Feature Overview: Firmware 8.1.0

Where to Find The Firmware

So there’s two ways to get the beta firmware; you can go to our forum and download it there, actually I guess there’s three ways you can get it from the forum, you can go to our open beta program page on our website -just Google Peplink open beta you’ll probably find it that way, or you can get it directly from InControl.

Upgraded Capabilities

So there’s lots of other things to talk about in firmware 8.1.0. A Really big one is drop-in mode as being supported on all of our products now. That used to be either unavailable or a paid add-on for the lower end products, and so when you look at something like the br1 Mini all of a sudden that has drop-in mode that enables all kinds of expanded use cases for those lower end products.

So if you’re a managed service provider and you want to come in to bring phone service into a company who’s already got an existing network you can protect that phone traffic with the br1 mini. You can put it in drop-in mode, integrate it really really seamlessly with their existing infrastructure so it gives it gives customers a whole bunch more flexibility on across our entire model line so it’s not a segmented feature anymore.

Another unique one is what we’re calling our unbreakable time server so there’s two layers to this. Number one the the Peplink routers are now able to serve as an NTP server and so that allows them to be an authoritative time source for any devices on the network. So you can think of like IP cameras IP phones and Public Safety obviously this is going to be a big deal for them they’ve got lots of different systems that need a really accurate time source and so this gives you one rate embedded into the Peplink router the other thing that we’ve added or expanded is the Peplink router previously would reach out to an upstream ntp server on the internet for its time source and now what we’re doing is we’re allowing that those devices that have a cellular radio in there with GPS to get the time synchronization directly from GPS as well and so we’ll show you how those work a little bit later they’re real easy to configure very straightforward but again very powerful feature a lot of companies or again public safety agencies end up buying separate net clock devices and so now this really eliminates the need for that another upgrade we’ve done is we’ve added bandwidth bonding to our media fast 500 and 700 routers so again that used to be a paid upgrade that is now included by default with those routers so I’m sure a welcome addition for people that own those products another really unique one is the TCP accelerator support so those of you that deal with things like satellite links are probably very familiar with TCP acceleration and so it’s been a request for a long time to enable TCP acceleration on speed fusion so that it can be compatible with more compatible with with things like satellite links and so what we’ve done in 8 1 0 is we’ve enabled the TCP sessions to be exposed even though they still remain encrypted so that TCP acceleration that’s built into things like satellite modems can work on speed fusion traffic so we’ll show you how to configure that a little bit later as well some other really cool things which we’re not going to show today but definitely reach out if you’ve got an interest in using these features we’ve added some new virtualization options to our products the EPX is now able to run virtual machines and docker so that was a in addition that was planned from the get-go but we finally got that released and then any any media fast product and then a couple of the new products like the mbx have optional capabilities to enable the Hubb feature and so the products that have that content hub feature are now able to do full operating system virtualization so we’re utilizing a technology called KVM to virtualize any operating system you want and run that directly on that Peplink router that has the content hub capability so you could run a Windows virtual machine right inside your Peplink router so that you can eliminate the need for additional servers or all additional infrastructure at your customer location this can be very important in harsh environments so like railway projects where industry certifications are a must it’s oftentimes much easier to get that virtual machine running on the router that’s already certified and ruggedized for those environments so definitely a powerful option for those folks looking to do pretty sophisticated applications another big point of 8 1 0 is upgrading the wireless security capabilities and this extends to both the routers built-in Wi-Fi for those that have it and the AP controller integrated in most of our products as well so WPA 3 is a new white Wi-Fi security standard so any 11ac any routers that have an 11 AC radio in them should support the WPA 3 directly on that built-in access point again all of the access point controllers are able to configure this security setting for access points that are capable of it and you’ll start to see this WPA 3 capability show up on our access point products like the 11 AC capable ones in the next firmware version so those of you that have our 11 AC way of to products those already support WPA 3 in the current firmware those of you that have like an AP one Enterprise that’s the first generation 11 AC products you’ll see a firmware update coming out soon to support WPA 3 on those as well we’re also supporting 802 11 W on the Wi-Fi LAN so lots of upgrades on the Wi-Fi technology here another area focused for 8 1 0 is on traffic analysis so we’ve got a couple different ways this plays out here on the speed fusion side we’ve got we’ve we’ve really enhanced the graphs for speed fusion so you can get a lot deeper information and understanding of what’s going on in your speed fusion network so you can better troubleshoot and evaluate the performance of that will show you those a little bit later as always we keep expanding our dpi capabilities so the signature database has grown pretty extensively in this version so you’ll you’ll find that the the dpi reports and the DPI steering capabilities as well as content blocking capabilities are all a lot more granular now and you’ll see a lot more popular applications that that customers have been looking for in there so again we’ll show you that as well that flows another one if you know what this is you’re probably excited about it if you don’t not anything you have to get too worried about but we’ll show you how this works in a little bit that flows a lot like deep packet inspection and SNMP so it just sends metadata about all the different traffic utilization on your network to an external server that does its own analysis so it’s not a direct feature that Peplink is exposing in the UI but it allows you to send that net flow stream to a third party net flow collector for for larger networks so we’ll show you where that lives right now.

Live Demo

Speedfusion Cloud

Okay sorry for the delay folks so the new firmware there’s direct there’s a new tab at the top of the the router user interface I don’t think that’s happened for since the max product line came out. So kind of a dramatic shift for your eyeballs if you’re used to looking at our router interface but there’s a lot of great stuff here.

So the first thing we can do if we look at which locations we want to choose, you can select them here. So I’m just gonna clear these out and kind of start over. So when you first enable speed fusion cloud when you first register that license that’s what’s gonna expose this tab here, so if you haven’t done that check our forum out there’s a registration process so you can get the demo set up. But once you’ve done that this tab is going to show up and right away you can just choose which location, by default you can just choose automatic it works great it’s gonna choose the the closest location to you based on latency, but you can also just manually select which locations you want to connect to. So I’m just gonna choose you can choose up to three of them, I’m gonna choose just a few of them here. I’m gonna say Japan New York and let’s go to London as well okay, so if I click apply changes. The routers gonna automatically start establishing connections to all three of those cloud locations. Another really cool thing you can do though is you can modify these just like you would a normal speed fusion profile. So you can create all kinds of different different tunnel profiles that are then gonna be mirrored on the on the other side of the speed fusion cloud, so that you get all the performance benefits that you want from each mode.

So let’s say the default tunnel will make hot-failover, so I’m gonna make my broadband the highest priority. Aand then I’ve got three cellular interfaces that we can failover to. Now if you’re not very familiar with the connection priority down here, I’ll explain how this works. If you’re choosing links in a certain priority and and then you have a link in another priority, the tunnel is only going to actively use whatever links are in the highest priority. If you have more than one link in a priority group that means you’re basically bonding those links together. So in this case we are using just the broadband if that’s available, and if that fails then we’re going to fail over to a bonded cellular connection. And so you’re actually combining hot failover and bonding in this profile.

Now you can also do things like wan smoothing with speedfusion cloud, so we’re gonna put that at normal so normal if you’re not sure about wan smoothing you can read the tooltip here. Basically it’s a packet redundancy protocol so that you can lower your average latency for latency sensitive applications like voice over IP. And you can basically eliminate packet loss as long as you’ve got a couple links in play, you can you can duplicate your traffic so that you’re always getting the best performance on every single packet and you’re gonna get completely seamless failover if if one of those links drops, you’re not even I hear audio drop for a second. You can also do forward error correction with speedfusion cloud now. So forward error correction is somewhat similar to wansmoothing but it’s different in it in another way it’s a lot more efficient so your overhead is gonna be a lot lower instead of duplicating your packets you’re only generating either 13 or 26 percent overhead. So you’re sending some parity bits to kind of help you reassemble packets if there’s packet loss. Forward error correction is usually great for video streaming. It’s not as ideal for audio streaming, audio is a lot more sensitive to latency, usually video streams even live ones have a little bit of buffering in them and so forward error correction needs just a small amount of time just you know we’re talking milliseconds to reassemble those packets so again forward error correction usually great for video, wan smoothing usually more ideal for real-time voice. But again with speedfusion cloud you can now utilize these technologies and again these settings are mirrored on the other side so you’ve got really easy setup of these.

Some other cool things you can do is you can connect specific devices to the cloud. So you can still use the outbound policies to steer traffic to the cloud and we’ll show you how that works in a second, but you can also just pick individual clients and choose where they where you want them to go. So I could send this ap one over to Japan if I wanted.

So you can just it’ll automatically populate your client list so you can pick and choose clients and basically and force them to tunnel all their traffic to whichever speed fusion cloud node you want. So if you’ve got a reason to pop up in Japan, you can just choose your iPhone or laptop or whatever device and have that all of that devices traffic tunnel to whichever node you choose. Now if it’s a Wi-Fi enabled product you can also do the same strategy with the Wi-Fi networks, I’ll pull that up in a little bit here on a different model so you can see that but you can create custom SSIDs that are then tunneled to whichever speed fusion cloud node you want so that every device on that particular SSID is going to get tunneled.

So lots of nice easy quick ways to get devices connected to the speed fusion cloud but again you can also just use your outbound polcies to do the same thing that you’re used to doing with normal speed fusion tunnels.

DPI & Speedfusion Cloud

I want to point out too we’ve got our deep packet inspection / application steering feature that’s been out I think since eight firmware eight zero zero, but you need to enable expert mode to expose this capability. Expert modes already turned on on this router but if it’s not on yours you just open this tooltip here and you’ll be able to see the expert mode link to enable that.

Once you do that what you’re able to do is you’re able to use our deep packet inspection technology to steer specific applications to different tunnel profiles. So if I say the destination is speed fusioncloud I can say New York City and then I can choose application and so like I said, the DPI signatures have expanded greatly in this firmware, and so if we look under voice over IP you can see there’s several things. So it’s not just voice over IP it’s also like WebEx and zoom Skype so it’s a voice over IP and whatever web content sharing platforms you guys are using as well. So if we just choose that then I can say I want to send that to I want to send that to my wan smoothing profile so that I can guarantee that those streams don’t get interrupted, and we don’t have a bad experience on on a webinar or something like that, so that’s how you can use those multiple tunnel profiles that you create in the speed fusion cloud.

New Speedfusion Graphs

So there’s a lot more information here which can be a little bit overwhelming but once you know what it is it’s super helpful. So previously we got the throughput and we got the latency graph and I think we had a packet loss graph. Now we’ve got downlink and uplink quality separated – right now the links are real stable so we don’t have anything showing up there will generate some speed here in a second see if we can’t get some get some problems to show up here.

Okay so we got the speed ramping up. So we got a few problems starting to show up here. You can see we’ve got packets out of order being identified here. So an uplink and downlink status you’ve got packet fragmentation if you’re using forward error correction you’ll you’ll see dots show up if if forward error correction is actually being utilized – if they’re having to reassemble packets. And you can also see redundant packets from from WAN smoothing as well, so again there’s a lot more information here.

Then my favorite view is this all wan to wan and this basically shows you all the active links in the tunnel. So here you can really start to see – on the left you’ve got the aggregate stats, but then you can start peeling it out one one at a time so we can see our broadband link is really clean we’re not having any of those airs down here that we see in the aggregate stats so if we scroll over you can see the cellular link not that surprisingly is where we’re seeing some of the the problems showing up. So again these graphs are excellent for troubleshooting if you click on the export button you’ll get a you’ll get an image capture of the graphs so that you can very easily show people.

Now there is a lot of data here so these are scalable graphics so you can zoom in and see all the details on each one, but really nice easy export capability so that you can capture some evidence if you’ve got a problem you need to show to somebody else.

Drop In Mode

Okay the next one I’m gonna show you is drop-in mode on the br1 mini. I’m gonna pull that up again and see if remote web admin is gonna be my friend it sure is. Like I said drop in mode that’s being expanded to all of our products so again as an example on the BR1 mini, to use drop in mode – for those of you that don’t know, drop in Mode turns the router into basically a transparent bridge. So if you’ve got a customer that has like a third-party firewall and they basically like the way their network works right now, they don’t want to change their existing network but they want to add some sort of SDWAN capability now that’s where drop-in mode comes in.

It lets us transparently insert ourself into the network without making any changes, and then it lets you add on those SDWAN benefits to that existing network. So this is really common with MPLS connections, the customer doesn’t want to renumber their network and so we integrate into that that network address scheme using drop-in mode and then we’re able to to bond in additional links with speed fusion. But to set that up you go to your LAN settings which isn’t the most intuitive right away but you see this right here drop-in mode settings that’s all of a sudden available. It’s what you need to do with drop-in mode is if if the customer have if you’re on them if your customer has extra public IPS you would just enter an unused public IP here under the LAN settings and then you need to just enter the gateway DNS servers – we’re not gonna be doing DHCP, so there’s a there’s a bunch of notes here to just take in if you’re using this a lot of these settings suddenly aren’t relevant and drop in mode because again we’re just bridging through. We’ve also got the shared IP option so if your customer doesn’t have extra public IPs, you can share whatever public IP their firewall might have so that gives you a little bit more flexibility. So that’s drop in mode.

NTP Time Server

Next one I’ll show you is the NTP server – the unbreakable time server. Okay so here we’ve got an SDX with the add-on cellular module so we’ve got a GPS time source coming from this device. So again there’s two layers to this, there’s just enabling the NTP server itself – this does not require GPS, and it’s as simple as a one check box. You turn it on and the Peplink router will start responding to NTP requests on its LAN IP – so it’s default gateway address. So you don’t really have to do much of all anything to get that working. Now the other option you’ve got if we go under system and then time, you can choose you can now choose where the Peplink gets its time source from. So by default it’s gonna use a time server and you can use our Peplink time server if you want – that’s automatic, or you can punch in your own custom time server, but now you’ve got two more options you can just strictly use GPS as the time source for the router – again you need a product that actually has a cellular radio and GPS radio with antenna attached, and you can also use GPS with time server as a fallback. So if you’re not 100% confident that GPS is always going to be available for that that unit, you can prefer to use GPS as the time source and then fallback to an internet-based server. So we run into this a lot you know people use private networks quite often in public safety government applications and so those private networks often don’t have any internet access by design, and so oftentimes those networks don’t have a time server on them so there’s nowhere to get that time sink from. And so if you’ve got a private network you can still reach GPS that’s a that’s a one-way that’s a one-way stream so it’s totally safe to to listen to the GPS time information and use that as your source.

So again people that have IP cameras they need a really consistent time source so that all of the cameras in one location are going to be on the same exact time. Public Safety has a lot of software systems that need accurate time source information. So this gives you that capability and much more flexible especially in those private networks and scenarios.

Deep Packet Inspection

The next one I’m going to show you is deep packet inspection. So deep packet inspection shows up in several places in our in our router. I showed you the application steering already – that’s one place, QoS is another place that you’ll see deep packet inspection being utilized. So if you click to add an application we’ve got the normal categories you always saw before, but underneath those categories there’s a lot more applications. So we’ve got twitch, VEVO lots of the popular video streaming services. Again Netflix has been there for a little bit now, but lots of different video services under there. Again if we look under voice over IP that includes things like zoom and WebEx – so not just voice over IP but also the web conferencing applications that people like. So again lots of new lots of new applications under here, got onedrive, Google Drive, Dropbox. Now you can also leverage these signatures for content blocking. Like let’s say I just want to block Dropbox. I can just come down here choose Dropbox and I can block it it’s as easy as that. Same with Netflix. I don’t want people at work doing Netflix so we’re gonna shut that off as well.

DPI Reports

Now the other thing I’ll show you with dpi is the DPI reports. If you don’t know how to turn these on in IC2 you can do this at the device level or at the group level. I’ll show you at the device level here if you just click Edit, you just have to turn that little ‘enable dpi’ to on, not all products support the DPI engine so you’ll if you don’t see that button there you’ve probably got a router that doesn’t support that. Now if we go back to the group level you can do this in bulk, so if I just click Edit I can check all the boxes and under actions I can click enable dpi. so that’ll enable it on all the routers that support it in just a couple of clicks instead of having to do it one by one. But, now that we’ve got that turned on, we can see reports for what we’ve been up to on this router.

Now once you turn it on its gonna only start collecting data at that point so if you turn it on you’re gonna get kind of a disappointing report right away but just give it give it some time what’s some traffic build up and these reports should populate I think every hour you’ll see these update. So by default it’s showing you the graph based on percentage of volume, traffic volume, and then it’s grouping by application category. So okay so 53% is web traffic and 24% its remote remote access to me that doesn’t mean a whole lot it’s nice to see a categorized but if we uncheck that box then you’re gonna get more details, so that web traffic is pretty much all Google – I’m a very heavy Google user so that’s not surprising. We got a lot of SSH on this traffic we got some speedtest.net SSL. If you used this feature in the past – before we really expanded our dpi applications, the the unclassified slice of the pie used to be a lot bigger. And so again as you can see we’ve really really enhanced the the dpi capabilities to make these reports much more meaningful and useful. We also do it based on number of packets so depending on the perspective you’re trying to look at, but again traffic volume is usually what people are most concerned with – how much of this or that is being actually consumed on the links.

Netflow

So NetFlow again net flow is somewhat similar we don’t we’re not gonna be able to demonstrate it today but I’ll show you how to configure it. You need to go to our not-so-secret support.cgi page, if you haven’t been here it’s kind of an ugly page because there’s all kinds of stuff that we haven’t necessarily integrated into the GUI. It’s where some of the more hidden features are shown and right at the very bottom here we’ve got net flow. We can just click on that we can enable it.

Again with net flow you’re sending it to an external net flow receiver or net flow server and so you’re gonna choose whichever version and protocol is appropriate, tell it where the where that server lives, and it’s gonna stream that net flow data to that external device. There’s not a lot to setup there and there’s not a lot to see there unless you’ve gotten that flow server to actually digest all that information.

TCP Acceleration

The next one I will show you is the TCP acceleration. So we’re not directly doing TCP acceleration and speed fusion. I’m gonna actually delete this profile and start over so you can see because it’s all hidden by default. Okay by default you’re just gonna see this data port auto or custom, if you open that little tooltip there, you can configure which data stream protocol you’re going to use, you can switch it to tcp mode, and then this little checkbox exposes the TCP headers. So previously if you don’t check that box even the TCP headers are going to be encrypted, if you check the box we will expose the TCP headers but the data packet payload is the payload of the data packet is still encrypted. So you’re exposing a little bit of information to the network, which allows those third party external TCP accelerators to actually work and accelerate all of the encrypted traffic. Now you’re gonna need to – that this will also expose all of the TCP ports for the source and destination for each session so, if you’ve got a fusion hub that’s heavily locked down you’re gonna need to open the firewall up quite a bit on that to accommodate all those all those TCP sessions that are suddenly being exposed. It’s not going to be limited to just the the port’s that you’re establishing the tunnel with anymore when you expose those TCP sessions.

WPA3 Support

Okay I’m going to show you WPA three support now. I think this was the router that was giving me trouble earlier – we’ve got a bad router in the demo pool here, or a router on a bad connection I should say. We’ll take a look at another one and show you the controller side first at least. So we look at the AP controller on this SDX we can turn that on, and under wireless SSID we’ll create a new one. And so the controller now supports WPA 3 profiles this would require an access point that also supports WPA 3. So again right now all of our wave 2 access points support that in firmware today. All of the 11ac products will also support that in a future release I think there should be a beta of that ap firmware very soon – so you’ll be able to try that out on most of our modern Wi-Fi access points. But it’s not a lot different than WPA 2 or 1 it’s just more secure so the set up is really not any different you just select the mode you want, enter your key in, you know we’ve got the fast roaming support so you can get enterprise-grade handoff between access points – that’s been there for a little bit. And so that covers WPA 3 let’s see if this other one popped up I don’t think so it’s trying to load but I’ve got this on a cellular connection with poor for signal – there we go cool. So I’ve got a profile in here WPA 3 test you can see it’s set to WPA 3 personal and so this is a balance 20x one of our new products this has built in wave 2 Wi-Fi so this product already by default supports WPA 3 on its integrated access point. And so you can see that’s being broadcast right there.

Q & A