page

103

Copyright @ 2021 Peplink

The setting is the same as the Website type (refer to the description in the section above).
Application type content need to be packed as explained below: 1. Implement two bash script files, start.sh and stop.sh in the root folder, to start and stop your application. The MediaFast router will only execute start.sh and stop.sh when the corresponding website is enabled and disabled respectively. 2. Compress the application files and the bash script to .tar.gz format. 3. Upload this tar file to the router.

Home Page

104

Copyright @ 2021 Peplink

13 Docker
MediaFast enabled routers can host Docker containers when running Firmware 7.1 or later. Docker is an open platform for developing, shipping, and running applications. From Firmware version 7.1.0 and upwards, it is possible to install and run Docker Containers on your Pepwave routers with MediaFast, such as the MAX HD2 and the MAX HD4.
Due to the nature of Docker and its unlimited variables, this feature is supported by Pepwave up to the point of creating a running Docker Container. Information about Docker can be found on the Docker Documentation site: https://docs.docker.com/ 2
This will allow you to run a file sharing platform (ownCloud), a web server (WordPress, Joomla!) , a learning platform (Moodle), or a visualisation tool for viewing large scale data (Kibana). When creating a new Docker Container, the Pepwave router will search through the Docker Hub repository. https://hub.docker.com/explore/ 7
For detailed configuration instructions, refer to our knowledge base: https://forum.peplink.com/t/how-to-run-a-docker-application-on-a-peplink- mediafast-router/1602 1

Home Page

105

Copyright @ 2021 Peplink

14 KVM
MediaFast enabled routers now support KVM. Users will have to download and install Virtual Machine Manager to manage the KVM virtual machines. Through this, users are able to virtualise a Linux environment.

For detailed configuration instructions, refer to our knowledge base articles:

  1. How to install a Virtual Machine on Peplink/Pepwave – MediaFast/ContentHub Routers
    2. How to Install Virtual Machine with USB storage on Peplink/Pepwave MediaFast/ContentHub Routers

Home Page

106

Copyright @ 2021 Peplink

15 Bandwidth Bonding SpeedFusionTM / PepVPN

Pepwave bandwidth bonding SpeedFusionTM is our patented technology that enables our SD-WAN routers to bond multiple Internet connections to increase site-to-site bandwidth and reliability. SpeedFusion functionality securely connects your Pepwave router to another Pepwave or Peplink device (Peplink Balance 210/310/380/580/710/1350 only). Data, voice, or video communications between these locations are kept confidential across the public Internet.
Bandwidth bonding SpeedFusionTM is specifically designed for multi-WAN environments. In case of failures and network congestion at one or more WANs, other WANs can be used to continue carrying the network traffic.
Different models of our SD-WAN routers have different numbers of site-to-site connections allowed. End-users who need to have more site-to-site connections can purchase a SpeedFusion license to increase the number of site-to-site connections allowed.
Pepwave routers can aggregate all WAN connections’ bandwidth for routing SpeedFusionTM traffic. Unless all the WAN connections of one site are down, Pepwave routers can keep the VPN up and running.
VPN bandwidth bonding is supported in Firmware 5.1 or above. All available bandwidth will be utilized to establish the VPN tunnel, and all traffic will be load balanced at packet level across all links. VPN bandwidth bonding is enabled by default.

Home Page

107

Copyright @ 2021 Peplink

15.1 PepVPN
To configure PepVPN and SpeedFusion, navigate to Advanced>SpeedFusionTM or Advanced>PepVPN.

The local LAN subnet and subnets behind the LAN (defined under Static Route on the LAN settings page) will be advertised to the VPN. All VPN members (branch offices and headquarters) will be able to route to local subnets.
Note that all LAN subnets and the subnets behind them must be unique. Otherwise, VPN members will not be able to access each other.
All data can be routed over the VPN using the 256-bit AES encryption standard. To configure, navigate to Advanced>SpeedFusionTM or Advanced>PepVPN and click the New Profile button to create a new VPN profile (you may have to first save the displayed default profile in order to access the New Profile button). Each profile specifies the settings for making VPN connection with one remote Pepwave or Peplink device. Note that available settings vary by model.
A list of defined SpeedFusion connection profiles and a Link Failure Detection Time option will be shown. Click the New Profile button to create a new VPN connection profile for making a VPN connection to a remote Pepwave or Peplink device via the available WAN connections. Each profile is for making a VPN connection with one remote Pepwave or Peplink Device.

Home Page

108

Copyright @ 2021 Peplink

PepVPN Profile Settings

Name

This field is for specifying a name to represent this profile. The name can be any combination of alphanumeric characters (0-9, A-Z, a-z), underscores (_), dashes (-), and/or non-leading/trailing spaces ( ).

Active

When this box is checked, this VPN connection profile will be enabled. Otherwise, it will be disabled.

Encryption

By default, VPN traffic is encrypted with 256-bit AES. If Off is selected on both sides of a VPN connection, no encryption will be applied.

Select from By Remote ID Only, Preshared Key, or X.509 to specify the method Authentication the Pepwave MAX will use to authenticate peers. When selecting By Remote ID
Only, be sure to enter a unique peer ID number in the Remote ID field.

Remote ID / Pre-shared Key

This optional field becomes available when Remote ID / Pre-shared Key is selected as the Pepwave router’s VPN Authentication method, as explained above. Pre-shared Key defines the pre-shared key used for this particular VPN connection. The VPN connection’s session key will be further protected by the
pre-shared key. The connection will be up only if the pre-shared keys on each side

Home Page

109

Copyright @ 2021 Peplink

match. When the peer is running firmware 5.0+, this setting will be ignored.

Enter Remote IDs either by typing out each Remote ID and Pre-shared Key, or by

pasting a CSV. If you wish to paste a CSV, click the ID / Preshared Key” setting.

icon next to the “Remote

Remote ID/Remote Certificate

These optional fields become available when X.509 is selected as the Pepwave MAX’s VPN authentication method, as explained above. To authenticate VPN
connections using X.509 certificates, copy and paste certificate details into these
fields. To get more information on a listed X.509 certificate, click the Show Details link below the field.

Allow Shared When this option is enabled, the router will allow multiple peers to run using the Remote ID same remote ID.

NAT Mode

Check this box to allow the local DHCP server to assign an IP address to the
remote peer. When NAT Mode is enabled, all remote traffic over the VPN will be tagged with the assigned IP address using network address translation.

Remote IP Address / Host
Names (Optional)

If NAT Mode is not enabled, you can enter a remote peer’s WAN IP address or hostname(s) here. If the remote uses more than one address, enter only one of them here. Multiple hostnames are allowed and can be separated by a space character or carriage return. Dynamic-DNS host names are also accepted.
This field is optional. With this field filled, the Pepwave MAX will initiate connection to each of the remote IP addresses until it succeeds in making a connection. If the field is empty, the Pepwave MAX will wait for connection from the remote peer. Therefore, at least one of the two VPN peers must specify this value. Otherwise, VPN connections cannot be established.

Cost

Define path cost for this profile. OSPF will determine the best route through the network using the assigned cost. Default: 10

Data Port

This field is used to specify a UDP port number for transporting outgoing VPN data. If Default is selected, UDP port 4500 will be used. Port 32015 will be used if the remote unit uses Firmware prior to version 5.4 or if port 4500 is unavailable. If Custom is selected, enter an outgoing port number from 1 to 65535.

Click the

icon to configure data stream using TCP protocol

[EXPERIMENTAL].In the case TCP protocol is used, the exposed TCP session

option can be authorised to work with TCP accelerated WAN link.

Bandwidth Limit

Define maximum download and upload speed to each individual peer. This functionality requires the peer to use PepVPN version 4.0.0 or above.

While using PepVPN, utilize multiple WAN links to reduce the impact of packet

WAN Smoothing

loss and get the lowest possible latency at the expense of extra bandwidth consumption. This is suitable for streaming applications where the average bitrate

requirement is much lower than the WAN’s available bandwidth.

Home Page

110

Copyright @ 2021 Peplink

Off – Disable WAN Smoothing.

Normal – The total bandwidth consumption will be at most 2x of the original data traffic.

Medium – The total bandwidth consumption will be at most 3x of the original data traffic.

Forward Error Correction

High – The total bandwidth consumption depends on the number of connected active tunnels.
Forward Error Correction (FEC) can help to recover packet loss by using extra bandwidth to send redundant data packets. Higher FEC level will recover packets on a higher loss rate link.
The expected overhead of Low is 13.3% and High is 26.7%.

Require peer using PepVPN version 8.0.0 and above.
Receive Buffer can help to reduce out-of-order packets and jitter, but will introduce Receive Buffer extra latency to the tunnel. Default is 0 ms, which disables the buffer, and
maximum buffer size is 2000 ms.
If the packet size is larger than the tunnel’s MTU, it will be fragmented inside the tunnel in order to pass through.

Packet Fragmentation

Select Always to fragment any packets that are too large to send, or Use DF Flag to only fragment packets with Don’t Fragment bit cleared. This can be useful if your application does Path MTU Discovery, usually sending large packets with DF bit set, if allowing them to go through by fragmentation, the MTU will not be detected correctly.

Use IP ToSA Checking this button enables the use of IP ToS header field.

Latency
Difference CutoffA

Traffic will be stopped for links that exceed the specified millisecond value with respect to the lowest latency link. (e.g. Lowest latency is 100ms, a value of 500ms means links with latency 600ms or more will not be used)

A – Advanced feature, please click the button on the top right-hand corner to activate.
To enable Layer 2 Bridging between PepVPN profiles, navigate to Network>LAN>Basic Settings>LAN Profile Name and refer to instructions in section 9.1

Home Page

111

Copyright @ 2021 Peplink

Policy

Traffic Distribution
This option allows you to select the desired out-bound traffic distribution policy:
Bonding – Aggregate multiple WAN-to-WAN links into a single higher throughput tunnel.
Dynamic Weighted Bonding – Aggregates WAN-to-WAN links with similar latencies.
By default, Bonding is selected as a traffic distribution policy.

Congestion Latency Level

For most WANs, especially on cellular networks, the latency will increase when the link becomes more congested.
Setting the Congestion Latency Level to Low will treat the link as congested more aggressively.
Setting it to High will allow the latency to increase more before treating it as congested.

Ignore Packet By default, when there is packet loss, it is considered as a congestion event. If this Loss Event is not the case, select this option to ignore the packet loss event.

Disable Bufferbloat
Handling

Bufferbloat is a phenomenon on the WAN side when it is congested. The latency can become very high due to buffering on the uplink. By default, the Dynamic Weighted Bonding policy will try its best to mitigate bufferbloat by reducing TCP throughput when the WAN is congested. However, as a side effect, the tunnel might not achieve maximum bandwidth.
Selecting this option will disable the bufferbloat handling mentioned above.

Disable TCP ACK
Optimization

By default, TCP ACK will be forwarded to remote peers as fast as possible. This will consume more bandwidth, but may help to improve TCP performance as well.
Selecting this option will disable the TCP ACK optimization mentioned above.

Packet Jitter Buffer

The default jitter buffer is 150ms, and can be modified from 0ms to 500ms. The jitter buffer may increase the tunnel latency. If you want to keep the latency as low as possible, you can set it to 0ms to disable the buffer.
Note: If the Receive Buffer is set, the Packet Jitter Buffer will be automatically disabled.

Home Page

112

Copyright @ 2021 Peplink

8.41
WAN Connection Priority
If your device supports it, you can specify the priority of WAN connections to be used for making VPN connections. WAN connections set to OFF will never be WAN Connection used. Only available WAN connections with the highest priority will be used. Priority To enable asymmetric connections, connection mapping to remote WANs, cut-off
latency, and packet loss suspension time, click the button.

Send All Traffic To
This feature allows you to redirect all traffic to a specified PepVPN connection. Click the select your connection and the following menu will appear:

button to

You could also specify a DNS server to resolve incoming DNS requests. Click the checkbox next to Backup Site to designate a backup SpeedFusion profile that will take over, should the main PepVPN connection fail.
Outbound Policy/PepVPN Outbound Custom Rules Some models allow you to set outbound policy and custom outbound rules from Advanced>PepVPN.

Home Page

113

Copyright @ 2021 Peplink

See Section 14 for more information on outbound policy settings.

PepVPN Local ID
The local ID is a text string to identify this local unit when establishing a VPN connection. When creating a profile on a remote unit, this local ID must be entered in the remote unit’s Remote ID field. Click the
icon to edit Local ID.

PepVPN Settings

Handshake PortA

To designate a custom handshake port (TCP), click the custom radio button and enter the port number you wish to designate.

Backward Compatibility

Determine the level of backward compatibility needed for PepVPN tunnels. The
use of the Latest setting is recommended as it will improve the performance and resilience of SpeedFusion connections.

Link Failure Detection Time

The bonded VPN can detect routing failures on the path between two sites over each WAN connection. Failed WAN connections will not be used to route VPN traffic. Health check packets are sent to the remote unit to detect any failure. The more frequently checks are sent, the shorter the detection time, although more bandwidth will be consumed.
When Recommended (default) is selected, a health check packet is sent every five seconds, and the expected detection time is 15 seconds.
When Fast is selected, a health check packet is sent every three seconds, and the expected detection time is six seconds.
When Faster is selected, a health check packet is sent every second, and the expected detection time is two seconds.

Home Page

114

Copyright @ 2021 Peplink

When Extreme is selected, a health check packet is sent every 0.1 second, and the expected detection time is less than one second. A – Advanced feature, please click the button on the top right-hand corner to activate.
Important Note
Peplink proprietary SpeedFusionTM uses TCP port 32015 and UDP port 4500 for establishing VPN connections. If you have a firewall in front of your Pepwave devices, you will need to add firewall rules for these ports and protocols to allow inbound and outbound traffic to pass through the firewall.
Tip Want to know more about VPN sub-second session failover? Visit our YouTube Channel for a video tutorial!

Home Page

115

Copyright @ 2021 Peplink

15.2 The Pepwave Router Behind a NAT Router
Pepwave routers support establishing SpeedFusionTM over WAN connections which are behind a NAT (network address translation) router.
To enable a WAN connection behind a NAT router to accept VPN connections, you can configure the NAT router in front of the WAN connection to inbound port- forward TCP port 32015 to the Pepwave router.
If one or more WAN connections on Unit A can accept VPN connections (by means of port forwarding or not), while none of the WAN connections on the peer Unit B can do so, you should enter all of Unit A’s public IP addresses or hostnames into Unit B’s Remote IP Addresses / Host Names field. Leave the field in Unit A blank. With this setting, a SpeedFusionTM connection can be set up and all WAN connections on both sides will be utilized.
See the following diagram for an example of this setup in use:

One of the WANs connected to Router A is non-NAT’d (212.1.1.1). The rest of the WANs connected to Router A and all WANs connected to Router B are NAT’d. In this case, the Peer IP Addresses / Host Names field for Router B should be filled with all of Router A’s hostnames or public IP addresses (i.e., 212.1.1.1, 212.2.2.2, and 212.3.3.3), and the field in Router A can be left blank. The two NAT routers on WAN1 and WAN3 connected to Router A should inbound port-forward TCP port 32015 to Router A so that all WANs will be utilized in establishing the VPN.

Home Page

116

Copyright @ 2021 Peplink

15.3 SpeedFusionTM Status
SpeedFusionTM status is shown in the Dashboard. The connection status of each connection profile is shown as below.
After clicking the Status button at the top right corner of the SpeedFusionTM table, you will be forwarded to Status>SpeedFusionTM, where you can view subnet and WAN connection information for each VPN peer. Please refer to Section 22.6 for details.
IP Subnets Must Be Unique Among VPN Peers The entire interconnected SpeedFusionTM network is a single non-NAT IP network. Avoid duplicating subnets in your sites to prevent connectivity problems when accessing those subnets.

Home Page

117

Copyright @ 2021 Peplink

16 IPsec VPN
IPsec VPN functionality securely connects one or more branch offices to your company’s main headquarters or to other branches. Data, voice, and video communications between these locations are kept safe and confidential across the public Internet.
IPsec VPN on Pepwave routers is specially designed for multi-WAN environments. For instance, if a user sets up multiple IPsec profiles for a multi-WAN environment and WAN1 is connected and healthy, IPsec traffic will go through this link. However, should unforeseen problems (e.g., unplugged cables or ISP problems) cause WAN1 to go down, our IPsec implementation will make use of WAN2 and WAN3 for failover.
16.1 IPsec VPN Settings
Many Pepwave products can make multiple IPsec VPN connections with Peplink, Pepwave, Cisco, and Juniper routers. Note that all LAN subnets and the subnets behind them must be unique. Otherwise, VPN members will not be able to access each other. All data can be routed over the VPN with a selection of encryption standards, such as 3DES, AES-128, and AES-256. To configure IPsec VPN on Pepwave devices that support it, navigate to Advanced>IPsec VPN.
A NAT-Traversal option and list of defined IPsec VPN profiles will be shown. NAT-Traversal should be enabled if your system is behind a NAT router. Click the New Profile button to create new IPsec VPN profiles that make VPN connections to remote Pepwave, Cisco, or Juniper routers via available WAN connections. To edit any of the profiles, click on its associated connection name in the leftmost column.

Home Page

118

Copyright @ 2021 Peplink

Name Active

IPsec VPN Settings
This field is for specifying a local name to represent this connection profile.
When this box is checked, this IPsec VPN connection profile will be enabled. Otherwise, it will be disabled.

Home Page

119

Copyright @ 2021 Peplink

IKE Version

Two versions of the IKE standards are available:
IKEv1 IKEv2

Connect Upon Disconnection
of

Check this box and select a WAN to connect to this VPN automatically when the specified WAN is disconnected.

Remote Gateway IP Address / Host
Name

Enter the remote peer’s public IP address. For Aggressive Mode, this is optional.

Policy-based – (default) All the matched traffic as defined in Local Networks and Remote Networks will be routed to this IPsec connection, this cannot be overridden by other routing methods.

IPsec Type

Route-based – Outbound Policy rule is required to route traffic to this tunnel and comes with more flexibility to control how to route traffic compared to Policy-based. If you want to modify the traffic selector instead of using the default (0.0.0.0/0). Note: This option is available for certain following models only:
MAX: BR1 ENT, Transit, 700 HW3 or above, HD2 HW5 or above, HD4
Enter the local LAN subnets here. If you have defined static routes, they will be shown here.

Using NAT, you can map a specific local network / IP address to another, and the packets received by remote gateway will appear to be coming from the mapped network / IP address. This allow you to establish IPsec connection to a remote site that has one or more subnets overlapped with local site.

Two types of NAT policies can be defined:
Local Networks One-to-One NAT policy: if the defined subnet in Local Network and NAT Network has the same size, for example, policy “192.168.50.0/24 > 172.16.1.0/24” will translate the local IP address 192.168.50.10 to 172.16.1.10 and 192.168.50.20 to 172.16.1.20. This is a bidirectional mapping which means clients in remote site can initiate connection to the local clients using the mapped address too.

Remote

Many-to-One NAT policy: if the defined NAT Network on the right hand side is an IP address (or having a network prefix /32), for example, policy “192.168.1.0/24 > 172.168.50.1/32” will translate all clients in 192.168.1.0/24 network to 172.168.50.1. This is a unidirectional mapping which means clients in remote site will not be able to initiate connection to the local clients.
Enter the LAN and subnets that are located at the remote site here.

Home Page

120

Copyright @ 2021 Peplink

Networks

To access your VPN, clients will need to authenticate by your choice of methods.
Authentication Choose between the Preshared Key and X.509 Certificate methods of authentication.

Mode

Choose Main Mode if both IPsec peers use static IP addresses. Choose Aggressive Mode if one of the IPsec peers uses dynamic IP addresses.

Force UDP Encapsulation

For forced UDP encapsulation regardless of NAT-traversal, tick this checkbox.

This defines the peer authentication pre-shared key used to authenticate this
Pre-shared Key VPN connection. The connection will be up only if the pre- shared keys on each side match.

Remote Certificate (pem
encoded)

Available only when X.509 Certificate is chosen as the Authentication method, this field allows you to paste a valid X.509 certificate.

Local ID

In Main Mode, this field can be left blank. In Aggressive Mode, if Remote Gateway IP Address is filled on this end and the peer end, this field can be left blank. Otherwise, this field is typically a U-FQDN.

Remote ID

In Main Mode, this field can be left blank. In Aggressive Mode, if Remote Gateway IP Address is filled on this end and the peer end, this field can be left blank. Otherwise, this field is typically a U-FQDN.

Phase 1 (IKE) Proposal

In Main Mode, this allows setting up to six encryption standards, in descending order of priority, to be used in initial connection key negotiations. In Aggressive Mode, only one selection is permitted.

Phase 1 DH Group

This is the Diffie-Hellman group used within IKE. This allows two parties to establish a shared secret over an insecure communications channel. The larger the group number, the higher the security.
Group 2: 1024-bit is the default value.
Group 5: 1536-bit is the alternative option.

Phase 1 SA Lifetime

This setting specifies the lifetime limit of this Phase 1 Security Association. By default, it is set at 3600 seconds.

Phase 2 (ESP) Proposal

In Main Mode, this allows setting up to six encryption standards, in descending order of priority, to be used for the IP data that is being transferred. In
Aggressive Mode, only one selection is permitted.

Phase 2 PFS Group

Perfect forward secrecy (PFS) ensures that if a key was compromised, the attacker will be able to access only the data protected by that key.
None – Do not request for PFS when initiating connection. However, since there is no valid reason to refuse PFS, the system will allow the connection to use PFS if requested by the remote peer. This is the default value.

Home Page

121

Copyright @ 2021 Peplink

Phase 2 SA Lifetime

Group 2: 1024-bit Diffie-Hellman group. The larger the group number, the higher the security. Group 5: 1536-bit is the third option.
This setting specifies the lifetime limit of this Phase 2 Security Association. By default, it is set at 28800 seconds.

WAN Connection Priority WAN Connection Select the appropriate WAN connection from the drop-down menu.
16.2 GRE Tunnel
Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to- point links over an Internet Protocol network. A GRE tunnel is similar to IPSec or PepVPN. To configure a GRE Tunnel, navigate to Advanced > GRE Tunnel.
Click the New Profile button to create new GRE tunnel profiles that establish tunnel connections to remote tunnel endpoints via available WAN connections. To edit the profiles, click on its associated connection name in the leftmost column.

Home Page

122

Copyright @ 2021 Peplink

GRE Tunnel Profile Settings

Name

This field is for specifying a name to represent this GRE Tunnel connection profile.

Active

When this box is checked, this GRE Tunnel connection profile will be enabled. Otherwise, it will be disabled.

Remote GRE IP Address

This field is for entering the remote GRE’s IP address

Tunnel Local IP Address

This field is for specifying the tunnel source IP address.

Tunnel Remote IP Address

This field is for specifying the tunnel destination IP address

Tunnel Subnet Mask

This field is to select the subnet mask that is to be used for the GRE tunnel.

Connection Select the appropriate WAN connection from the drop-down menu.

Remote Networks

Input the LAN and subnets that are located at the remote site here.

Home Page

123

Copyright @ 2021 Peplink

17 Outbound Policy
Pepwave routers can flexibly manage and load balance outbound traffic among WAN connections.
Important Note Outbound policy is applied only when more than one WAN connection is active.
The settings for managing and load balancing outbound traffic are located at Advanced>Outbound Policy or Advanced>PepVPN, depending on the model.

Home Page

124

Copyright @ 2021 Peplink

17.1 Outbound Policy
Outbound policies for managing and load balancing outbound traffic are located at
Advanced>Outbound Policy> or Advanced>PepVPN>Outbound Policy. Click the button beside the Outbound Policy box:

There are three main selections for the outbound traffic policy:
High Application Compatibility Normal Application Compatibility Custom Note that some Pepwave routers provide only the Send All Traffic To setting here. See Section 12.1 for details.
Outbound Policy Settings

High Application Compatibility

Outbound traffic from a source LAN device is routed through the same WAN connection regardless of the destination Internet IP address and protocol. This option provides the highest application compatibility.

Normal Application Compatibility

Outbound traffic from a source LAN device to the same destination Internet IP address will be routed through the same WAN connection persistently, regardless of protocol. This option provides high compatibility to most applications, and users still benefit from WAN link load balancing when multiple Internet servers are accessed.

Custom

Outbound traffic behavior can be managed by defining rules in a custom rule table. A default rule can be defined for connections that cannot be matched with any of the rules.

The default policy is Normal Application Compatibility.
Tip Want to know more about creating outbound rules? Visit our YouTube Channel for a video tutorial!

Home Page

125

Copyright @ 2021 Peplink

17.2 Adding Rules for Outbound Policy
The menu underneath enables you to define Outbound policy rules:
The bottom-most rule is Default. Edit this rule to change the device’s default manner of controlling outbound traffic for all connections that do not match any of the rules above it. Under the Service heading, click Default to change these settings. To rearrange the priority of outbound rules, drag and drop them into the desired sequence.

Home Page

126

Copyright @ 2021 Peplink

By default, Auto is selected as the Default Rule. You can select Custom to change the algorithm to be used. Please refer to the upcoming sections for the details on the available algorithms.
To create a custom rule, click Add Rule at the bottom of the table.

Home Page

127

Copyright @ 2021 Peplink

Service Name Enable

New Custom Rule Settings
This setting specifies the name of the outbound traffic rule.
This setting specifies whether the outbound traffic rule takes effect. When Enable is checked, the rule takes effect: traffic is matched and actions are taken by the Pepwave router based on the other parameters of the rule. When Enable is unchecked, the rule does not take effect: the Pepwave router disregards the other parameters of the rule.
Click the drop-down menu next to the checkbox to apply a time schedule to this custom rule.
This setting specifies the source IP Address, IP Network, MAC Address or Grouped Network for traffic that matches the rule.

Source

Destination

This setting specifies the destination IP address, IP network, Domain name, SpeedFusion Cloud, PepVPN Profile or Grouped network for traffic that matches the rule.

Home Page

128

Copyright @ 2021 Peplink

If Domain Name is chosen and a domain name, such as foobar.com, is entered, any outgoing accesses to foobar.com and .foobar.com will match this criterion. You may enter a wildcard (.) at the end of a domain name to match any host with a name having the domain name in the middle. If you enter foobar.*, for example, www.foobar.com, www.foobar.co.jp, or foobar.co.uk will also match. Placing wildcards in any other position is not supported. Note: if a server has one Internet IP address and multiple server names, and if one of the names is defined here, access to any one of the server names will also match this rule.

This setting specifies the IP protocol and port of traffic that matches this rule. Via a drop-down menu, the following protocols can be specified:

Protocol and Port

Any TCP UDP IP DSCP

Alternatively, the Protocol Selection Tool drop-down menu can be used to automatically fill in the protocol and port number of common Internet services (e.g., HTTP, HTTPS, etc.)
After selecting an item from the Protocol Selection Tool drop-down menu, the protocol and port number remains manually modifiable.

Algorithm

This setting specifies the behavior of the Pepwave router for the custom rule. One of the following values can be selected (Note that some Pepwave routers provide only some of these options):
Weighted Balance Persistence Enforced Priority Overflow Least Used Lowest Latency Fastest Response Time For a full explanation of each Algorithm, please see the following article: https://forum.peplink.com/t/exactly-how-do- peplinks-load-balancing-algorithmns-work/8059

Load Distribution Weight

This is to define the outbound traffic weight ratio for each WAN connection.

Home Page

129

Copyright @ 2021 Peplink

This field allows you to configure the default action when all the selected Connections are not available.

When No connections are
available

Drop the Traffic – Traffic will be discarded.
Use Any Available Connections – Traffic will be routed to any available Connection, even it is not selected in the list.

Terminate Sessions on Connection
Recovery

Fall-through to Next Rule – Traffic will continue to match the next Outbound Policy rule just like this rule is inactive.
This setting specifies whether to terminate existing IP sessions on a less preferred WAN connection in the event that a more preferred WAN connection is recovered. This setting is applicable to the Priority algorithms. By default, this setting is disabled. In this case, existing IP sessions will not be terminated or affected when any other WAN connection is recovered. When this setting is enabled, existing IP sessions may be terminated when another WAN connection is recovered, such that only the preferred healthy WAN connection(s) is used at any point in time.

17.2.2 Algorithm: Weighted Balance
This setting specifies the ratio of WAN connection usage to be applied on the specified IP protocol and port. This setting is applicable only when Algorithm is set to Weighted Balance.

The amount of matching traffic that is distributed to a WAN connection is proportional to the weight of the WAN connection relative to the total weight. Use the sliders to change each WAN’s weight. For example, with the following weight settings:
Ethernet WAN1: 10 Ethernet WAN2: 10 Wi-Fi WAN: 10 Cellular 1: 10 Cellular 2: 10

Home Page

130

Copyright @ 2021 Peplink

USB: 10
Total weight is 60 = (10 +10 + 10 + 10 + 10 + 10).
Matching traffic distributed to Ethernet WAN1 is 16.7% = (10 / 60 x 100%.
Matching traffic distributed to Ethernet WAN2 is 16.7% = (10 / 60) x 100%.
Matching traffic distributed to Wi-Fi WAN is 16.7% = (10 / 60) x 100%.
Matching traffic distributed to Cellular 1 is 16.7% = (10 / 60) x 100%.
Matching traffic distributed to Cellular 2 is 16.7% = (10 / 60) x 100%.
Matching traffic distributed to USB is 16.7% = (10 / 60) x 100%.
17.2.3 Algorithm: Persistence The configuration of persistent services is the solution to the few situations where link load distribution for Internet services is undesirable. For example, for security reasons, many e-banking and other secure websites terminate the session when the client computer’s Internet IP address changes mid-session.
In general, different Internet IP addresses represent different computers. The security concern is that an IP address change during a session may be the result of an unauthorized intrusion attempt. Therefore, to prevent damages from the potential intrusion, the session is terminated upon the detection of an IP address change.
Pepwave routers can be configured to distribute data traffic across multiple WAN connections. Also, the Internet IP depends on the WAN connections over which communication actually takes place. As a result, a LAN client computer behind the Pepwave router may communicate using multiple Internet IP addresses. For example, a LAN client computer behind a Pepwave router with three WAN connections may communicate on the Internet using three different IP addresses.
With the persistence feature, rules can be configured to enable client computers to persistently utilize the same WAN connections for e-banking and other secure websites

References

Read User Manual Online (PDF format)

Read User Manual Online (PDF format)  >>

Download This Manual (PDF format)

Download this manual  >>

Related Manuals