This section provides a high level overview of the supported in this release of flexiWAN.
The flexiEdge software is a debian package installed on Ubuntu 18.04 LTS. The flexiEdge software can be installed on various architectures such as:
- Bare metal
- Virtual Machine
- AWS cloud server
- Support for additional installation environments will be prioritized and added based on user feedback
Since the installation comes as a package, it allows installation on a customized Ubuntu. The installation adds all the necessary components required for running the flexiEdge router including VPP, FRR, and flexiWAN Agent. All components are installed as Ubuntu systemd services.
On installation, the software performs various system checks for both Hardware and Software configuration. The system checker allows to fix Software configuration issues but does not block the service from running.
The agent provides various CLI commands for troubleshooting such as starting, stopping, resetting, and showing of information.
For more information, please refer to the flexiEdge Installation section in the documentation menu on the left.
The flexiEdge connects with flexiManage using a token created in flexiManage. Only one token is required for all flexiEdge devices of the organization. The Token is placed in a specific file in flexiEdge and can be copied to all flexiEdge devices. On registration, the flexiEdge device automatically gets a unique, per-device token, and use it for its connection and authentication with flexiManage. A pre-defined image that contain the organization token, will register automatically without further interaction required by the user (Zero Touch Provisioning).
To prevent the connection of non-permitted devices with flexiManage and the organization’s network, the device must be explicitly approved on flexiManage after registration. Once approved, the flexiEdge device connects to flexiManage and is fully operational and managable by flexiManage.
Multi-Tenant Accounts and Users¶
flexiManage is a multi-tenant, multi-user and multi-organization system. This allows for hierarchy between organizations in the account. A typical use of the multi-tenant capability will be for an MSP, SI or VAR to create in his account an organization for each of his enterprise customers while managing them from one central location and account (single login). It is important to note that each organization has its own Devices inventory and network. The network of each organization (e.g. enterprise) is isolated and one organization can’t access the network of the other organization.
Every user has access permission to various account resources. Users at an account level and organization level can invite other users with the same rights or less.
Refer to Account and Users Management page for additional information.
Every organization has an inventory that contains flexiEdge devices, tunnels and tokens. Every network operation is done at the organization level. Every organization is isolated in terms of the inventory, however users with account or group access can view and operate different organizations under the account or group to which they have access permissions to.
Every registered flexiEdge device is shown in flexiManage with its status. flexiManage collects information for every connected flexiEdge device. The information includes general configuration parameters, interfaces, monitored statistics, routes, device logs and internal configuration. Device configuration can be dynamically changed while the device is running.
flexiWAN supports IPSec over VxLAN tunnels. The tunnel structure is shown in the figure below:
The tunnels are connected through the WAN interface, where LAN subnets are learned across the tunnels using OSPF. Every tunnel is created between two flexiEdge devices using loopback interfaces (one per router) in the subnet range of 10.100.X.Y/31. Internally, subnet 10.101.X.Y is also used. As shown in the next figure, in order to send packet to a given tunnel, the traffic is routed to the tunnel next hop which is the loopback address of the other tunnel side. Packets going through the tunnel do not pass NAT and use VxLAN UDP ports 4789 for both tunnel sides.
The system supports flexible tunnel configuration such as full mesh, hub and spoke or any other combination. Tunnels are easily created by selecting devices and adding tunnels. Full mesh tunnels will be created across all selected devices.
The tunnel IPSec parameters are:
- IPSec Protocol: ESP
- IPSec Mode: Tunnel mode
- Crypto Algorithm: AES-CBC-128
- Integrity Algorithm: SHA-256-128
flexiWAN measures connectivity, latency and loss across the tunnel end-points. Every flexiEdge runs ICMP echo request every second and measure the round trip time (RTT) and loss based on these packets. If any path exists between the two end-points, the tunnel status will presented as connected.
Any flexiEdge device allows to send traffic directly to the Public Internet without going via the tunnel. Any traffic that goes to the Public Internet passes through NAT in order to hide the internal network (LAN) IP addresses.
The selection of Public Internet or Tunnel is based on routing. In a typical deployment, the internal network / LAN are accessible via the tunnel and any other traffic is routed via the default gateway which points to the Public Internet. This default behavior could be modified using static routes. Refer to the static routes page for more information on how to define static routes
NAT traversal is the ability to create tunnels when the traffic passes through NAT.
NAT traversal is supported for:
- 1:1 NAT (such as DMZ or AWS elastic IP)
- Using port forwarding on the access device (for the VxLAN port 4789)
- When NAT preserves the UDP soruce port
To further describe the last item above, flexiEdge devices use IPSec over VxLAN tunnels with UDP port 4789 on both ends. This allows to create a tunnel even when the flexiEdge device is sitting behind an access device and NAT. On the creation of the VxLAN tunnel, each flexiEdge device opens a NAT pinhole throught the access router to the other device. If the access device NAT preserves the source port and uses port 4789 on the public network side, the tunnel is created with no issue.
This release does not support STUN and TURN. These will be added to one of our following releases.
In some environments specific subnets are not learned by routing protocols. flexiManage allows to define static routes per device to route specific subnets to a desired interface and gateway.
Refer to Static Routes page for additional information.
flexiManage collects statistics per device and shows the bits per second (BPS) or packets per second (PPS) per device (in the device info page) or for the entire network (in the dashboard)
flexiManage collect events from the network and generate notifications. Notifications are measured when:
- A new software is available and the device is running an old software
- When a device disconnected from flexiManage
- When the router stopped running
- When the tunnel round trip time is high (larger than 100 milliseconds)
- When the drop rate is high (larger than 50%)
If there are unread notifications, the account owners gets an email once a day. Notifications can be marked as read and the email can be disabled from the account profile page.
Refer to System Notification page for additional information.
The dashboard on flexiManage presents the following information:
- The network connectivity and status of each tunnel
- The total network bandwidgh and packets per second
By default, flexiManage allows to register and manage 3 flexiEdge devices for free for an account. To add more flexiEdge devices, the user is required to add a valid method of payment to the system. flexiManage does not store any credit card information and all the billing transactions occurs via a secure, 3rd party billing system. Every account is charged monthly by the maximum concurrent flexiEdge devices registered to the system. The pricing is per registered device regardless of the bandwidth transmitted through that device. The price per device varies based on the number of registered devices and could be seen in the flexiWAN pricing page. The billing is done in the account level and any billing information is accessible only to the account owners.
Refer to Billing System page for additional information.
Software Auto Upgrade¶
flexiWAN release flexiEdge software updates regularly. These updates include new features and bug fixes. The account owners receives an email with the release update. A notification is shown in flexiManage for devices that require upgrade. flexiManage support backwards compatibility of one major release, devices older than one major release will not be able to connect with flexiManage. Therefore it is recommended to regularly upgrade the devices to the latest release. Upgrade can be done immediately, on a scheduled window or, if not selected, flexiManage will upgrade the device automatically at the date specified as last day for upgrade.
Refer to Software Auto Upgrade page for additional information.