This page provides a high level overview of the supported and planned flexiWAN features. Schedule and content of versions may change without further notice.
Summary of supported and planned features¶
|Debian based installation||✅|
|Multi-Tenant Accounts and Users||✅|
|Organization based inventory||✅|
|IPSec over VxLAN tunnels||✅|
|Flexible tunnel configuration: Full-Mesh, Hub & Spoke, Partial-Mesh||✅|
|Tunnel quality metrics||✅|
|Application Identification (L3/L4)||✅|
|Multiple WAN/LAN interfaces||✅|
|Application based path selection policy||✅|
|Static routes configuration||✅|
|Dynamic flexiEdge configuration changes||✅|
|Monitoring & Dashboards||✅|
|flexiEdge error detection and notifications||✅|
|Credit card based billing||✅|
|Scheduled auto software upgrade of flexiEdge||✅|
|Northbound REST API and access keys||✅|
|WAN side DHCP||✅|
|Devices handling and viewing improvements||✅|
|More NAT Traversal options||✅|
|Additional, non-ethernet, interfaces (LTE, WiFi)||✅|
|flexiEdge side APIs and UI||✅|
|Quality based routing||Q2/2021|
|Additional applications and application framework||On-Going|
|More enhancements based on customer input and priorities||On-Going|
The flexiEdge software is a debian package installed on Ubuntu 18.04 LTS. The flexiEdge software can be installed on various architectures such as:
- Bare metal
- Virtual Machine
- AWS cloud server
- Support for additional installation environments will be prioritized and added based on user feedback
Since the installation comes as a package, it allows installation on a customized Ubuntu. The installation adds all the necessary components required for running the flexiEdge router including VPP, FRR, and flexiWAN Agent. All components are installed as Ubuntu systemd services.
On installation, the software performs various system checks for both Hardware and Software configuration. The system checker allows to fix Software configuration issues but does not block the service from running.
The agent provides various CLI commands for troubleshooting such as starting, stopping, resetting, and showing of information.
For more information, please refer to the flexiEdge Installation section in the documentation menu on the left.
The flexiEdge connects with flexiManage using a token created in flexiManage. Only one token is required for all flexiEdge devices of the organization. The Token is placed in a specific file in flexiEdge and can be copied to all flexiEdge devices. On registration, the flexiEdge device automatically gets a unique, per-device token, and use it for its connection and authentication with flexiManage. A pre-defined image that contain the organization token, will register automatically without further interaction required by the user (Zero Touch Provisioning).
To prevent the connection of non-permitted devices with flexiManage and the organization’s network, the device must be explicitly approved on flexiManage after registration. Once approved, the flexiEdge device connects to flexiManage and is fully operational and managable by flexiManage.
Multi-Tenant Accounts and Users¶
flexiManage is a multi-tenant, multi-user and multi-organization system. This allows for hierarchy between organizations in the account. A typical use of the multi-tenant capability will be for an MSP, SI or VAR to create in his account an organization for each of his enterprise customers while managing them from one central location and account (single login). It is important to note that each organization has its own Devices inventory and network. The network of each organization (e.g. enterprise) is isolated and one organization can’t access the network of the other organization.
Every user has access permission to various account resources. Users at an account level and organization level can invite other users with the same rights or less.
Refer to Account and Users Management page for additional information.
Organization Network Inventory¶
Each organization has an inventory that contains flexiEdge devices, tunnels, tokens, path labels, and application identification. Network operations are done at the organization level. For security reasons, each organization is isolated in terms of the inventory and it is not possible to create tunnels between networks of different organizations, however users with account or group access can view and operate different organizations under the account or group to which they have access permissions to.
Every registered flexiEdge device is shown in flexiManage with its status. flexiManage collects information for every connected flexiEdge device. The information includes general configuration parameters, interfaces, monitored statistics and health, routes, device logs and internal configuration. Device configuration can be dynamically changed while the device is running.
flexiWAN supports IPSec over VxLAN tunnels. The tunnel structure is shown in the figure below:
The tunnels are connected through the WAN interface, where LAN subnets are learned across the tunnels using OSPF. Every tunnel is created between two flexiEdge devices using loopback interfaces (one per router) in the subnet range of 10.100.X.Y/31. Internally, subnet 10.101.X.Y is also used. As shown in the next figure, in order to send packet to a given tunnel, the traffic is routed to the tunnel next hop which is the loopback address of the other tunnel side. Packets going through the tunnel do not pass NAT and use VxLAN UDP ports 4789 for both tunnel sides.
The system supports flexible tunnel configuration such as full mesh, hub and spoke or any other combination. Tunnels are easily created by selecting devices and adding tunnels. Full mesh tunnels will be created across all selected devices.
The tunnel IPSec parameters are:
- IPSec Protocol: ESP
- IPSec Mode: Tunnel mode
- Crypto Algorithm: AES-CBC-128
- Integrity Algorithm: SHA-256-128
flexiWAN measures connectivity, latency and loss across the tunnel end-points. Every flexiEdge runs ICMP echo request every second and measure the round trip time (RTT) and loss based on these packets. If any path exists between the two end-points, the tunnel status will presented as connected.
Path labels offer a powerful way to organize networks and tunnels in flexiWAN. Path labels define unique underlay networks scheme where each label represent a separate logical underlay networks.
The flexiEdge devices have the capability to identify network applications based on IP and Ports. Occasionally, a flexiWAN cloud service generates a list of rules and categorization for every network application. This list is read by every flexiManage instance and is pushed to the flexiEdge devices it manages. The administrator can define new applications specific for the organization or modify the categorizations of the provided applications. The applications are then used for traffic classification in various policies (such as Path Selection).
Refer to Application Identification page for additional information.
Multiple WAN/LAN interfaces¶
flexiEdge supports multiple WAN/LAN access interfaces and a different gateway for every interface. An application based policy is used to select the outgoing WAN interface for a given application.
Application based Path Selection policy¶
Path Selection policy enables application based routing in flexiWAN. With Path Selection and its policies, users can decide through which WAN interface certain traffic is routed. It also brings load balancing, redundancy, traffic differentiation and blocking of applications.
Refer to Path Selection Policy page for additional information.
Any flexiEdge device allows to send traffic directly to the Public Internet without going via the tunnel. Any traffic that goes to the Public Internet passes through NAT in order to hide the internal network (LAN) IP addresses.
The selection of Public Internet or Tunnel is based on routing. In a typical deployment, the internal network / LAN are accessible via the tunnel and any other traffic is routed via the default gateway which points to the Public Internet. This default behavior could be modified using static routes. Refer to the static routes page for more information on how to define static routes
NAT traversal is the ability to create tunnels when the traffic passes through NAT.
NAT traversal is supported for:
- Public IP and Port learning using STUN (default)
- 1:1 NAT (such as DMZ or AWS elastic IP)
- Using port forwarding on the access device (for the VxLAN port 4789)
The STUN mode allows to create a tunnel even when the flexiEdge device is located behind an access device and NAT. On the creation of the VxLAN tunnel, each flexiEdge device opens a NAT pinhole throught the access router to the other device using STUN and learns the public IP and port. The tunnel is created using the learned IP and port.
flexiEdge devices support DHCP server configuration per device. The DHCP server allows for LAN side end-points to auto connect to the device and get its IP and DNS server. The DHCP server supports static MAC based lease.
In some environments specific subnets are not learned by routing protocols. flexiManage allows to define static routes per device to route specific subnets to a desired interface and gateway.
Refer to Static Routes page for additional information.
Monitoring & Dashboards¶
flexiManage collects statistics per device and shows the bits per second (BPS) or packets per second (PPS) per device (in the device info page) or for the entire network (in the dashboard)
The dashboard on flexiManage presents the following information:
- The network connectivity and status of each tunnel
- The total network bandwidgh and packets per second
The device page presents network bandwidth and packets per second per device
flexiManage collect events from the network and generate notifications. Notifications are measured when:
- A new software is available and the device is running an old software
- When a device disconnected from flexiManage
- When the router stopped running
- When the tunnel round trip time is high (larger than 100 milliseconds)
- When the drop rate is high (larger than 50%)
If there are unread notifications, the account owners gets an email once a day. Notifications can be marked as read and the email can be disabled from the account profile page.
Refer to System Notification page for additional information.
By default, flexiManage allows to register and manage 3 flexiEdge devices for free for an account. To add more flexiEdge devices, the user is required to add a valid method of payment to the system. flexiManage does not store any credit card information and all the billing transactions occurs via a secure, 3rd party billing system. Every account is charged monthly by the maximum concurrent flexiEdge devices registered to the system. The pricing is per registered device regardless of the bandwidth transmitted through that device. The price per device varies based on the number of registered devices and could be seen in the flexiWAN pricing page. The billing is done in the account level and any billing information is accessible only to the account owners.
Refer to Billing System page for additional information.
Software Auto Upgrade¶
flexiWAN release flexiEdge software updates regularly. These updates include new features and bug fixes. The account owners receives an email with the release update. A notification is shown in flexiManage for devices that require upgrade. flexiManage support backwards compatibility of one major release, devices older than one major release will not be able to connect with flexiManage. Therefore it is recommended to regularly upgrade the devices to the latest release. Upgrade can be done immediately, on a scheduled window or, if not selected, flexiManage will upgrade the device automatically at the date specified as last day for upgrade.
Refer to Software Auto Upgrade page for additional information.
flexiManage and flexiEdge configuration synchronization¶
flexiManage is the single source of truth, any user or REST configuration is executed with no blocking. When a configuration change required on the flexiEdge device, a job is created which is sent based on its priority. flexiManage makes sure to synchronize the flexiEdge device with the desired configuration and show the device in ‘sync’ status
flexiManage operations can be done via the flexiWAN UI. flexiManage also supports REST based Northbound API to manage and provision the networks.
Refer to Software Auto Upgrade page for additional information.
flexiManage provides various troubleshooting capabilities such as show device logs, packet traces, monitor jobs sent to every device
Allow to provision DHCP client for WAN interfaces. The DHCP client detects an IP change and provisions the relevant tunnels in the network to use the new IP address. This allows to dynamically allocate IPs or move devices between locations and maintain the same network connectivity.
LTE interfaces are not DPDK based and therefore requires a unique connectivity. The LTE device is owned and handled by Linux but connected using a tap interface to VPP for executing the routing and services. The next diagram shows a sketch of the connectivity. Traffic to/from LTE goes between the tap interfaces of Linux and VPP and to the LTE device converting between L2 and L3 packets. This way all flexiWAN features are supported for LTE interfaces as for any other DPDK interface.
Similar to LTE, WiFi devices are owned and processed by Linux and connected using a tap interface to VPP. The WiFi interface is connected via bridge to the Linux tap.