InControl Manual

InControl can be accessed from any recent web browser.
Peplink routers, access points and switches that to be managed from InControl need to be within warranty or covered by an InControl Subscription.
The device’s warranty status and InControl subscription status will still be shown, even if the device’s warranty and/or subscription has expired.
When expired, InControl subscriptions and extended warranty can be purchased from a Peplink Certified Partner.

To allow InControl to communicate with your Peplink devices the application uses the following ports:

Port number	Used for	Service
UDP 5246	Data flow	InControl
TCP 443	HTTPS service	InControl
TCP 5246	Optional, used when TCP 443 is not responding	InControl

If you have an InControl subscription, but the device is showing offline, try performing a ping test from your device to ac1.peplink.com.
If you succeed, and the device does not appear online on InControl, you can reach out to your Peplink Certified partner, the Peplink forum, or Peplink support

The InControl subscription is a standalone service that enables selected Peplink devices to connect to InControl.
While InControl is included as a part of warranty and PrimeCare, the InControl subscription enables you to connect devices to InControl without any additional subscription services. 

Supported Devices

The full list of products that have InControl subscription is available on the Peplink official website InControl page.

Use of Subscription Services 

Any Peplink device will function on InControl as long as it is subscribed to InControl subscription, Warranty, or PrimeCare. Customers can change between InControl subscription and warranty without any interruption in InControl service.
However, PrimeCare devices are unable to use InControl Subscriptions.
Please refer to the PrimeCare Terms and Conditions for full details.

If a device is no longer subscribed to any service, they will no longer be able to be accessed from InControl.
However, all records from the device’s time under subscription will be retained and will remain accessible on InControl.
If the device re-enters warranty or InControl subscription, it will once again become visible and manageable on InControl. InControl subscriptions are non-transferable, each subscription is specific to the device that it is assigned to.

InControl has several built-in user roles to provide granular access to organizations and groups depending on the organizational structure of your business.

Below is a description of each of the different types of administrative roles, how to configure them, and the specific levels of access that each role receives:

Organization level

Super Organization Administrator

Organization administrators have full access to your organization. They can view all dashboards, reports, social user data, settings, and device details for all groups. In addition, they can also make configuration changes.

Organization Administrator

Organization administrators have the same access rights as Super Organization Administrators except for social user data access permissions.

Organization Viewer

Organization viewers can view the dashboards, reports, device details, and some settings for all groups. However, they have no editing permissions.

Organization Dashboard Viewer

Dashboard viewers can only see the organization dashboard and the dashboards for any groups. They cannot see reports, settings, or device details, and they have no editing capability.

Group Level

Group Administrator

Group administrators have full access to the group. They can view the dashboard for this group, reports, settings, and device details. In addition, they can also make configuration changes. However, they cannot access other groups in your organization or social user data.

Group Viewer

Group viewers can view the dashboard, reports, settings, and device details for this group. However, they have no editing ability, and they cannot access other groups in your organization.

Group Dashboard Viewer

Dashboard viewers can only see the dashboard for this group. They cannot see reports, settings, or device details. They have no editing capability, and they cannot access other groups in your organization.

Captive Portal Administrator

Captive Portal Administrators have access to the Captive Portal section in this group only. They also have read and deletion rights on social user data.

Captive Portal Report Viewer

Captive Portal Report Viewers have access to the Captive Portal Reports in this group only. They also have read access right son social user data.

Fleet Manager

Fleet Managers have access to the map on this group’s dashboard page only.

To create a new user on Organizational Level log in to InControl and select Organization Settings > Organization Settings in the menu.

To create a new user on Group Level, select the required Group and select Settings > Group settings in the menu.

Add the First Name, Last Name and Email address for the new user in the required field.
Select the user role from the drop-down menu, select the + button and save the changes.

A TAG is a keyword or term assigned to one or more Peplink units; once assigned, the TAG can be used for several purposes

• Tracking
• Configuration (apply settings to devices, including SSID, Schedules, Outbound policies, firewall rules, Speedfusion profiles and firmware)
• Reporting

Adding a Tag

To configure a Tag, navigate too the Device Level for the applicable unit, select edit and scroll to TAG.
Once there, simply assign the Keyword(s).

A device can have any number of TAGS assigned to it and a TAG can be assigned to any number of Devices in the Group

Bulk Tagging

Tags can be assigned to a group of devices concurrently from the Group Level Dashboard.
Select the “Device Management” option and select the applicable units.
Then select TAG and assign the Keyword(s) to the applicable unit(s).

 

The InControl Organization and Group settings sections allow you to configure the Organization’s and Group’s Name, Address, Security Settings and Logo.
These settings can be accessed from Organization settings > Organization Settings at Organization level or Settings > Group Settings at Group Level in the main menu.

At Organization Level

At Group Level

The following settings can be configured

Name

Edit the organization or group Name in the Name field.

Administration

Configure user accounts to allow access to your InControl organization and /or group(s).
Read the User Roles section for more details.

Security (organization level only)

The security options are only available at organization level and configurable from this section:

Idle Time out	Sign out password-authenticated users after The configured number of minutes in this field minutes of inactivity. Default is 240 minutes.   Note: Users authenticated with Google ID will not be signed out automatically
Two-factor authentication	Force users to set up and use two-factor authentication
Authenticated with Password	Do not allow users to authenticate with Google ID but username and password
Block Peplink Support	Prevent Peplink support from viewing this organization

Advanced Settings

Auto apply configuration patches to devices	At certain occasions InControl makes configuration patches available for devices. When such patches are available for a device, if this option is enabled, the patch will be sent to the device automatically. If the option is not enabled, InControl will stop all configurations to the device. Administrators will be asked to confirm to apply such patch before the patch and any configuration could be applied to the device.
Show Warranty and Subscription Expiry Dates and Notices to non-Organization Administrators	These options are used to keep certain details hidden from non-Organization Administrators that have access to the InControl organization.
Send Warranty and Subscription Renewal Reminder to non-Organization Administrators
Display Internet & Device Availability on Group Dashboard

Logo & Favicon (organization level only)

To upload another organization logo and favicon to replace the default ones, use the upload option in this section.

Address

 

Change the Organization Address details by selecting the correct details in the map or assigning the correct longitude and latitude coordinates.

 

 

 

 

Map (Organization Only)

Choose the map integration for the organization; OpenMapTiles or OpenStreetMap details.

Unit (organization only)

Choose the unit displayed in the Organizations maps and reports, imperial, metric or nautical.

FlightAware API (organization only)

Integration with the FlighAware website can be configured on Organization Level.
When the username and API keys are defined, and a FlightAware Ident is defined on a device’s details page, the devices’ location will be updated from FlightAware every five minutes.

Organization Removal (Organization only)

The organization will be automatically removed after 28 days when all devices have been removed from the organization.

Time (Group only)

The Time zone can be configured at Group level.

The group Management page allows for the creation, deletion, moving and renaming of groups.
Open this page by selecting Organization Settings > Group Management

This will show an overview of groups and the number of devices in each group.

The following options are available in this section:

1. Select the pencil icon to rename a group.
2. After selecting the pencil icon, the group name is editable and can be saved or cancelled.
3. Select these tick boxes to delete or move several groups.
4. The Create Group page opens when selecting the Create button.
5. Delete a selection of groups using the Delete button.
6. Move a selection of groups using the Move to a new organization button.

After selecting the option to move devices the following window will be visible.
Name the organization and select Proceed to confirm to move the devices.

To add groups in the Organization, select Organization Settings > create Group from the menu.

Enter the group name and description on the new page; these settings can be changed at a later stage.

 

Optionally, you can clone  settings from another group by selecting the settings and the original group.

 

 

 

 

If devices need to be rebooted on a regular basis, enable the Scheduled Reboot option.

 

Select a Country from the drop-down list

Select a location by selecting a point on the map or by adding the location’s latitude and longitude details.

 

 

 

 

 

You can use online resources to find the exact latitude and Longitude coordinates.
This website for example.

Select the desired Time Zone and choose if devices in this group should follow this time setting.

Devices can be added at the Organization or Group level.

Since devices belong to a Group and Organization there is only 1 extra step involved when adding the device at Organization level, which is selecting the group.
The following steps show how to add a device at Organization Level.

Select Organization Settings > Add Devices

 

Select a group form the drop-down list,
select an existing tag or add a new tag,
And add the serial number(s).

When adding multiple devices, the serial numbers should be comma, space or return separated.

Click Next.

 

Change the device name and location (if required) in the next section.

Click on confirm to finalize this action, a Message will appear that the device is added successfully.

The Device Management section shows an overview of information about all the devices in a group or organization.
Several changes can be made to multiple devices at the same time after selecting these devices.
This section is available in Organization Settings>Device Management and Group Settings>Device Management.
Device Management at Organizational Level allows you to view the details of all your devices in your organization; at Group Level the details of devices in the group are shown.

The following options are available:

Configure the columns showing details of your devices

 

Click to Add  devices

Status
Device Name
Serial Number
Group
Tags
Product
Uptime
Online Status
Wan
2.4 GHz Channel
5 GHz Channel
Usage
Clients
Firmware
Last Config Applied
InControl Detected IP

 

The Column order can be changed by keeping a column selected with your mouse and by dragging it to the desired position.

Select the required options and click OK to save the settings or Reset the Default Order.
The order of the devices in view can be changed by selecting the required column.

The device names of Selected Devices are shown in the top bar in the overview of the device management section.
Tags can be added to the selected devices or an action can be applied to the selected devices.

The InControl Detected IP in the equally named column is not always the WAN IP address of your Peplink Router. It could be the NAT-ted WAN IP address of the broadband connection depending on your network configuration.

Add or remove Tags and icons to or from the selected devices by selecting the Tags button.
Icons can be used as tags as well and be added to one or more units.

Several actions are available by selecting the actions drop down bar.
Options that are not available for the selected devices (because they apply to different Peplink devices not in the group) are Greyed Out.

The following options can be configured from this view:

 

Action	Description
Move to	Move devices to a different group
Remove	Remove devices from the organization
Firmware	Apply a firmware policy
Find My Peplink	Configure the Peplink DDNS service
Wi-Fi AP State	View the Wi-Fi status of Access Points
AP Routing Mode	View Access Point routing mode status
Enable DPI	Enable Deep Packet inspection
DHCP Snooping	Configure DHCP snooping for Peplink switches
STP Bridge priority	Configure STP Bridge priority for Peplink switches
Enable collecting Wi-Fi analytics data	Enable collecting Wi-Fi analytics data
Lock cellular WANs to currently active SIM Cards	Lock cellular WANs to currently active SIM Cards
Remove GPS Data	Remove GPS Data
Data Roaming	Configure Data Roaming
Update cellular module firmware	Update cellular module firmware

 

Firmware policies can be created on organization, group or device level and assigned on a per device basis.
Firmware can be upgraded automatically for all Peplink and Pepwave models at a scheduled time.

To assign a firmware policy select organization settings > firmware or group settings > firmware policy.
The image below shows the firmware policy on organization level, which is similar to the group level.

A table shows each device model within the organization or group, the hardware revision, details about the group or organization policy assigned and a dropdown list to assign a policy.
Assign the desired firmware version from the drop-down list, upload a custom firmware or disable firmware management.

Update Schedule

Underneath the product table is a section to create an update schedule.

Creating a schedule with a time interval of approximately 15 minutes will prevent devices to upgrade and restart at the same time.

On the bottom of the page is a section showing the pending firmware update schedules.

The options on device level are similar but the layout of the page is  adapted to the device specific information.

Updating Firmware by Group or Organization

To assign a firmware policy select organization settings > firmware or group settings > firmware policy.

Here you can select which firmware to update on which device models. These configurations will appear in all devices within the group. Firmware update schedules can be configured for the organization or group.
Click Save Changes to complete the process.

 

Updating firmware on Individual Devices

 

On the individual device page, navigate to Settings > Firmware Management

Select the desired firmware from the device list.
Press Save Changes to apply your changes.

The operational log, available in Organization > Organization Settings > Operation Log, keeps track of significant events and activities in the InControl organisation.
Activities can be searched by asset, activity, time or user account.
This allows for auditing user access to groups and devices within the organisation.

The recorded details are:

Time	UTC
Admin	User Account Name
Group	Group Account Name
Device	Device Account Name
Page	Menu Option Accessed
Label	Change or “Action Taken”
Old Value	Setting before Change
New Value	Setting after Change

Data in the operational log is stored for the lifetime of the organisation.

Results can be filtered by using the Search field.
To filter out information regarding a single event use a mac address, group name, administrator name or any other word matching a word in one of the fields in the operational log.

Email notification profiles are created InControl to send email alerts about system events to the administrators or other email addresses.
Several Notification Profiles can be created with different information for different devices.
The section can be accessed from the Group Level menu in Settings > Notifications.

General Options

The following General settings can be configured:

Enabled

Enable or Disable the Notification Profile

Devices Notify for…

Select the devices to collect the notifications from using ‘Tags’

Silence Period

Configure a silence period for weekdays and weekends to stop any notifications during that period.

E-mail Notification Subscriptions

Event notifications can be sent to different people; this is a configurable option for each e-mail notification subscription. This could be all organization and group admins, all group admins, an organization or group admin, or another email address.

Some events have different notification levels.
Up to three notification levels can be configured to send an email after x number of minutes.

Device Online / Offline	Bandwidth Usage	SIM Card Insertion / Removal
HA Transitions	AirProbe Alarms	SIM Card Switch Over
Wan Up / Down	ContentHub Storage Alarms	Web Admin Logins
PepVPN / SpeedFusion Up / Down	Configuration Changes Applied
LAN Port Up / Down (not supported on all models)	Smart Reader Attachment / Detachment

HTTPS Notifications

A HTTP/S POST call will be made to the specified URL for the enabled events. The POST data is an array of events in JSON format:
For any errors (e.g. an HTTP response code greater than or equal to 300 received, network timeout, etc.), it will retry at most five times every one minute.

[{
"ts":"2016-07-07T03:12:54",
"device_name":"Test Device",
"device_id":0,
"client_name":"Test Client Device",
"client_mac":"AA:BB:CC:DD:EE:FF",
"event_type":"WLAN",
"detail":"Event log notificiation test",
"longitude":0.1,
"latitude":0.2,
"gps_timestamp":"2016-07-07T03:12:54",
"sn":"0000-0000-0000"
},
{...}
]

Mobile App Notifications

You will receive notifications if you have installed the InControl app and signed-in as with your InControl user account. You can choose what notifications to receive within the app.
To download the app follow this link.

The InControl Options in Group Settings are used to configure how the devices in the group are managed by InControl.
This affects the data usage of the devices.
The section is available from Group Settings > InControl Options.

Estimated Base Data Usage

InControl options

The following options can be configured:

Disable Device Configuration

InControl can solely be used for monitoring purposes when Device Configuration is disabled.

Auto roll back device configuration

If devices cannot reach InControl after receiving a configuration from InControl, the configuration will be rolled back.
If the device fails to connect to InControl after 10 minutes, it will automatically roll-back to the previous configuration.

Auto apply configuration patches to devices

In order to fix errors, sometimes InControl needs to send some configuration patches to devices. When such patches are available for a device, if this option is enabled, the patch will be sent to the device automatically.
If the option is not enabled, InControl will stop all configurations to the device. Administrators will be asked to confirm to apply such patch before the patch and any configuration could be applied to the device.
Alternatively, the group can follow the organization setting.

Disable Firmware Management

InControl firmware upgrade configuration cane be disabled by ticking the checkbox.

Low Data Usage Mode

When low data usage is enabled, the minimum amount of data is sent to the device.
Devices’ WAN health checks will be forcefully disabled. You will have to manually enable health checks on the web admin when you disable this mode.

Disable Device Reporting

Devices send reporting data to InControl regularly which incurs data usage. Disabling device reporting could save devices’ data usage.

Captive portals will fail to operate when this option is checked.

Disable Live Status Queries

Live status queries incur data usage and are blocked when this option is checked.

Captive portals will fail to operate when this option is checked.

GPS Location Collection

By default, 30 GPS location points are retrieved from a device every minute. To change data usage and location accuracy, this setting can be changed to 60 location points every minute, 1 location point every 30 minutes, 1 location point every hour the service can be disabled.

Minimum Communication Interval

Configure the communication interval (Default: 28 seconds. Minimum: 28 seconds. Maximum: 60 minutes).
When a device has sent no data to InControl for more than this amount of time (T), it will send a heartbeat to InControl to maintain a two-way communication channel.
A device will be treated as offline if InControl has received no data from it for more than 3 mins and T×2+2 secs when T<=30 and T>30 secs respectively.

Real-time communication with devices may be delayed and InControl managed captive portals may not work for any interval longer than 30 seconds if a NAT router is present in the communication path.

Save the changes to apply the new settings.

The Device System Management section allows you to configure the local device web admin management, reboot schedules and external InControl Appliance settings for devices in a group.
Navigate to Groups Settings > Device System Management to view and configure these settings.

Device Web Admin Management

Device Web Admin management can be enabled by selecting the tick box.

Web Session Timeout

The Web Session Time-Out indicates the time before a web login session gets logged out automatically if it has been idle longer that the Web Session Timeout.
0 hours 0 minutes signifies an unlimited session time.
This setting should be used only in special situations as it will lower the system security level if users do not logout before closing the browser.

Default: 4 hours 0 minutes

Web Admin passwords can be downloaded within this section by selecting the ‘Download admin passwords’ link.

Authentication using RADIUS

Web Admin Access

If Any is selected, web admin access is allowed from anywhere without any IP address restriction.

Each IP subnet must be specified in IDR Subnet Mask Notation

Separate each IP subnet on a single line to define multiple subnets.
For example:
192.168.0.0/24
10.8.0.0/16

To further enhance security the Web Admin Access port can be changed from the default 80 for HTTP or 443 for HTTPS.

Scheduled Reboot

The

Daily or Weekly Reboot schedules are configured in this section and applied to all or some devices using tags.
Select the required settings from the dropdown lists.
If several reboot schedules are applied to the same device, only the first matched rule will be applied.

External InControl Appliance Settings

If you use a private InControl appliance, add ALL serial numbers to both the “private ICVA” AND a Group on Public IC2.
Then configure “By Redirection”.
This means, if a device is factory reset, it will automatically re-direct to the Private ICVA.
It also means that no-one else can register that device in their Public InControl organisation.

Device IP settings for LANs can be automatically configured using the Network settings > VLAN settings section, but these settings can also be imported into InControl using a template in .csv format containing the serial numbers and IP details of one or more devices in a particular group.

Navigate to Group Settings >Device IP settings
The available configurable options are displayed within this section, complete with a description of the configurable options and examples of the value of the format.

Download the Peplink Balance/ Pepwave Max template or Pepwave AP template to your computer and open the file with a spreadsheet program (Google sheets, Microsoft Excel or OpenOffice Calc).
Add the Serial numbers and IP settings in the matching fields, save the file and drop the csv file into the Import IP settings field in InControl.

A confirmation message will be shown, and the imported data will be visible in the same section.

Select the Import button to start pushing these settings to the device in the group.

Check your devices and event log to make sure the new settings have been applied.

Device time schedules are managed from Group Settings > Device Schedule

Outbound policies, firewall rules, Wi-Fi radios, SSIDs and Switch PoE ports can be enabled or disabled during certain time periods.
This can be achieved by assigning a schedule to the configuration of that specific service.

Start creating a new schedule by selecting the ‘Add’ button.

Each individual schedule can be enabled or disabled.
Enter an appropriate name for the schedule.
Choose a scheduled template form the drop-down list.
Choose between Always on, Always off, 8am to 5pm weekdays only, weekdays only or a custom.
Custom time schedules can be created by keeping the mouse button clicked while dragging the mouse over the schedule map.

The schedule details and which services the schedule is applied to will be visible in the overview.
Schedules can be deleted from the overview using the bin icon in the Action column.

Geofencing allows the use of GPS to create a virtual geographic boundary, enabling InControl to trigger a response when a mobile device enters or leaves a geo-fenced area.
Geofencing is supported for devices with built-in GPS.

The Geofencing section is available within the group settings.

After selecting “Geo-Fencing” you can add a new Geo-fence option.
The window below will show up, in which you can add a “Ring” or “Path” to create a “zone”.
Multiple zones can be added to the same Geofence.
This “fence” can then be applied to all or some devices (using “tags”).

When the GPS-enabled Peplink router leaves the geo-fenced area, the following actions can be triggered:

• Email-notification
• HTTP /HTTPS notification
• Enable / Disable Wi-Fi AP (access point)
• Device Tagging

Sample use cases

• Geo-based SSID – to enable an SSID A when a device is in zone A, and to enable an SSID B (and disable SSID A) when the device moved to zone B.
• PepVPN / Speedfusion tunnel selection based on the geographic location

When a Geo-fence is created or modified, or newly applied on a device, by default, no action will be performed until the device(s) enters/leaves the Geo-fenced area.
The specified actions will be performed as soon as InControl receives the devices’ next location points.
E-mail notifications will be sent out for each of the devices (if enabled).

If a device is selected by more than one fence, only the topmost fence will apply.

Changing Bulk configuration options can be applied to other units with the same product model by using an existing config file from a Peplink or Pepwave device.
This option is accessible from Group Settings > Bulk Configurator.

The Bulk Configurator will push the configuration file(s) onto the corresponding applicable devices. In addition, it will also individualize the following settings if applicable:

• Wi-Fi AP SSID and Radio *
• PepVPN / SpeedFusion *
• VLAN Networks
• Outbound Policy *
• Firewall Rules *
• Web Admin Settings *
• Device name
• Time zone *

Wi-Fi AP on/off state, Remote Assistance state, WANs’ Dynamic DNS settings and PPPoE credentials in the configuration file(s) are discarded and not applied.

* When its management option on InControl is disabled, its setting in the configuration file(s) will be applied.

When more than one configuration is assigned to a device, the topmost one will be applied.

Config file management

After configuring a Peplink or Pepwave with the required settings, download the configuration file from the local web admin or InControl device details.

A new window will appear after selecting the ‘Upload New Config file’ button.

The new window will show details of the product model.
Optionally PepVPN settings can be preserved, but InControl PepVPN management will have priority over these bulk-configuration settings.

The Configuration time and Device selection need to be configured to decide which units receive the new settings at what time.

The Warranty & License section can be accessed from Organization Settings > Warranty & License, which shows an overview and tools to help manage warranty and licenses for all the physical devices in the organization AND the licenses for Fusionhub virtual appliances.

Service Status

The service status table shows all devices, the product details, the group, service status and Service expiration date.
The table is sortable by each individual column header, this is changed by clicking on the table headers.
A filter can be applied too.

FusionHub Licenses

FusionHub is the virtual SpeedFusion appliance from Peplink. With FusionHub, you can establish SpeedFusion connections between cloud servers and physical Peplink devices.
FusionHub licenses can be imported, released and acquired in this section.

FusionHub Solo is a free virtual appliance that can be acquired by following the instructions.The FusionHub Solo allows a SpeedFusion VPN configuration to the cloud to be able to bond all available Wan connections into one reliable, fast connection.

The Outbound Policy section allows you to manage how your LAN-to-Internet traffic is routed according to the rule/algorithm options.
Before configuring Outbound Policies take note of the following:

• Only devices running firmware 8.0 or above support Outbound Policy rule sets created in InControl.
• Make sure the up and download bandwidth values for the network WAN connection(s) are configured for the outbound policies to work properly.

• A rule set refers to the entire set of rules as defined in the device’s outbound policy page (Network > Outbound Policy). Within the rule set, each rule applies to a name-specific WAN connection (e.g. WAN 1). When applying imported rule sets to selected devices, only WAN connections with matching names (e.g. WAN 1) will be imported. If the rule has no matching WAN connections, then the rule will not be applied to the selected device.

For example, to apply a rule that enforces traffic to “WAN 1”, each selected device also needs a WAN called “WAN 1”. For devices without a “WAN 1”, the rule will be excluded.

• The same logic applies to PepVPN profiles available in Priority and Enforced algorithms: the name of the rule’s PepVPN profile needs to match with the name of a PepVPN profile on the selected devices in order for the rule to be applied.

Select the tick box to manage Outbound policies on devices in the group.

Several rulesets containing one or more outbound policies can be created and applied to one or more devices in the group using tags.
Existing Outbound policy rule sets can be imported using a Peplink configuration file or can be newly configured.

Importing Outbound Policy rules

Outbound policies can be created on the local device and imported using the Pepllink configuration file.
To start Click the “Import Rule Set from Configuration File” button.

A window will pop up showing all the Outbound policies available in that configuration file.
This will create a new Outbound Policies Rule Set when saved.
Before saving select the options to enable or disable individual outbound policies.
Select if the rule set should be applied to All Balance and Max devices or a selection of your devices using ‘tags’.

After being saved the rule set will be available from the main Outbound Policy section in InControl.

Creating a new Outbound Policy rule set

Start creating a new rule set by selecting the “Create rule set” button.

Each new rule set contains a “HTTPS_Persistence” rule which makes sure HTTPS sessions are not interrupted when the originating IP address changes mid-session.
Create new rules by using the “Add rule” button.

Configure the following options to create a rule:

Name	Name
Source	Choose between Any (all traffic), IP address, IP Network, MAC Address or Grouped Network as the traffic source.
Destination	Choose between Any, IP Address, IP Network, Domain Name, PepVPN Network, Grouped Network, SaaS or Region.
Protocol	Choose between Any, TCP, UDP or IP address to define the traffic kind. Port numbers for certain traffic can be configured using the port number or select the protocol from the drop-down list (for example FTP, Citrix, SMTP).
Algorithm	Choose the algorithms “weighted Balance”, “Persistence”, “Enforced”, “Priority”, “Overflow”, “Least Used”, “Lowest Latency” and “Fastest Response Time”
Load Distribution Weight	Add the Wan connections and Weight to distribute the traffic proportionally over several WAN connections.
When no Connections are available	This option allows you to configure which action to take when a rule set applied to a WAN that is disconnected or down. Choose between “Drop the traffic”, “Use any available connections or “fall-through to the next rule”

Outbound policies configured on the local device are overwritten or preserved (default) depending on the configuration.

using the SaaS (Software as a Service) option as a destination in the Outbound Policy allows for controlling the way “G Suite” or “Microsoft Office 365” traffic is routed.
Using the region option as a destination allows for controlling traffic to servers in a specific country.

A firewall is a mechanism that selectively filters data traffic between the WAN side (the Internet) and the LAN side of the network. It can protect the local network from potential hacker attacks, access to offensive websites, and/or other inappropriate uses.

The firewall functionality of Pepwave routers supports the selective filtering of data traffic in both directions:

• Outbound (LAN to WAN)
• Inbound (WAN to LAN)
• Between Internal Networks (VLAN to VLAN)

The firewall also supports Intrusion detection and DDoS attack prevention.

Select the tick box to manage Firewall Rules on devices in the group.

Before configuring firewall rules, take note of the following:

A rule set refers to the entire set of rules as defined in the device’s firewall page (Network > Firewall > Access Rules).
When an inbound firewall rule in a rule set specifies a particular WAN only, only devices that have a WAN name identical to the WAN name specified in the rule will receive the rule.
Devices without the specified WAN name will not receive the rule.

For example, to apply an inbound firewall rule that allows traffic to “WAN 1”, the rule will be applied to devices that have a WAN named “WAN 1”. The rule won’t be applied to devices without a WAN named “WAN 1”.

Importing Firewall rules

Firewall Rules can be created on the local device and imported using the Peplink configuration file.
To start Click the “Import Rule Set from Configuration File” button.

A window will pop up showing all the Firewall Rules available in that configuration file.
This will create a new Firewall Rule Set when saved.
Before saving select the options to enable or disable individual firewall rules.
Select if the rule set should be applied to All Balance and Max devices or a selection of your devices using ‘tags’.

After being saved the rule set will be available from the main Firewall section in InControl.

Creating new fire wall rule sets

Start creating a new rule set by selecting the “Create rule set” button.

A firewall rule set consist of one or more Outbound, Inbound and Internal Network Firewall Rules.

The following options are available in the firewall rule settings:

• Outbound Firewall Rules
• Inbound Firewall Rules
• Internal Network Firewall Rules
• Intrusion Detection and DoS prevention

Firewall Rules configured on the local device are overwritten or preserved (default) depending on the configuration.

Using the SaaS (Software as a Service) option as a source or destination in the Firewall Rule allows for controlling
traffic matching the application.

Using the region option as a destination allows for controlling traffic to servers in a specific country.

The Grouped Networks option allows users to define their own grouping of IP addresses, which can be used for creating firewall rules and outbound policy rules.
Instead of creating many individual policies based on a single IP address, a single policy can be created that is assigned to a particular Grouped Network.

To create a Grouped Network select Add Network Group.

A new window opens:

Add the group name and IP ranges and click Save.

The new Grouped Network can now be selected from the Group Policy and Firewall Rules “source” and “destination” options.

Access Control Lists (or ACL’s) are lists of Mac Addresses from network devices which can be used to allow or deny access to SSIDs, Firewall, and Captive Portal profiles within the group.
The option can be found in the menu following group settings > network settings > access control lists and is available to groups that contain Balance, MAX, and AP One devices.

To create a new ACL select Add Access Control List, name the ACL, add the MAC addresses for client devices and save the List.

A VLAN or Virtual LAN is a custom network created from one or more existing LANs.
It enables groups of devices from multiple networks (both wired and wireless) to be combined into a single logical network.
The result is a virtual LAN that can be administered like a physical LAN.

• VLANs defined on a device but not on InControl are “device managed”. InControl will not manage them.
• VLANs defined on both a device and InControl are “InControl managed”, which means that:
• InControl will control their Name, Inter-VLAN Routing option, and Captive Portal settings.
• Their IP settingswill be kept intact.
• When a VLAN is removed from InControl, it will be removed from the device as well.
• If a VLAN gets defined on InControl but not yet on the device, it will be defined on the device as well. Its
• IP address will follow the Default IP Address setting.

Default VLAN

The Default VLAN is the VLAN which all Access Ports are assigned to until they are explicitly placed in another VLAN. … Typically, this VLAN is only relevant on an Access (untagged) ports port, which is a port that sends and expects to receive traffic without a VLAN tag.

The Captive Portal is a webpage that automatically pops up when customers and guests connect to your Wi-Fi or LAN.
Clients can connect using multiple authentication methods, including email, Social media accounts, tokens or even SMS text messages.
A Captive Portal can be configured within InControl to require clients accessing your network to enter a valid logon mode.
The Captive Portal is GDPR compliant and the portal page can be customized.
Captive Portal can be assigned to a VLAN using the VLAN configuration or a SSID (for Pepwave Access Points’s only) using the SSID configuration settings.

Configuration

Open the Captive Portal section from the menu following Group Settings > Network Settings > Captive Portals.

To create a Captive Portal, select the New Captive Portal button and configure the options in the new window.

Enable	Tick box to enable or disable the Captive Portal.
Name	Name of the Captive Portal (identification purposes only)
Company Name	Company Name
Access mode	Enable one or more access modes as the authentication method. There are several access modes to choose from.

Access modes

The following access modes are available to choose from for the Captive Portal Authentication.

Social

Allows clients to log on user their Social Media credentials.Supported applications are Facebook, Google ID, Twitter, Instagram, LinkedIn and Sina Weibo.
Tick the appropriate box to enable these logon methods.
A Social Media ID is optional, a customised background image ad logo will be used when a Social Media ID is configured.

Open Access

Open Access allows unrestricted access to the SSID without authentication; however, access can be controlled using a filter or ACL, and a daily quota can be configured to limit usage.

Email

When email authentication is enabled an email is sent to the client’s email address.
The client gains access after confirming the details in the received email within the configured time allowed for e-mail checking.

Token

Access Tokens can be configured to grant clients internet access using the Captive Portal.

SMS

To enable authentication using SMS you first must configure the SMS service settings for Captive portal in the InControl group settings.

The “SMS” options are similar to the “Token” options.
You have an option to set the length of the tokens and the amount of time for SMS checking in minutes.
Your Wi-Fi users will be asked to fill in their phone number and will receive a token to access the SSID in a SMS (text) message as shown in the image below.

Daily Quota

A Daily Time and/or usage-based bandwidth quota is configurable to limit client access to internet.

Reset Quota

Quota can be reset at a configurable time or after a configurable period.

Guests required to sign in…

The amount of time after guests are required to sign back into the Captive Portal.

The options are once only, every day or after a quota reset (which is the default setting) or every time they connect to the SSID.

Allowed Networks and Clients

Access to the Captive Portal can be restricted by only allowing devices with a certain domain name / IP address, IP subnet or MAC address or selecting a ACL (Access Control List) from the drop down list.

Landing Page

A landing page is the URL that is opened after clients connect to the SSID

This feature is not compatible with Android devices.
Clients can be redirected to a URL of choice or shows a start-browsing button instead.

Preview and customization

The Captive Portal can be previewed and customized within InControl
The Splash Screen and Signed-In Screen Text, Language, Colour, Logo and Background Image can be edited by following the Preview and Customization link.

The options to create a new profile depend on the chosen topology. In the example below is described how to create a profile choosing the star topology.
Steps to create profiles using other technologies are almost identical to each topology; options that are not compatible with a topology are not displayed or configurable.
Choose between the following topologies when creating a new Speedfusion profile.

Star Topology	In a star topology, every host is connected to one central hub. This is also known as a hub and spoke topology.
Fully Meshed Topology	A PepVPN/ SpeedFusion connection will be created between all devices selected using this topology.
Point-To-Point Topology	A PepVPN/ SpeedFusion connection will be created between the two devices selected using this topology.

To start creating the profile select Add Profile.

Choose the topology of choice; Star, Fully Meshed or Point-to-Point

First select the device acting as the hub from the group and device drop down lists.

The Hub device IP addresses and host names will be automatically filled with the IP addresses known by InControl, but these can be changed manually if needed.

Next, elect the End Point Devices.

Several profile options need to be configured in the next step:

SpeedFusion profile Name

Name of the Speedfusion profile

Dynamic Links

When ticked this option allows individual links in this profile to be dynamically enabled whenever both the hub and endpoint devices have a preselected ‘trigger’ tag applied to them.

This is commonly used with the geofencing options to allow hubs to service specific geographic areas.

Encryption

Enable 256-bit AES encryption or turn encryption off.

Nat Mode

Note: NAT Mode and Layer 2 Bridging options cannot both be active at the same time.

Data Port

This is the outgoing UDP port number for transporting VPN data. By default, UDP port 4500 is used.

Send all traffic to remote Hub

By default, only traffic that is destined for the remote hub will use the PepVPN /SpeedFusion tunnel. Other traffic, like internet browsing, will be routed directly to the internet, not via the remote hub.
When this option is selected, all traffic will be sent through the PepVPN / SpeedFusion tunnel.

Link Failure Detection Time

Sets the maximum time a link can remain idle before a health check packet is sent to ensure connectivity. This is 15 seconds by default.

Setting shorter detection times will increase the frequency of health checks and incur a higher maximum bandwidth overhead.

Path Cost

Base OSPF cost used to determine the best route through the network.
The higher the cost the less preferable the route (i.e. traffic will prefer the path with the lowest cost.)

Maximum allowable difference in round trip time (in milliseconds) between the highest and lowest latency connections.

Max Latency Diff

Connections exceeding this limit will be temporarily unused for data transfer until latency conditions improve.

Note

Field to add notes.

Select the next button to show a summary of the new PepVPN/SpeedFusion profile.
Check the profile settings before saving the profile by selecting the Finish button.
You Speedfusion VPN profile has now been configured and will be pushed to the devices the next time they are online.

When creating the PepVPN /SpeedFusion profiles an option can be selected to show advanced settings for each configuration.
These advanced settings can be used to manipulate the data traffic in the SpeedFusion profile and overcome common problems.

The following advanced settings are configurable from inControl:

Suppress Endpoint IPs

Removes endpoint IP’s from the hub site configuration. This will prevent unnecessary configuration updates (and link disconnections) on the hub site whenever one of the endpoint IP addresses change.

Unless your network requires that PepVPN connections must be initiated from the hub site, enabling this option is recommended.

If hub-initiated connections are required, configuration update frequency can be reduced by enabling dynamic DNS addressing on the associated endpoints.

L2 Bridging VLANs

NAT Mode and Layer 2 Bridging options cannot both be active at the same time.

These settings are common to all PepVPN Layer 2 bridges on each device, and will cause issues if set differently in multiple profiles

The configuration precedence is as follows

Remote Network Isolation	Enabled	Disabled
Spanning Tree Protocol	Enabled	Disabled
Site IP Address	Do Not Override	By DHCP	As None

This setting is currently unable to be used when multiple tunnels are configured between a single pair of devices.

Link Settings

Settings for individual links within the PepVPN SpeedFusion tunnel can be configured in the Advanced Link Settings.
A new window will open after selecting this option.

Link Name

Rename the default link name.

Tunnel Name

Rename the Tunnel Name.

Data Port

Set a custom data port (Default UDP 4500) to be used for this link including an option to use TCP.

WAN Smoothing

WAN Smoothing can prevent packet loss without incurring any latency penalty, at the cost of a substantial bandwidth overhead.
This is suitable for streaming applications where the average bitrate requirement is much lower than the WAN’s available bandwidth.

The expected overhead of Normal is up to 100%

The expected overhead of Medium is up to 200%

The expected overhead of High is up to 300%

The expected overhead of Maximum depends on the number connected, active tunnels

Smoothing Cap

In cases where there the number of active WAN-to-WAN connections is lower than the WAN Smoothing setting, smoothing data can be sent multiple times across the same connection.

Default	Each connection will be limited to the primary smoothing stream.
Normal	Each connection will allow a single redundant stream.
Medium	Each connection will allow up to two redundant streams.
High	Each connection will allow up to three redundant streams.

This option is only available on devices running firmware 7.1.1 or above.

FEC

Forward Error Correction (FEC) can help to recover packet loss by using extra bandwidth to send redundant data packets. Higher FEC level will recover packets on a higher loss rate link.

The expected overhead of Low is 13.3% and High is 26.7%.

This option will only be active on links where both peers are using PepVPN version 8.0.0 or above.

Path Cost

Base OSPF cost for the individual link used to determine the best route through the network.

The higher the cost the less preferable the route (i.e. traffic will prefer the path with the lowest cost.)

Receive Buffer

Receive Buffer can help to reduce out-of-order packets and jitter but will introduce extra latency to the tunnel.
By default, the buffer is disabled, with a maximum buffer size of 2000 ms.

This option is only available on devices running firmware 7.1.0 or above.

IP ToS

If enabled, the ToS value of the data packets will be copied to the PepVPN header during encapsulation.

Max Latency Diff

Maximum allowable difference in round trip time (in milliseconds) between the highest and lowest latency connections.

Connections exceeding this limit will be temporarily unused for data transfer until latency conditions improve.

Upload Cap

Maximum upload bandwidth for this link.

This value will be reduced to a value no higher than the peer’s maximum download bandwidth for this link.

Advanced WAN Settings

The WAN priority can be modified within this section.

Only the WAN connection(s) with the highest priority will be utilized, with the connection failing over in order of priority. Speedfusion-capable devices may set multiple WAN connections to the same priority.

SpeedFusion can be viewed and monitored using different views.

PepVPN / SpeedFusion Live Status – Map View

PepVPN / SpeedFusion Live Status – Map View and Logical View

PepVPN / SpeedFusion Live Status – Tabular View

SSID or Service Set IDentifier is the name for a wireless network.
SSID’s can be assigned to one or more devices in your InControl organizayion.

Start configuring a new SSID by clicking the Add New SSID button.

The following options are configurable:

SSID name

Enter an appropriate name for the SSID, if #### is used in the name the sequence will be replaced with the last 4 digits of the device’s serial number

SSID Availability

Select the devices that need to have this SSID assigned using “Tags”

Security Settings

Configure the security and encryption settings of the SSID.
The available options are WPA/WPA2 Personal and Enterprise.

Layer 2 Isolation, which blocks communication between Wi-Fi clients within the same SSID, can be enabled from this section.

SSID Visibility

Choose to show or hide the SSID; this option only hides the name, not the network itself.

Guest Protect (Pepwave AP only)

The “Guest protect” feature is often compared to “Layer 2” isolation.

While Layer 2 isolation blocks communication between Wi-Fi clients within the same SSID, the “guest protect” feature will block communication between a Wi-Fi client and wired clients within the same VLAN and clients from other VLANs.

This feature can be enabled for devices on a custom subnet.
The custom subnet field accepts IP subnets in CIDR format separated by a carriage return. E.g.:

192.168.30.0/24
10.8.0.0/16
169.254.169.254/32

Bandwidth Management (Pepwave AP only)

A Bandwidth limit can be configured for the whole SSID or for individual clients connected to this SSID.
QoS or network priority can be assigned to the SSID traffic using 3 categories (gold, silver and bronze). With Gold being the highest priority and bronze the lowest.

VLAN Settings

The option to assign a VLAN to this SSID and tag the traffic can be enabled within the SSID VLAN settings.
In order to implement VLANs, the routers and switches within the network must support VLANs.

MAC Filter

To restrict access to the SSID enter the MAC addresses you wish to block or allow access to a specific SSID.

Multicast Settings

Multicast is a form of communication that allows multiple transmissions of multimedia and streaming data to specific recipients at the same time. When Multicast Filter is enabled any multicast traffic to the wireless SSID will be discarded.

The multicast rate is the minimum speed that a wireless device must be able to communicate at in order to connect to the router. The Multicast Rate can be selected from the drop-down list.

When enabled, IGMP Snooping monitors IGMP communications among devices and optimizes wireless multicast traffic.

Radio Selection

Select if the SSID is broadcasting on 2.4 GHz, 5 GHz or both.

Maximum Number of Clients

Configure the maximum number of clients on each frequency (2.4 GHz / 5 GHz).

Schedule

Select a time schedule for the SSID to be broadcasted

Captive Portal Settings

Select a Captive Portal to be assigned to the SSID.

Manage and configure the radio settings for the Wi-Fi enabled devices on group or device level from this section.

Operating country, Default band for Dual-band Radio and Preferred Protocol settings can be configured at the group level.

The following options can be configured by selecting one or more of the devices in the group:

Band	Select between 2.4GHz and 5 GHZ
Channel	Select a broadcast channel
Channel Width	Select between 20/40 MHz or Auto
Output Power	This Custom option is available for AP firmware 3.6.1 or above, and Balance/MAX firmware 8.0.0 or above. If a power value larger than a radio can support is inputted, the radio’s max power will be applied.
Boost	Boost the power to the maximum device capability (may exceed regulatory limits)
Max. Clients	No more connections to the SSID will be accepted when the number of connected clients reaches this amount.
Minimal Client Signal Strength	Clients with signal strength lower than this value will not be allowed to connect. Default: Unlimited

Advanced Settings

Check the box to enable network discovery.
Note that setting Channel to Auto will activate this feature automatically.

The scanning interval and time can be configured in this section.

The checkbox next to WMM enables Wi-Fi Multimedia (WMM) on your access points.

Wi-Fi Multimedia (WMM), previously known as Wireless Multimedia Extensions (WME), is a subset of the 802.11e wireless LAN (WLAN) specification that enhances quality of service (QoS) on a network by prioritizing data packets according to four categories.

WMM defines four access categories (voice, video, best effort, and background) that are used to prioritize traffic to provide enhanced multimedia support.

AP Availability Schedule

A configured schedule can be applied to one or more device to turn AP radios on and off according to that schedule.

This section only becomes available after a schedule has been configured in the device schedule section .

The Organisation Level SIM Card Reports section gives access to a detailed overview of all SIM Cards in usage in a specific organisation.
The Group Level SIM Card Reports section shows the same information as the Organisation Level SIM Card Reports, but on a Group level.

Custom pools of SIM cards can be created to report on data usage for each SIM Pool.
Reports on data usage are also available per cellular provider and per individual SIM.

SIM Pool Data Usage

A SIM pool profile monitors the total data usage of a collection of SIM cards in billing cycles. SIM cards are specified by their IMSI identifier, which could be specified in more than one SIM pool. Carrier Pools are system-generated pools for every carrier and for all carriers. Their IMSI’s are automatically maintained. Custom Pools are user-defined and maintained.

To create a new SIM Pool, select the “New SIM Pool” button.

A window pops up allowing the administrator to set the details of each SIM Pool.
Features included are Monthly Bandwidth Usage, Initial SIM Pool Usage, start day of each month for bandwidth calculation, and configurable email notification when bandwidth usage reaches a certain level.

Click on the report icon to show a Monthly Bandwidth Usage Report for a SIM pool

The usage report is interactive, click on the “hamburger” menu to download the chart, select points in the charts to see more details.

Per-SIM Daily Data Usage

Per-SIM Daily Data Usage can be downloaded in csv format in this section.
Add one or multiple IMSIs to the matching filed and select a date range.
The result is a report showing usage in KB per day.

Devices and SIM Cards

A detailed, searchable overview of Devices with SIM cards within an Organisation is available in the Devices and SIM cards section of the Organisational Sim Card Reports.
The complete report can be downloaded as csv file for further editing in other applications.

This Wi-Fi reports section is identical to the group’s device reports and is available on the group level and device level.
This report shows information about clients connected to Wi-Fi only.
The SSID usage table is helpful for checking which of the access points has the highest usage

The Group Usage Report shows hourly, daily, and monthly
usage statistics for the devices in a group.
The report can show the statistics for
Hover your mouse over datapoints in the chart to display the data used in the selected time periods.
Click on the categories underneath the chart area to hide or show the selected category (Download, Upload or Total)

The same data is displayed in a table underneath the chart.

The Captive Portal Reports section shows detailed information about clients and sessions that have been connected to a Captive Portal during the selected period. The report is divided in several sections.
The report is available on Group level and Device level.

Summary

The summary shows the amount of guest clients, sessions, data usage, average session time and average session usage for the selected time period.

Portal Access

Overview

As the title implies this section shows an overview of the Captive Portal usage. The following details are displayed in the table.

Date	Manufacturer name based on MAC address
Sessions	New session count: sign-in’s into existing sessions are not counted
Sign-In Page Views	Number of sign-in page views
Guest Clients	Number of unique clients that visited the sign-in page
Successful Sign-in’s	Number of redirections to the landing page
Failed Sign-in’s	Number of times the sign-in failed page is displayed*
Total Data Usage	Total data usage of sessions, including temporary sessions for the sign-in process.
Total Session Time	Total session time, including time usage on temporary sessions used for the sign-in process.
Avg. Session Time	Average session time

* Typical examples of sign-in failures are an invalid email address entered in email access mode, and invalid token code, attempt to sign in after a quota has exceeded.

Visits in Each Access Mode

This section shows sign-in statistics for each configured Captive Portal and each configured Sign- In Type. Other data shown here includes:

Guest User Information Download

The Guest User- User Information report can be download in CSV format.
After agreeing to the InControl Data Sharing Policy the following user information can be collected and viewed, depending on the configured Access Mode.

Access Mode	Social Network ID	E-Mail Address
Mobile Number	Name	Gender
Country	Visit Count	First Login time
Last Login Time	Market Opt-In

E-mail Reports

Captive Portal reports can be e-mailed automatically on a daily, weekly or monthly basis by enabling this option.
After choosing a schedule, select the recipients in the drop-down list.
Add the email addresses of the recipients when using “other email addresses” and save the changes to activate the e-mail reports.

The Group Level Device Reports section gives access to an overview of all devices and connected clients in a specific group.
The report is divided in several sections.

By default, a time period of the last 7 days is selected, this can be changed in the top of the page to a daily, monthly or custom time period.

Summary

The summary shows the sum and average amount of daily clients that used bandwidth.
It also shows the total usage of all clients for the selected time period and the average daily per client data usage.

Usage

The next section shows a chart showing the total Bandwidth Usage of all devices in that group for the selected time period. 
Hover your mouse over datapoints to see the detailed usage, which can also be downloaded as CSV using the link under the chart.

Top devices

A table of devices in the group showing the following information

Name	Device host name
Model	Device model
Usage	The amount of data consumed by all clients per devices in the selected period
Clients	The number of unique clients with bandwidth usage in the selected period
Internet Availability	Internet availability per device in the selected period
Device Availability	Device availability per device in the selected period

Top Clients by usage

Table showing the client’s bandwidth usage figures on all devices within the selected period.

Name	Device name*
Upload	Upload bandwidth usage
Download	Download bandwidth usage
Total	Total bandwidth usage
% Usage	%usage calculated by total bandwidth used in a group

* The clients name by default is the client’s Mac address with the assigned IP address in brackets.
Client names can be edited in the device’s web admin GUI.

The Clients Name links to a page with detailed information about that individual client.

Top Client Device Manufacturers

Manufacturer	Manufacturer name based on MAC address
# Clients	Number of clients of the same manufacturer
% Clients	Percentage of clients of the same manufacturer
Usage	Total bandwidth usage per manufacturer
% Usage	% usage per manufacturer

Clients

“Clients with usage” represents the number of unique clients who have accessed devices and consumed data on each indicated date.
“Connected Wi-Fi Clients” represents the number of connected Wi-Fi clients only. Ethernet clients are excluded.
Clicking on the bars for any date will open a chart displaying the connected client count figures for each hour.
 If a client was connected for multiple hours, the client will be counted once each hour.
However, the client will be counted only once for the daily count.

The Device Level Device Reports section gives access to a detailed overview of client devices that have connected to the router.
The report is divided in several sections.

By default, a time period of the last 7 days is selected, this can be changed in the top of the page to a daily, monthly or custom time period.

Summary

The summary shows the sum and average amount of daily clients that used bandwidth.
It also shows the total usage of all clients for the selected time period and the average daily per client data usage.

The image below shows a chart showing Internet and Device Availability in the selected time period.

Internet availability Total amount of InControl online time of the device in the day / Total uptime of the device for a specific day
Device availability Total uptime of the device in a specific day / 24 hours

Top Clients by usage

Table showing the client’s bandwidth usage within the selected period.

Name	Device name*
Upload	Upload bandwidth usage
Download	Download bandwidth usage
Total	Total bandwidth usage
% Usage	%usage calculated by total bandwidth used in a group

* The clients name is the client’s Mac address by default with the assigned IP address in brackets.

The Clients Name links to a page with detailed information about that individual client.

Top Client Device Manufacturers

Manufacturer	Manufacturer name based on MAC address
# Clients	Number of clients of the same manufacturer
% Clients	Percentage of clients of the same manufacturer
Usage	Total bandwidth usage per manufacturer
% Usage	% usage per manufacturer

Clients

This section contains a chart showing the connected clients with usage and connected Wi-Fi clients

Clients with usage represents the number of unique clients who have accessed the device and consumed data on each indicated date.
Connected Wi-Fi Clients represents the number of connected Wi-Fi clients only.
 Ethernet clients are excluded.

Clicking on the bars for any date will open a chart displaying the connected client count figures for each hour. If a client was connected for multiple hours, the client will be counted once each hour. However, the client will be counted only once for the daily count. Clients are identified primarily by MAC address, and then by IP address.

Deep packet inspection (DPI) is a type of data processing that inspects in detail the data that is being sent from the router.
Deep Packet Inspection reports are only available on InControl, on supported devices.

Supported devices:

Balance: ​30 LTE HW3, One, 210 HW4, 310 HW4, 305 HW2, 380 HW6, 580 HW2, 710 HW3, 1350 HW2, 2500
MAX:​ HD4, Transit, HD2 Mini, 700 HW3, HD2 HW5, BR1 ENT
MediaFast: ​200, 500, 750, HD2, HD4

DPI needs to be enabled in the Device Details before the data is collected.
Select “edit” and scroll down to the “Enable DPI” section and switch the button to “ON”.
The DPI report will become available after the changes have been saved.

Using the Deep Packet Inspection reports, you have insight in the type of traffic that passes through your router, how big a percentage of the bandwidth they occupy and during what time.

For example, in the above pie chart, you can identify that “HTML5 video” accounts for 20.8% of the total bandwidth used.

The WAN Quality report is a helpful tool when investigating WAN connectivity issues.
The chart contains the following information depending on the chosen WAN connection.

Data	Description	WAN Type
3G -RSSI	3G – Signal Strength	cellular
LTE – RSRP	LTE – Signal Strength	cellular
3G- Ec /Io	3G – Signal Quality	cellular
LTE – SINR	LTE – Signal Throughput	cellular
LTE – RSRQ	LTE – Signal Quality	cellular
Latency	Latency	Cellular / Wired

A specific date can be chosen using the date selector.
The time period can be selected in the chart.

When hovering over data points in the chart additional information is shown.
When using cellular WAN datapoints, this contains information about the carrier, band /frequency, mobile country and network code (MCC /MNC).

View detailed information about bandwidth and usage of your router in this section.
To see more information, select different checkboxes, options from drop-down lists and points in the available charts.

Choose to see a chart with Real-Time or Per-Minute Bandwidth usage, or view a chart showing the hourly, daily or monthly bandwidth usage.

From the drop-down list select all WANs or an individual WAN.

Click on a specific day to view top client usage and PepVPN bandwidth usage.
The client name in the Top Client Usage table links to a report on an individual client device.

The Event Log, available in Group- and Device Level, keeps track any kind of system events.
By default, System, Speedfusion and Admin events are visiable, but other options can be included by selecting the checkbox for that category.

There is a search function to search for specific events, which is particularly useful when searching for events involving specific mac addresses, IP addresses or tags.

This report shows the up and down history for each available WAN and PepVPN profile.
Choose the WAN connection form the drop-down list to view the details.

Available from Firmware 8.1.1.
The Airprobe report – airmonitor is available for models with an access point when this feature is turned on in the support.cgi page of the Peplink router.

The support.cgi page can be accessed from the local web admin interface
If you are accessing your device via IC2 from the Remote Web Admin feature, you’ll see this:

.ic.peplink.com/ra/remote//cgi-bin/MANGA/index.cgi
Change the index.cgi to support.cgi

Once enabled the WiFi Air Monitoring report will be available in InControl from the Device Level > Reports menu

Report Details

The AirMonitor report shows the Wi-Fi utilization, channel utilization, packet distribution, and signal strength for each Wi-Fi device.
The report shows which devices are connected to which hotspots at a glance.
By drilling down in several parts of the report (nodes, or channels), detailed information about access points, connected devices, SSIDs and signal strength is shown in clear charts that can be printed or downloaded separately by clicking on the menu icon in the top right corner of each
individual chart.

Select a report date, time and channel and click retrieve

A Nodes and Utilization chart will show the utilization of WiFi channels on the report.

Utilization Chart

When hovering the mouse pointer over a channel in the Utilization chart, details of the Utilization is shown.
Click on a column to view the channel’s details and the following chart becomes visible.

This shows the data type and rate being used on that channel.
The Type chart shows the percentage of Data, Control and Management traffic which in its turn shows the percentage of what kind of packets are being transmitted in that Channel.

The Rate chart shows the Data rate (or throughput) of data within that channel, which is used to indicate the speed of a wireless connection.

The Nodes Chart

The Nodes chart shows columns of each channel with the amount of Access Points, Stations and Station probes transmitting on these channels.
Choose to show nodes from neighbouring channels by toggling the box in the top left corner.
Clicking on a column shows a table with all connected devices on that channel.
Details of each device shown are Mode, Channel, Mac Address, SSID, Encryption, Utilization, Retries and Max. RSSI.
Selecting the device will show connected clients to that device as shown in the chart below.

AP Distribution

The AP Distribution chart shows which access points are transmitting on which channels with the received signal strength.

The device details page shows a dashboard with all relevant information about a device.
The Show All link behind the Device Name shows additional information.

The available information available depends on the device model; only supported features are shown on the dashboard.

Detailed WAN information is available when clicking the Details link next to each WAN connection.
The information available includes:

Device Name	Serial Number	LAN MAC Address	Model
Product Code	Hardware Revision	Cellular Module	Tag
Find My Peplink Address	Web Admin Authentication	Uptime	Online
First Appeared	Last Config Applied	PepVPN / SpeedFusion Peer Connections	History (link to Event Log)
Firmware version	Last Config Updated by	Configuration Backups	Warranty and InControl Subscription Status
Feature Activation	LAN and VLAN IP address information	WAN Priority information	Cellular Network
WAN Type	WAN IP Address	IP Subnet	Routing Mode
MTU	SIM Card IMSI	SIM Card ICCID	SIM Card MTN
MEID HEX	IMEI	Carrier	Carrier Settings
APN	Username	Password	Cell ID
Network (LTE, LTEA)	Network Band	Signal Strength (RSRP: -x dBm RSSI: -x dBm)	Signal Quality (RSRQ: -x dB)
Health Check Method	WAN status	Connection Method	Routing Mode
Current Usage	Number of Clients	CPU Load	Location details and map
WAN and LAN port details	Power Consumption	Fan Speed	Temperature
Management VLAN IP	Connected GE ports	Connected SFP/SFP+ ports

The Device Name, Tags, Location, Time Zone, Notes and Map Marker can be changed after selecting the edit link.

The Map Marker used for your Peplink can be changed to reflect the installation of the device.
The selected marker will only be displayed on the Device Details map.

The Cellular WAN details are extremely useful when troubleshooting.
Not only signal strength and quality are shown, but other about the SIM can be found here if an issue needs to be reported including:

ICCID	(Integrated Circuit Card Identifier) identifies each SIM internationally; it is the SIM cards unique identifier.
IMSI	The unique International Mobile subscriber Identity. It is stored inside the SIM.
MNC	Mobile network code
MCC	Mobile country code
IMEI	(International Mobile Equipment Identity) number of a mobile phone is a 15-digit number unique to a mobile handset.

The first 3 digits of the IMSI is the Mobile Country Code (MCC) and the following 3 digits is the Mobile Network Code (MNC); together this information uniquely identifies the mobile phone network the phone is currently connected to.

Using the “Find My Peplink” feature, you can look up your device and find the IP addresses of all its healthy public WAN connections using a DNS hostname.

Find My Peplink is disabled by default. To activate it, follow the instructions below:

On your device’s IC2 management page, click the edit button next to the device name (near the top left corner).
Scroll down and click the on/off button next to Find My Peplink Service.
Click the On Button and change your Find My Peplink Address if desired.
Please note that each address needs to be unique, and are given on a first come, first served basis.

The Wan and LAN port information is shown for supported models.
It shows the available WAN and LAN ports and their status.

The port list shows the port status, name, speed, port type, VLAN and RSTP.

Port status glossary:

Ports can be edited from this section by selecting an individual port.
Ports can be enabled or disabled, if PoE can be enabled or disabled separately.
The port speeds, type and VLAN access can be configured here too.

The Remote Web Admin tool in Peplink’s InControl allows for single click access to the admin web interfaces of your remote Peplink devices without the need for a static IP address.
Select Remote Web admin within the device settings, which will open a new tab redirected to an authenticated router admin page.

When selecting the WebCLI a new tab opens within the browser with a CLI connection to the device.
The CLI + SSH guide with supported commands is available on the Peplink website.

Select one of the following device tools from the command drop down list.

Ping

Traceroute

Remote Assistance

If you have a firewall in front of the device, you will need to make sure that it allows access to ra.peplink.com through TCP port 443

Reboot

Reset to Factory details