Feature Overview

This page provides a high level overview of the supported and planned flexiWAN features. Schedule and content of versions may change without further notice.

Summary of supported and planned features

Feature Summary
Feature Supported?
Debian based installation
Zero-Touch Provisioning
Multi-Tenant Accounts and Users
Organization based inventory
IPSec over VxLAN tunnels
Flexible tunnel configuration: Full-Mesh, Hub & Spoke, Partial-Mesh
Tunnel quality metrics
Application Identification (L3/L4)
Multiple WAN/LAN interfaces
Application based path selection policy
Internet Breakout
DHCP server
Static routes configuration
Dynamic flexiEdge configuration changes
Monitoring & Dashboards
flexiEdge error detection and notifications
Credit card based billing
Scheduled auto software upgrade of flexiEdge
Northbound REST API and access keys
Troubleshooting improvements
WAN side DHCP
Devices handling and viewing improvements
More NAT Traversal options
Monitoring enhancements
Additional, non-ethernet, interfaces (LTE, WiFi)
flexiEdge side APIs and UI
Security features Q2/2021
Advanced QoS Q2/2021
Quality based routing Q2/2021
Additional applications and application framework On-Going
More enhancements based on customer input and priorities On-Going

Feature Description

flexiEdge Installation

The flexiEdge software is a debian package installed on Ubuntu 18.04 LTS. The flexiEdge software can be installed on various architectures such as:

  • Bare metal
  • Virtual Machine
  • AWS cloud server
  • Support for additional installation environments will be prioritized and added based on user feedback

Since the installation comes as a package, it allows installation on a customized Ubuntu. The installation adds all the necessary components required for running the flexiEdge router including VPP, FRR, and flexiWAN Agent. All components are installed as Ubuntu systemd services.

On installation, the software performs various system checks for both Hardware and Software configuration. The system checker allows to fix Software configuration issues but does not block the service from running.

The agent provides various CLI commands for troubleshooting such as starting, stopping, resetting, and showing of information.

For more information, please refer to the flexiEdge Installation section in the documentation menu on the left.

Zero-Touch Provisioning

The flexiEdge connects with flexiManage using a token created in flexiManage. Only one token is required for all flexiEdge devices of the organization. The Token is placed in a specific file in flexiEdge and can be copied to all flexiEdge devices. On registration, the flexiEdge device automatically gets a unique, per-device token, and use it for its connection and authentication with flexiManage. A pre-defined image that contain the organization token, will register automatically without further interaction required by the user (Zero Touch Provisioning).

To prevent the connection of non-permitted devices with flexiManage and the organization’s network, the device must be explicitly approved on flexiManage after registration. Once approved, the flexiEdge device connects to flexiManage and is fully operational and managable by flexiManage.

Multi-Tenant Accounts and Users

flexiManage is a multi-tenant, multi-user and multi-organization system. This allows for hierarchy between organizations in the account. A typical use of the multi-tenant capability will be for an MSP, SI or VAR to create in his account an organization for each of his enterprise customers while managing them from one central location and account (single login). It is important to note that each organization has its own Devices inventory and network. The network of each organization (e.g. enterprise) is isolated and one organization can’t access the network of the other organization.

Every user has access permission to various account resources. Users at an account level and organization level can invite other users with the same rights or less.

Refer to Account and Users Management page for additional information.

Organization Network Inventory

Each organization has an inventory that contains flexiEdge devices, tunnels, tokens, path labels, and application identification. Network operations are done at the organization level. For security reasons, each organization is isolated in terms of the inventory and it is not possible to create tunnels between networks of different organizations, however users with account or group access can view and operate different organizations under the account or group to which they have access permissions to.

Devices

Every registered flexiEdge device is shown in flexiManage with its status. flexiManage collects information for every connected flexiEdge device. The information includes general configuration parameters, interfaces, monitored statistics and health, routes, device logs and internal configuration. Device configuration can be dynamically changed while the device is running.

Tunnels

flexiWAN supports IPSec over VxLAN tunnels. The tunnel structure is shown in the figure below:

@startuml
skinparam defaultTextAlignment center
rectangle PKT [
   VxLAN + UDP
   --
   IPSec Tunnel
   --
   GRE
   --
   Original Packet
]
@enduml

The tunnels are connected through the WAN interface, where LAN subnets are learned across the tunnels using OSPF. Every tunnel is created between two flexiEdge devices using loopback interfaces (one per router) in the subnet range of 10.100.X.Y/31. Internally, subnet 10.101.X.Y is also used. As shown in the next figure, in order to send packet to a given tunnel, the traffic is routed to the tunnel next hop which is the loopback address of the other tunnel side. Packets going through the tunnel do not pass NAT and use VxLAN UDP ports 4789 for both tunnel sides.

@startuml

skinparam linetype ortho

left to right direction
skinparam rectangle {
   borderColor Transparent
   backgroundColor Transparent
   fontColor Transparent
   stereotypeFontColor Transparent
   shadowing false
}

node "flexiEdge" as FE {
   usecase "LAN" as LAN
   rectangle GRP1 {
      usecase "LB1" as LB
      queue "VxLAN IPSec" as TUN
   }
   rectangle GRP2 {
      usecase "LB2" as LB2
      queue "VxLAN IPSec" as TUN2
   }
   rectangle GRP3 {
      usecase "R" as R
      usecase "WAN" as WAN
   }
   node "NAT" as NAT
}
cloud "Public Internet" as INET

LAN -- R
R -- LB
R -- LB2
R ---- WAN
WAN -- NAT
NAT -- INET
LB -- TUN : 10.100.0.4/31
LB2 -- TUN2 : 10.100.0.6/31
TUN -- WAN
TUN2 -- WAN


@enduml

The system supports flexible tunnel configuration such as full mesh, hub and spoke or any other combination. Tunnels are easily created by selecting devices and adding tunnels. Full mesh tunnels will be created across all selected devices.

The tunnel IPSec parameters are:

  • IPSec Protocol: ESP
  • IPSec Mode: Tunnel mode
  • Crypto Algorithm: AES-CBC-128
  • Integrity Algorithm: SHA-256-128

flexiWAN measures connectivity, latency and loss across the tunnel end-points. Every flexiEdge runs ICMP echo request every second and measure the round trip time (RTT) and loss based on these packets. If any path exists between the two end-points, the tunnel status will presented as connected.

Path labels

Path labels offer a powerful way to organize networks and tunnels in flexiWAN. Path labels define unique underlay networks scheme where each label represent a separate logical underlay networks.

Application Identification

The flexiEdge devices have the capability to identify network applications based on IP and Ports. Occasionally, a flexiWAN cloud service generates a list of rules and categorization for every network application. This list is read by every flexiManage instance and is pushed to the flexiEdge devices it manages. The administrator can define new applications specific for the organization or modify the categorizations of the provided applications. The applications are then used for traffic classification in various policies (such as Path Selection).

Refer to Application Identification page for additional information.

Multiple WAN/LAN interfaces

flexiEdge supports multiple WAN/LAN access interfaces and a different gateway for every interface. An application based policy is used to select the outgoing WAN interface for a given application.

Application based Path Selection policy

Path Selection policy enables application based routing in flexiWAN. With Path Selection and its policies, users can decide through which WAN interface certain traffic is routed. It also brings load balancing, redundancy, traffic differentiation and blocking of applications.

Refer to Path Selection Policy page for additional information.

Internet Breakout

Any flexiEdge device allows to send traffic directly to the Public Internet without going via the tunnel. Any traffic that goes to the Public Internet passes through NAT in order to hide the internal network (LAN) IP addresses.

The selection of Public Internet or Tunnel is based on routing. In a typical deployment, the internal network / LAN are accessible via the tunnel and any other traffic is routed via the default gateway which points to the Public Internet. This default behavior could be modified using static routes. Refer to the static routes page for more information on how to define static routes

NAT Traversal

NAT traversal is the ability to create tunnels when the traffic passes through NAT.

NAT traversal is supported for:

  • Public IP and Port learning using STUN (default)
  • 1:1 NAT (such as DMZ or AWS elastic IP)
  • Using port forwarding on the access device (for the VxLAN port 4789)

The STUN mode allows to create a tunnel even when the flexiEdge device is located behind an access device and NAT. On the creation of the VxLAN tunnel, each flexiEdge device opens a NAT pinhole throught the access router to the other device using STUN and learns the public IP and port. The tunnel is created using the learned IP and port.

DHCP server

flexiEdge devices support DHCP server configuration per device. The DHCP server allows for LAN side end-points to auto connect to the device and get its IP and DNS server. The DHCP server supports static MAC based lease.

Static Routes

In some environments specific subnets are not learned by routing protocols. flexiManage allows to define static routes per device to route specific subnets to a desired interface and gateway.

Refer to Static Routes page for additional information.

Monitoring & Dashboards

flexiManage collects statistics per device and shows the bits per second (BPS) or packets per second (PPS) per device (in the device info page) or for the entire network (in the dashboard)

The dashboard on flexiManage presents the following information:

  • The network connectivity and status of each tunnel
  • The total network bandwidgh and packets per second

The device page presents network bandwidth and packets per second per device

Notifications

flexiManage collect events from the network and generate notifications. Notifications are measured when:

  • A new software is available and the device is running an old software
  • When a device disconnected from flexiManage
  • When the router stopped running
  • When the tunnel round trip time is high (larger than 100 milliseconds)
  • When the drop rate is high (larger than 50%)

If there are unread notifications, the account owners gets an email once a day. Notifications can be marked as read and the email can be disabled from the account profile page.

Refer to System Notification page for additional information.

Billing

By default, flexiManage allows to register and manage 3 flexiEdge devices for free for an account. To add more flexiEdge devices, the user is required to add a valid method of payment to the system. flexiManage does not store any credit card information and all the billing transactions occurs via a secure, 3rd party billing system. Every account is charged monthly by the maximum concurrent flexiEdge devices registered to the system. The pricing is per registered device regardless of the bandwidth transmitted through that device. The price per device varies based on the number of registered devices and could be seen in the flexiWAN pricing page. The billing is done in the account level and any billing information is accessible only to the account owners.

Refer to Billing System page for additional information.

Software Auto Upgrade

flexiWAN release flexiEdge software updates regularly. These updates include new features and bug fixes. The account owners receives an email with the release update. A notification is shown in flexiManage for devices that require upgrade. flexiManage support backwards compatibility of one major release, devices older than one major release will not be able to connect with flexiManage. Therefore it is recommended to regularly upgrade the devices to the latest release. Upgrade can be done immediately, on a scheduled window or, if not selected, flexiManage will upgrade the device automatically at the date specified as last day for upgrade.

Refer to Software Auto Upgrade page for additional information.

flexiManage and flexiEdge configuration synchronization

flexiManage is the single source of truth, any user or REST configuration is executed with no blocking. When a configuration change required on the flexiEdge device, a job is created which is sent based on its priority. flexiManage makes sure to synchronize the flexiEdge device with the desired configuration and show the device in ‘sync’ status

Northbound API

flexiManage operations can be done via the flexiWAN UI. flexiManage also supports REST based Northbound API to manage and provision the networks.

Refer to Software Auto Upgrade page for additional information.

Troubleshooting

flexiManage provides various troubleshooting capabilities such as show device logs, packet traces, monitor jobs sent to every device

DHCP Client

Allow to provision DHCP client for WAN interfaces. The DHCP client detects an IP change and provisions the relevant tunnels in the network to use the new IP address. This allows to dynamically allocate IPs or move devices between locations and maintain the same network connectivity.

LTE Module

LTE interfaces are not DPDK based and therefore requires a unique connectivity. The LTE device is owned and handled by Linux but connected using a tap interface to VPP for executing the routing and services. The next diagram shows a sketch of the connectivity. Traffic to/from LTE goes between the tap interfaces of Linux and VPP and to the LTE device converting between L2 and L3 packets. This way all flexiWAN features are supported for LTE interfaces as for any other DPDK interface.

@startuml
skinparam linetype ortho
left to right direction
skinparam rectangle {
   borderColor Transparent
   backgroundColor Transparent
   fontColor Transparent
   stereotypeFontColor Transparent
   shadowing false
}
node "Linux" as FE {
   rectangle GRP3 {
      usecase "Local LTE Loopback\n<size:10>(100.97.204.240)</size>" as LB
      usecase "TAP-Linux" as TAP
      usecase "WWAN0" as WAN
   }
}
node "VPP" as VPP {
   usecase "LAN" as LAN2
   rectangle GRP4 {
      usecase "R" as R2
      usecase "TAP-vpp\n<size:10>(100.97.204.240)</size>" as LTE
      node "NAT" as NAT
   }
}
cloud "LTE Network" as INET
WAN -- INET
TAP -- WAN
LAN2 -- R2
R2 -- NAT
NAT -- LTE
LTE - TAP
R2 - LB
@enduml

WiFi Module

Similar to LTE, WiFi devices are owned and processed by Linux and connected using a tap interface to VPP. The WiFi interface is connected via bridge to the Linux tap.

@startuml
skinparam linetype ortho
left to right direction
skinparam rectangle {
   backgroundColor Transparent
   stereotypeFontColor Transparent
   BorderStyle dashed
   shadowing false
}
node "Linux" as FE {
   rectangle "Bridge" as BR {
      usecase "WLAN0" as LAN
      usecase "TAP-Linux" as TAP
   }
   usecase "Local LAN Loopback" as LB
}
node "VPP" as VPP {
   usecase "WAN" as WAN
   usecase "R" as R2
   usecase "TAP-vpp" as VTAP
   node "NAT" as NAT
}
cloud "WIFI Network" as WIFI
cloud "Internet" as INET

WIFI -- LAN
VTAP -- R2
R2 -- NAT
NAT -- WAN
WAN -- INET
R2 - LB
LAN -- TAP
TAP -- VTAP
@enduml