Peplink - Dropin Mode
LiquidLayer
Network - Drop-in Mode

Drop-in Mode is an interesting feature to simplify the transition and installation of the PePLink multi-WAN router into an existing network using a single WAN router. In Drop-in Mode, the PePLink 30 can be inserted between the current single WAN router and LAN without changing network IP addressing, duplicating configurations from another router, or adding the latency of another router hop. In this mode, the Balance 30 acts as a bridge between the WAN1 interface and the LAN interface, meaning packets between the two interfaces are on the same subnet. However, frames forwarded between the WAN1 and LAN interfaces and back will have their source MAC addresses changed to the PePLink's MAC, meaning an ARP table refresh on all devices may be necessary after inserting the Balance 30 into an existing network.

Figure 7: Drop-in Mode scenario diagram

The illustration in Figure 7, which graphically depicts a situation in which the PePLink could make a network administrator's life easier, is from PePLink's product specifications. It allows for the addition of 1–2 more WAN connections without having to alter or remove the working configurations in the existing WAN connection or firewall. As you can see, a network with a single WAN connection to ISP A is transitioned to a multi-WAN scenario by installing the Balance 30 between the existing router and firewall, and then adding additional WAN connections to leverage the multi-WAN capability of the Balance 30.

Network – Routing and Firewall

With three WAN interfaces, the Balance 30 could be useful as a router between multiple subnets. NAT can be disabled on each WAN interface as necessary, but only after uncovering the IP Forwarding option hidden in a help menu warning that you should "know fully what you're doing." I successfully tested IP Forwarding mode, using the Balance 30 on a network with multiple other routers.

Static routes can be entered in the LAN configuration section, but I was disappointed to find the Balance 30 doesn't support any dynamic routing protocols, even basic RIP.

As a firewall, the Balance 30 can filter both outbound and inbound traffic. As displayed in Figure 8, rules can be defined to allow or deny outbound or inbound traffic based on protocol, source IP and port addresses, and/or destination IP and port addresses. In addition, inbound rules can be created and applied to all WAN interfaces, or to specific WAN interfaces. However, creating time schedules for traffic rules is not supported.

Figure 8: Configuring a firewall rule

For outbound traffic controls such as content filtering, configuration is based on destination IP address. The Balance 30 doesn't support URL-based filters.

I tested outbound traffic filtering by creating a simple rule to block traffic to YouTube.com. (Note: I'm not picking on YouTube, but have seen that some workplaces have been restricting YouTube access due to productivity and bandwidth issues.) I pinged YouTube.com to get their IP address, and since they have multiple servers, set up a simple rule to block all outbound traffic from any LAN user behind the Balance 30 to the /24 subnet including YouTube's IP addresses. Once configured and enabled, browser attempts to YouTube.com would simply hang; no error message or warning was presented notifying the user they are attempting to reach a restricted site. Figure 9 shows my configuration.

Figure 9: Blocking outbound traffic to YouTube's subnet in the firewall

Firewall - more

In addition to creating rules for filtering traffic in both the outbound and inbound directions, rules can be created for port forwarding. Port forwarding applies when using Network Address Translation, or NAT. With IP Forwarding enabled on a WAN interface, port forwarding isn't an option.

Configuring port forwarding on the Balance 30 is standard. Traffic flows from the WAN side of the router destined for the Balance 30 can be mapped by WAN interface, by port or protocol, to the IP address of specific devices on the LAN. For example, I've configured port forwarding in Figure 10 to direct inbound FTP traffic to an FTP server at 192.168.1.22 on my LAN.

Figure 10: Port forwarding of FTP traffic

Management

Effectively managing multiple WAN links requires clear utilization data. Visibility into WAN utilization is available in the Balance 30 Status menu, and historical data collection can be enabled via the PePLink website. These two features complement the Balance 30's multi-WAN capability, giving network administrators information needed to tune their load balancing configurations.

The Balance 30's Link Usage menu provides totals of inbound and outbound data transfers by WAN interface collected since the last device reboot. Further, the Link Usage menu reports a summary of data transferred by common protocol types, including HTTP, HTTPS, IMAP, POP3, SMTP, and "Others."

To track data utilization by time period, the Balance 30 can be configured to post data to the PePLink reporting server. Setting up historical reporting involves creating a username and password on the PePLink site, with the link conveniently located in the Balance 30 menu. Once a username and password is completed and the function enabled, reports such as the simple report in Figure 11 showing inbound and outbound daily utilization on the WAN1 interface are available. Additional reports by interface, day, week, and month are also available as the data is generated and collected. (Note: the report below shows erratic utilization reflecting my lab testing environment. Production reports will likely be more consistent.)

Figure 11: Inbound and outbound daily utilization report

Other reporting tools include basic logging, writing log data to a syslog server, SNMP support, and email notifications. The Balance 30 Status menu has a basic log, showing time-stamped entries recording events as they occur on the router. Firewall rules can have logging enabled, which will create entries showing when each rule was triggered. To maintain historical log data, syslog messages can be sent to a Syslog server by enabling this option and configuring the Balance 30 with the IP address of the Syslog server. Further, SNMP polling can be enabled for SNMP versions 1–3.

Email notification can be configured so the Balance 30 will send notifications when there is a status change on a WAN interface, or when there is a firmware upgrade available. The menu only allows for configuring a single email recipient, so you may want to set up an email alias to ensure the message is sent to multiple destinations.

Remote configuration of the Balance 30 can be enabled for HTTP and/or HTTPS access, and can be limited by WAN interface. Specific source subnets can be specified to further restrict external access
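An added example, not part of the post above and not Peplink's software: a small Python model of the destination-IP outbound rule the post describes, used to check whether a /24 deny rule covers every address a site resolves to. First-match rule ordering, the default-allow policy, the omission of source ports, and all addresses (RFC 5737 documentation ranges and a 192.168.1.0/24 LAN) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One outbound rule: protocol, source net, destination net, destination port."""
    action: str                      # "allow" or "deny"
    protocol: str = "any"            # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, protocol, src_ip, dst_ip, dst_port):
        return (
            self.protocol in ("any", protocol)
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
            and self.dst_port in (None, dst_port)
        )


def evaluate(rules, protocol, src_ip, dst_ip, dst_port, default="allow"):
    """First matching rule wins (assumed ordering); otherwise the default applies."""
    for rule in rules:
        if rule.matches(protocol, src_ip, dst_ip, dst_port):
            return rule.action
    return default


def coverage_gaps(rules, lan_host, resolved, protocol="tcp", ports=(80, 443)):
    """Return the resolved addresses a LAN host can still reach on any listed port."""
    return [
        ip for ip in resolved
        if any(evaluate(rules, protocol, lan_host, ip, p) == "allow" for p in ports)
    ]


# Constructed sample data: one deny rule for a single /24, and three addresses
# the blocked site is assumed to resolve to. The third lies outside the /24.
RULES = [Rule(action="deny", src="192.168.1.0/24", dst="203.0.113.0/24")]
RESOLVED = ["203.0.113.10", "203.0.113.77", "198.51.100.25"]

if __name__ == "__main__":
    for ip in coverage_gaps(RULES, "192.168.1.50", RESOLVED):
        print(f"not covered by any deny rule: {ip}")
```

Feeding `coverage_gaps` the current resolver answers for a blocked hostname on a schedule shows when a destination-IP rule has drifted out of date, which is the maintenance cost of filtering without URL-based rules.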