Recently, my organization got real Internet. Okay, the Internet isn't any more real, but we did upgrade from a T1 line (the dial-up of business Internet) to 100Mb service. It is nice to be able to download things without checking on them the next day. [*See Update note below]
Because we still have a contract with the T1 carrier, I was looking for a way to add faster service to it too, which would allow us to use both and provide a way to decide which traffic uses which connection. I looked at a few devices (some I tried out recently and some I evaluated from reviews) and settled on the Peplink Balance 380.
How does it work?
The Balance 380 allows for up to three WAN connections to be load balanced across the device. The device has one Ethernet port to connect to the LAN. The Balance 380 supports up to 500 LAN users and 100Mbps throughput, which serves us just fine, for now at least.
Figure A: The dashboard
Peplink uses several algorithms to help manage the WAN connections. Rules can be created to determine which traffic uses which WAN link. This was something very useful because of other things we have already configured.
Keeping email headed down the right path
We use Postini to filter much of the spam from our email; because of our prior configuration, Postini knows that our email server has an IP address on the T1 pipe. I plan to work on changing this so it will be available using both connections, but for now this works pretty well. I created an outbound rule to ensure that all traffic on port 25 will head out over the T1 connection.
Figure B
The algorithms that you can choose from to control traffic are:
- Weighted Balance: traffic is balanced across available WAN links according to the specified weight.
- Persistence: traffic from the same machine will be passed through the same WAN link.
- Enforced: traffic will be routed through the WAN link specified by the rule.
- Priority: traffic will be routed through the WAN link with the highest priority.
- Overflow: traffic will be routed through the WAN link with the highest priority that is not full. New connections will use the next highest priority WAN link that is not under full load.
- Least Used: traffic will be routed to the WAN link that is healthy and has the most available downstream bandwidth.
- Lowest Latency: traffic will be routed through the WAN link with the lowest latency. Packets will be sent periodically to test for latency on all links.
In testing some scenarios to best make use of the Internet links in my organization, I worked with support to create a rule that would prioritize VOIP traffic over the T1 link and all other traffic over the 100Mb link and used QoS to ensure that voice traffic had a higher priority on the slower link. This idea was great because it allowed the T1, which also has a point-to-point VPN to another location (created with different gear) to ensure things get where they need to be.
When the rules were created, the new rule for the majority of traffic going over the largest connection was parked at the top of the outbound rules list, shown in Figure C.
Figure C: Creating outbound rules
This caused all of the traffic to go out this particular connection and in doing so, prevented mail from being sent out, leading to huge outbound queues and some curious users. The mail rule mentioned earlier was not even getting seen because other rules were taking precedence. Once we moved it back to the top of the rules list, the mail queues cleared right up and all was well again.
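The rule-ordering incident described above, as an added example (not Peplink's code or the author's configuration). It assumes rules are evaluated top-down with the first match winning, as the incident implies, and uses hypothetical names (`Rule`, `select_wan`, `shadowed_rules`) and constructed rule sets to flag any rule hidden by a broader rule above it.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    wan: str                        # WAN link label (constructed)
    protocol: Optional[str] = None  # None = any protocol
    dst_port: Optional[int] = None  # None = any destination port

    def matches(self, protocol: str, dst_port: int) -> bool:
        return (self.protocol in (None, protocol)
                and self.dst_port in (None, dst_port))

    def covers(self, other: "Rule") -> bool:
        """True if every flow that matches `other` also matches this rule."""
        return (self.protocol in (None, other.protocol)
                and self.dst_port in (None, other.dst_port))

def select_wan(rules, protocol, dst_port, default="unmatched"):
    """Top-down, first-match evaluation (assumed from the incident above)."""
    for rule in rules:
        if rule.matches(protocol, dst_port):
            return rule.wan
    return default

def shadowed_rules(rules):
    """Return (rule, earlier_rule) pairs where the earlier rule hides the later one."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                findings.append((later.name, earlier.name))
                break
    return findings

# Constructed rule sets; the VoIP port is a placeholder, the article gives none.
MAIL = Rule("smtp-out", "T1", "tcp", 25)
VOIP = Rule("voip", "T1", "udp", 5060)
BULK = Rule("all-other", "100Mb")
BROKEN = [BULK, MAIL, VOIP]   # catch-all parked at the top, as in the incident
FIXED = [MAIL, VOIP, BULK]    # specific rules first, catch-all last

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "port 25 ->", select_wan(rules, "tcp", 25),
              "shadowed:", shadowed_rules(rules))
```

Running a check like this against an exported rule list before applying a change catches the shadowed mail rule before the outbound queue starts to grow.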
What can this thing do?
So now that I have looked at a few reasons why the Peplink Balance 380 was a good fit for my organization, let's look into the configuration of the device.
The following items are available under the Network Settings tab:
- WAN: Incoming WAN links are added and managed here.
- LAN: This is the inside interface of the Peplink, for your internal network.
- Drop-in Mode: Use Drop-in Mode if you already have firewalls configured and other VPNs in place within your environment. Doing this causes the Peplink to bond Internet connections and pass them to the existing firewall and network environment from the outside interface of the firewall. It requires very little, if any, configuration of your existing environment.
- Site-to-site VPN: Connections between the Balance 380 and other Peplink routers
- IPSec VPN
In this section, you can define outbound rules to ensure traffic leaving your network is handled as needed, as is the case with my email traffic.
- Servers: Here you specify internal servers that should be available from the Internet.
- Services: In this section, you define services that are provided by servers previously exposed. Servers should be configured before adding services.
- DNS settings: The Balance can act as a DNS server for your network, and here you can specify the settings for outbound connections over connected WAN links.
Like any good router, the Peplink Balance provides network address translation (NAT) for traffic from the outside in. This allows the public IP address for the Balance to pass traffic on a given port to a computer on the local network.
The Balance 380 can control up to two access points on your wireless network. While I was unable to test this particular feature set, the idea of controlling bandwidth and access to wireless networks from your Peplink is pretty sweet.
Quality of service (QoS) gives administrators two methods, user groups or applications, for managing and/or restricting bandwidth usage.
Under the user groups tab, you can create groups to allow certain allocations of bandwidth. The default groups are Managers, Staff, and Everyone.
These groups can be used to allow different levels of bandwidth to managers, other staff, and a group for everyone else. While you can add other groups to further segment bandwidth, the way I see this being useful is to add your management and higher level colleagues to the Managers group, the office staff to the Staff group, and any public users to the Everyone group. This would allow users on a public network or temporary employees to use the smallest amount of bandwidth.
Now that the groups are defined, click on the bandwidth control setting and use the sliders to adjust the amount of bandwidth allowed for use by each group. The sliders make changing the allotments for each group easy.
In addition to the groups, you can enable individual limits for all users of the Staff and Guest (Everyone) groups. Doing this allows bandwidth limits to be imposed for downloads across all WAN connections. Limiting staff members to 2Mbps might be a very useful feature.
In addition, speeds for upload on each WAN connection can be set independently, which can help control file uploads. This might be useful to restrict upload bandwidth to the IT or other department.
Another QoS setting allows bandwidth control by application for establishing the priority of a given application, like email or VOIP traffic. Application categories that can be prioritized are:
- File Sharing/Transfer
- Audio Video Streaming
- Remote Assistance
- Security Tunneling
You can also create custom items for QoS.
The last QoS setting that can be configured is the DSL/Cable optimization option. This setting helps with connections that are not symmetrical and have different upload and download speeds. By using this setting, all download bandwidth can be used and not be affected when upload bandwidth is topping out.
The Balance 380 also includes a stateful firewall which can protect your network from certain types of traffic and attacks. Inbound and Outbound rules can be configured to keep your network secure.
In addition, you can turn on intrusion detection, which prevents denial of service attacks and other common attack types.
Today, it is not uncommon for organizations to filter web traffic. On this device you can filter web domains right at the router. Once you have built a list of domains to block, you can specify groups that are exempt from the filter. Subnets can also be exempted from the filter.
High Availability: Your network and Internet connections need to be up and available all the time; you can use these settings with additional 380s to ensure that the WAN links on these devices do not go out.
PPTP Server: This setting allows for email and web forwarding as well as DNS caching or proxy settings. This allows for the Peplink to intercept incoming traffic and redirect it to the specified host on your network.
Service Pass through: These settings allow some things to be passed to other devices and not processed by the Peplink. Vonage is a service that might make use of this setting.
Who is it for?
Any organization with a need to bond multiple Internet connections and take advantage of inexpensive bandwidth should take a look at the Peplink Balance. Because the device can handle three WAN links and pull them together for use as one Internet pipe, in my opinion, it is worth the price of admission. If you have over 100 users in your environment and up to 100Mb of Internet bandwidth, the 380 is worth considering.
To compare Balance units, check out their product grid: http://www.peplink.com/balance/tech-spec/
The Balance 380 starts at $1995. One thing I found about the purchase process that was odd is that there aren't very many resellers for Peplink. Getting this through a reseller would make the process much easier and possibly allow some wiggle room on the cost of the unit.
Having two or more Internet connections is a definite way to reduce the overall cost of your company's connections, but it can also provide immediate failover if one of these links goes down. Losing an Internet connection is a much bigger deal these days than it was even a few years ago. Having two connections, if for no reason other than removing a single point of failure, makes sense and can reduce the stress of a downed connection.
Note: Some of the features, like VPN connections between Balance routers, as well as a look at Peplink's mobile router, the Max 700, will be covered in upcoming posts.
*[UPDATE TO POST: When reviewing the 380 for TechRepublic, I was also installing the unit at my organization and misquoted the maximum throughput on the device. It will support up to 170Mbps, not 100Mbps as I previously thought.]
Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.