This page lets you set the networking parameters of your gateway, including the WAN1 and WAN2 settings, the Cellular connection, and DDNS. You can access it through Configure > Gateway > Interface.
In this mode, the EnGenius Gateway acts as a layer 3 routing gateway between WAN and LAN interfaces. Client outbound traffic to the Internet is source Network Address Translated (NATed) with the gateway’s WAN1/WAN2 IP address. As a layer 3 routing gateway, LAN-to-LAN traffic passing through the gateway can also be bridged or routed and can be controlled by outbound firewall rules as well.
In this mode, the EnGenius Security Gateway acts as a layer 2 bridge and does not perform any routing or network address translation for client outbound traffic to the Internet. This mode is typically used when you want to place the EnGenius Security Gateway between a customer's existing external NAT device and an internal L2/L3 switch, so that it provides firewall filtering and VPN services without changing the existing IP subnet plan.
The EnGenius Security Gateway supports dual WAN (WAN1/WAN2) configurations for load balancing and redundancy. Below are the WAN1 configuration settings. For the connection type, the interface can be configured to use DHCP to obtain an IP address dynamically, a static IP to configure the address manually, or PPPoE to authenticate the gateway to an Internet Service Provider (ISP).
Name: the WAN Interface Name
DHCP: When you select DHCP, the gateway will automatically configure its IP address, subnet mask, and default gateway for the WAN interface.
PPPoE: Point-to-Point Protocol over Ethernet (PPPoE) is a specification used to authenticate a networking device to an Internet Service Provider (ISP). Selecting PPPoE will allow you to enter the following information:
Username: Enter the username associated with your ISP. This is a required field.
Password: Enter the password associated with your ISP. This is a required field.
DNS Server: choose the DNS servers supplied by the ISP, use Google Public DNS (8.8.8.8), or specify your own nameservers in the Primary DNS and Secondary DNS fields.
VLAN ID: Enter the VLAN ID, from 1 to 4094.
ISP Bandwidth: check with your ISP for the actual download/upload bandwidth. These values are used for WAN link utilization and for the dual WAN outbound session load-balancing calculation.
The EnGenius Security Gateway supports dual WAN (WAN1/WAN2) configurations for load balancing and redundancy. To deploy a dual WAN configuration, enter the following WAN2 settings. Once WAN2 is enabled and configured, the WAN2/P3 port acts as the WAN2 port.
Primary WAN Interface: either WAN1 or WAN2 can be selected as the Primary WAN Interface in a dual WAN configuration deployment.
Load Policy:
Failover: When both WAN1 and WAN2 are up, only the Primary WAN is active for inbound and outbound services. If the Primary WAN goes down, automatic WAN failover occurs and the other WAN takes over and becomes active. Note: automatic WAN failover is not yet supported for inbound Client VPN and Site-to-Site VPN services. If your Primary WAN is down, you must manually reconfigure the other WAN as the new Primary WAN for it to take over Client VPN and Site-to-Site VPN services.
Load balance: For inbound services, the behaviour and restrictions are the same as for Failover. For clients' outbound Internet sessions, when both WAN1 and WAN2 are up, both links are used. Sessions (not individual packets) are distributed by Weighted Round Robin (WRR), weighted by the configured WAN1/WAN2 upload bandwidth.
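As an added example (not EnGenius code or part of the original documentation), the following Python shows how a WRR session scheduler weighted by upload bandwidth behaves. The page only says that sessions are distributed by WRR using the WAN1/WAN2 upload bandwidth; reducing the two bandwidths to their smallest integer ratio and interleaving the links is my assumption about how such a schedule is built, and the bandwidth values are constructed.

```python
"""Outbound session distribution across dual WAN links by weighted round robin.

Added example for this page, not EnGenius code. The page states that
outbound sessions are spread by WRR using the configured WAN1/WAN2 upload
bandwidth; reducing the two bandwidths to their smallest integer ratio and
interleaving the links is my assumption about how that schedule is built.
"""
from math import gcd
from typing import Dict, List


def wrr_weights(wan_upload_kbps: Dict[str, int]) -> Dict[str, int]:
    """Reduce configured upload bandwidths to the smallest integer weight ratio.
    Links with 0 kbps (down, or WAN2 not enabled) drop out of the schedule."""
    up = {wan: bw for wan, bw in wan_upload_kbps.items() if bw > 0}
    if not up:
        raise ValueError("no WAN link with non-zero upload bandwidth")
    g = 0
    for bw in up.values():
        g = gcd(g, bw)
    return {wan: bw // g for wan, bw in up.items()}


def wrr_schedule(weights: Dict[str, int]) -> List[str]:
    """Interleaved WRR: every pass visits each link that still has weight left,
    so a 4:1 ratio becomes W1 W2 W1 W1 W1 rather than W1 W1 W1 W1 W2."""
    remaining = dict(weights)
    order: List[str] = []
    while any(remaining.values()):
        for wan in weights:
            if remaining[wan] > 0:
                order.append(wan)
                remaining[wan] -= 1
    return order


def assign_sessions(n_sessions: int, wan_upload_kbps: Dict[str, int]) -> Dict[str, int]:
    """Count how many of n new outbound sessions each WAN receives.
    Sessions, not packets, are the unit: a flow stays on one link."""
    schedule = wrr_schedule(wrr_weights(wan_upload_kbps))
    counts = {wan: 0 for wan in wan_upload_kbps}
    for i in range(n_sessions):
        counts[schedule[i % len(schedule)]] += 1
    return counts


if __name__ == "__main__":
    # Constructed ISP Bandwidth values: WAN1 20 Mbit/s up, WAN2 5 Mbit/s up.
    print(assign_sessions(100, {"WAN1": 20000, "WAN2": 5000}))   # {'WAN1': 80, 'WAN2': 20}
    # WAN2 down (or disabled): everything goes to WAN1.
    print(assign_sessions(100, {"WAN1": 20000, "WAN2": 0}))      # {'WAN1': 100, 'WAN2': 0}
```

The practical consequence is that a 4:1 upload ratio sends four of every five new sessions to WAN1 regardless of how much each session actually transfers, which is why the ISP Bandwidth fields need to reflect the real upload rates.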
Cellular networks are high-speed, high-capacity voice and data networks with seamless roaming for mobile devices, and they are now used for much more than calls and entertainment, including finance-sensitive business transactions and emergency services. A cellular uplink can also serve as a reliable backup Internet connection if the primary uplink fails. Plug a USB modem into the EnGenius Gateway and configure the following settings.
SIM PIN: Enter the Security Code on the SIM to prevent unauthorized use of the card.
Dial on Demand: Only connect when traffic is sent over the interface.
Idle timeout: If there is no traffic on the interface for the given number of minutes, the gateway disconnects the link.
The EnGenius Security Gateway supports Dynamic DNS (DDNS) by default. With this feature a hostname can be associated with the ESG WAN interfaces: the ESG updates the registered DNS hostname's A record automatically each time its Primary WAN IP address changes. This is useful because it lets the administrator configure applications such as Client VPN to reach the EnGenius Gateway by a stable hostname rather than by an IP address that may change over time. When the Primary WAN is down, the EnGenius Security Gateway uses the public WAN IP of the other WAN for the DDNS update.
Better to know
Note that DDNS hostnames are tied to the specific network to which the ESG belongs. If the device is moved to a different organization or network, its DDNS hostname changes accordingly.
DDNS Enable: click the button to enable or disable the DDNS service.
DDNS Providers: Select your DDNS service provider from the pull-down menu. If your provider is not in the list, select Custom.
Username: enter your registered username.
Password: enter your registered password.
Hostname: enter your registered DDNS FQDN hostname.
Enter any other information your DDNS service provider requires.
Static routes are used to reach subnets that are not directly connected to or configured on the EnGenius Security Gateway. You can add them through Configure > Gateway > Interface > Static Route.
Enabled: Whether the EnGenius Gateway should use the route or not. Disable this setting if you wish to temporarily remove a route from the EnGenius Gateway without manually recreating it later.
Name: The name of the static route.
Destination: Use this option to enter the remote subnet that is reached via this static route (in CIDR notation).
Next-hop IP: IP address of the device (such as a router or layer 3 switch) that connects the EnGenius Gateway to the static route's subnet.
The Client VPN service uses IPsec and supports VPN clients on Windows 10, macOS, iOS, and Android devices running versions before Android 13 (see the note under the Android instructions).
To enable client VPN, choose Enabled from Configure > Gateway > Client VPN page.
The following client VPN options can be configured:
Hostname: This is the hostname of the EnGenius Gateway that client VPN users will use to connect to. If you have enabled DDNS service in your WAN settings, then the registered DDNS FQDN hostname is displayed which can be resolved to the Primary WAN public IP address of the EnGenius Security Gateway. If the DDNS service is not enabled or the DDNS update fails then the Primary WAN public IP address is displayed.
VPN Client Subnet: The subnet that will be used for client VPN connections. This should be a private subnet that is not in use anywhere else in the network. The EnGenius Gateway will be the default gateway on this subnet and will route traffic to and from this subnet.
DNS server: The DNS servers that VPN clients will use to resolve hostnames. Choose Google Public DNS or specify custom DNS servers by IP address.
WINS server: If VPN clients should use WINS to resolve NetBIOS names, select Specify WINS Servers from the drop-down and enter the IP addresses of the desired WINS servers.
Pre-Shared Key: The shared secret used to establish the Client VPN connection. Every client is given the same key, so treat it as a credential and use a long random value.
Authentication type: Use this option to authenticate Client VPN users with the local ESG VPN User database or select Custom RADIUS to use external RADIUS servers for authentication.
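The static route fields above (Destination in CIDR, Next-hop IP) and the VPN Client Subnet requirement that it be a private subnet not used anywhere else both come down to checks an administrator can run before saving. The following Python is an added example, not EnGenius code or part of the original documentation. The LAN subnets may be entered in the page's 192.168.100.1/24 style; requiring the next hop to sit on a directly connected LAN subnet is my assumption (it is how a static route is normally resolved), and all addresses are constructed.

```python
"""Addressing sanity checks for a Static Route and the Client VPN subnet.

Added example for this page, not EnGenius code. The page says a static
route's Next-hop IP is the device connecting the gateway to the remote
subnet, and that the VPN Client Subnet must be a private subnet not in use
anywhere else in the network. Requiring the next hop to sit on a directly
connected LAN subnet is my assumption (it is how a static route is normally
resolved). LAN subnets may be given in the page's 192.168.100.1/24 style.
"""
import ipaddress
from typing import Iterable, List


def _nets(cidrs: Iterable[str]):
    # strict=False accepts a gateway address with prefix (192.168.100.1/24).
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def check_static_route(destination: str, next_hop: str, lan_subnets: Iterable[str]) -> List[str]:
    """Return a list of problems with the route; an empty list means it looks sane."""
    problems: List[str] = []
    dest = ipaddress.ip_network(destination, strict=False)
    if str(dest) != destination.strip():
        problems.append(f"destination {destination} has host bits set; the network is {dest}")
    nh = ipaddress.ip_address(next_hop)
    lans = _nets(lan_subnets)
    if not any(nh in lan for lan in lans):
        problems.append(f"next-hop {nh} is not on any directly connected LAN subnet")
    if nh in dest:
        problems.append(f"next-hop {nh} lies inside the destination {dest} it should reach")
    for lan in lans:
        if dest.overlaps(lan):
            problems.append(f"destination {dest} overlaps directly connected subnet {lan}")
    return problems


def check_vpn_client_subnet(vpn_subnet: str, lan_subnets: Iterable[str],
                            route_destinations: Iterable[str] = ()) -> List[str]:
    """The Client VPN subnet must be private and disjoint from every LAN subnet
    and every static-route destination, otherwise VPN clients and those hosts
    collide in the gateway's routing table."""
    problems: List[str] = []
    net = ipaddress.ip_network(vpn_subnet, strict=False)
    if not net.is_private:
        problems.append(f"{net} is not a private-use subnet")
    for other in _nets(lan_subnets) + _nets(route_destinations):
        if net.overlaps(other):
            problems.append(f"{net} overlaps {other}, which is already in use")
    return problems


if __name__ == "__main__":
    # Constructed LAN plan, entered as the page does (gateway address + prefix).
    lans = ["192.168.100.1/24", "192.168.10.1/24"]
    print(check_static_route("10.20.0.0/16", "192.168.100.254", lans))      # []
    print(check_static_route("10.20.0.0/16", "10.20.0.1", lans))            # 2 problems
    print(check_vpn_client_subnet("10.99.0.0/24", lans, ["10.20.0.0/16"]))  # []
    print(check_vpn_client_subnet("192.168.100.0/24", lans))                # 1 problem
```

The second static-route call shows the classic mistake: a next hop taken from inside the remote subnet itself, which the gateway could only reach through the very route being defined.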
For detailed instructions on configuring the Client VPN connection on each client platform, see the platform-specific instructions below.
Site-to-site VPNs connect multiple locations with static public IP addresses and allow traffic to be routed among their networks. This is most commonly used to connect an organization's branch offices back to its main office, so that branch users can access network resources in the main office.
Site-to-site VPN settings are accessible through the Configure > Gateway > Site-to-site VPN page.
There are two options for the EnGenius Gateway's role in the Auto VPN topology:
Hub (Mesh): This EnGenius Security Gateway acts as a VPN Hub(Mesh) node and will establish VPN tunnels to all remote EnGenius VPN peers in the same organization that are also configured in this mode. It will also establish VPN tunnels to Spoke nodes that specify this gateway as their common Hub node.
Spoke: This EnGenius Security Gateway acts as a VPN Spoke node and will establish only one tunnel to the specified remote EnGenius Security Gateway which acts as this gateway’s Hub node. All Spoke nodes with a common Hub node can reach each other through Hub-and-Spoke tunnels unless blocked by Site-to-Site VPN firewall rules.
If you have multiple LAN subnets, you can specify which LAN interfaces participate in the VPN.
If the EnGenius Gateway is behind a firewall or other NAT device, there are two options for establishing the VPN tunnel:
Automatic: In the vast majority of cases, the EnGenius Gateway can automatically establish site-to-site VPN connectivity to remote EnGenius VPN peers even through a firewall or NAT device using a technique known as "UDP hole punching". This is the recommended (and default) option.
Manual: Port forwarding: If the Automatic option does not work, use this option. When it is enabled, EnGenius VPN peers contact this EnGenius Security Gateway at the specified public IP address on UDP port 500. You must still configure port forwarding rules on the upstream NAT/firewall device to forward all inbound traffic for that public IP on UDP 500 (IKE) and UDP 4500 (NAT traversal) to the Primary WAN IP address of the EnGenius Security Gateway.
Auto VPN (Mesh VPN or Hub-and-Spoke VPN) works only between EnGenius Security Gateways in the same organization. In the following cases you must use the Add Non-EnGenius Gateway option instead:
To establish a Site-to-Site VPN connection between an EnGenius Security Gateway and a 3rd party VPN device.
To establish a Site-to-Site VPN connection between two EnGenius Security Gateways in two different organizations.
Click "Add" and enter the following information:
Gateway Name: A name for the remote gateway
Public WAN IP: The Primary WAN public IP address of the remote gateway.
Private Subnet: Enter the local network address or subnet behind the remote gateway.
IKE Version: What IKE version to use (IKEv1 or IKEv2).
Local ID: Enter the identity this gateway presents to the remote peer during IKE authentication. Only IKEv2 requires this ID.
Remote ID: Enter the ID of the remote peer. The remote gateway's Primary WAN public IP is recommended. If the remote peer is behind an external NAT device, do not enter its private Primary WAN address; use the identity it actually presents.
IPsec Policy: Select a pre-defined policy or have a custom one.
Diffie-Hellman group: Select the Diffie-Hellman group used for the IKE key exchange. Prefer group 14 or higher; groups 1 and 2 (768-bit and 1024-bit MODP) are considered too weak for new deployments (RFC 8247).
Encryption: Select which key size and encryption to use.
Authentication: Select MD5 or SHA1 as the integrity algorithm. Only phase 2 allows multiple selections. Avoid MD5: HMAC-MD5 is no longer permitted for IPsec (RFC 8221), so select SHA1 unless the peer cannot support it.
PFS key Group: Select Off to disable Perfect Forward Secrecy (PFS), or select group 1, 2, 5, or 14 to enable PFS using that Diffie-Hellman group. Keep PFS enabled and prefer group 14; without PFS, compromise of the IKE SA keys exposes all traffic protected by its child SAs.
Lifetime: The maximum number of seconds the IKE security association may last before it is rekeyed.
Pre-shared Key: Enter the pre-shared secret key to use.
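Because the menus above still offer choices such as MD5, DH group 1 and PFS Off, it is worth checking a Non-EnGenius Gateway policy against current guidance before exchanging it with a third party. The following Python is an added example, not EnGenius code or part of the original documentation. The field names follow the page; the dataclass layout and the finding texts are mine. The thresholds come from RFC 8247 (IKEv2 algorithm guidance: DH group 1 MUST NOT, group 2 SHOULD NOT), RFC 8221 (ESP/AH algorithm guidance: HMAC-MD5 and single DES MUST NOT, 3DES SHOULD NOT) and RFC 9395 (deprecation of IKEv1); the 24-hour lifetime ceiling and 20-character PSK floor are my own rules of thumb, and the sample policies are constructed.

```python
"""Audit of a Non-EnGenius Gateway IPsec policy against current IETF guidance.

Added example for this page, not EnGenius code. Field names follow the page
(IKE Version, Diffie-Hellman group, Encryption, Authentication, PFS key
Group, Lifetime, Pre-shared Key); the dataclass and finding texts are mine.
RFC 8247: DH group 1 MUST NOT, group 2 SHOULD NOT. RFC 8221: HMAC-MD5 and
single DES MUST NOT, 3DES SHOULD NOT. RFC 9395 deprecates IKEv1. The 24h
lifetime ceiling and 20-character PSK floor are my own rules of thumb.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class IpsecPolicy:
    ike_version: int            # 1 or 2
    dh_group: int               # phase 1 Diffie-Hellman group (1, 2, 5, 14 on the page)
    encryption: str             # e.g. "aes256", "aes128", "3des"
    authentication: List[str]   # "md5" and/or "sha1"; phase 2 may select both
    pfs_group: int              # 0 = PFS off, otherwise the phase 2 DH group
    lifetime_s: int             # IKE SA lifetime in seconds
    psk: str


def audit_policy(p: IpsecPolicy) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    if p.ike_version == 1:
        findings.append("IKEv1 is deprecated (RFC 9395); use IKEv2 if the peer supports it")
    if p.dh_group == 1:
        findings.append("DH group 1 (768-bit MODP) is MUST NOT (RFC 8247); use group 14")
    elif p.dh_group == 2:
        findings.append("DH group 2 (1024-bit MODP) is SHOULD NOT (RFC 8247); use group 14")
    if p.encryption.lower() == "des":
        findings.append("single DES is MUST NOT (RFC 8221)")
    elif p.encryption.lower() == "3des":
        findings.append("3DES is SHOULD NOT (RFC 8221); use AES")
    if any(a.lower() == "md5" for a in p.authentication):
        findings.append("HMAC-MD5 integrity is MUST NOT (RFC 8221); select SHA1 only")
    if p.pfs_group == 0:
        findings.append("PFS is off: a compromised IKE SA key exposes all child SA traffic")
    elif p.pfs_group in (1, 2):
        findings.append(f"PFS group {p.pfs_group} is too weak; use group 14")
    if p.lifetime_s > 86400:
        findings.append("IKE SA lifetime above 24h (own rule of thumb); rekey at least daily")
    if len(p.psk) < 20:
        findings.append("pre-shared key under 20 characters (own rule of thumb); weak PSKs can "
                        "be guessed offline or by an attacker impersonating the peer")
    return findings


if __name__ == "__main__":
    # Constructed policies: one as weak as the page's menus allow, one reasonable.
    weak = IpsecPolicy(1, 2, "3des", ["md5", "sha1"], 0, 86400, "engenius")
    strong = IpsecPolicy(2, 14, "aes256", ["sha1"], 14, 28800, "k3Yv7nQ2pL9wX4tR8sB1mZ6c")
    for f in audit_policy(weak):
        print("-", f)            # 6 findings
    print(audit_policy(strong))  # []
```

Run it against the policy you intend to send to the third-party administrator; anything it prints is a setting both ends will have to live with for the lifetime of the tunnel.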
You can add firewall rules to control what traffic is allowed to pass through the VPN tunnel. These rules apply to outbound VPN traffic to and from all EnGenius Gateways in the organization that participate in site-to-site VPN. They are configured in the same manner as the Layer 3 firewall rules described on the Firewall Settings page of this documentation. Note that VPN firewall rules do not apply to inbound traffic or to traffic that is not passing through the VPN.
LAN allows you to partition your network into different subnets such that downstream hosts are separated into different broadcast domains based on the VLAN they operate in. VLAN-based network separation can be an effective tool for isolating and identifying different segments of your network and therefore provides an additional layer of security and control. The EnGenius Gateway can have multiple LAN IPs, each of which is the default gateway address on its particular VLAN.
You can access this page through Configure > Gateway > Interface > LAN.
There are two modes for the LAN interface:
In single bridge mode, the ESG supports one Bridge and multiple VLANs, and the same LAN port can be a member of both the bridge and a VLAN at the same time.
In Multiple Bridge mode, the ESG can operate multiple untagged subnets (Bridges) as well as multiple tagged subnets (VLANs) on the LAN side. Use this mode if you need more than one untagged subnet. In this mode, however, the same LAN port cannot be a member of both a bridge and a VLAN at the same time.
1. Select Multiple Bridge.
2. Add another interface and set it to Bridge mode.
3. Verify that the untagged subnets are as intended.
To add a new Interface, click Add Interface at the top right of the LAN table. To modify an existing LAN, click the Interface name in the LAN table.
Good to know
The maximum number of LAN interfaces is 128.
The default LAN (VLAN 1) sends and receives untagged Ethernet frames only. Frames on all other VLANs must carry an 802.1Q VLAN tag.
You can click the LAN interface name to access the below screens.
Name: Enter the LAN interface name
IP address: Use this option to enter the IP subnet and IP address of the gateway for the LAN Interface. For example, if the IP subnet is 192.168.100.0/24 and the gateway's IP Address is 192.168.100.1/24, please enter 192.168.100.1/24.
Use VPN: Determines whether the EnGenius Gateway advertises this LAN Interface to site-to-site VPN peers.
Port: select the ports on which this LAN interface is available.
The EnGenius Gateway provides a fully featured DHCP service when it is configured in Routed mode (Configure > Gateway > Interface > WAN > Operation mode). You can enable and configure the DHCP service on each LAN interface individually on the Configure > Gateway > Interface > DHCP page.
The configuration options include:
Client Addressing: Choose Run a DHCP server to enable DHCP services on that particular VLAN
DNS Servers: DNS servers that the DHCP server will instruct the clients to use
Reserved IP range: IP ranges that are reserved and therefore will not be assigned to clients.
Fixed IP List: IP addresses that are allocated to specific devices by MAC address to ensure that these devices always get the same IP address when they make a DHCP request.
Lease Time: The DHCP address lease time; the default is 1 day. The choices are 30 minutes, 1 hour, 4 hours, 12 hours, 1 day, and 1 week.
Additional Options: Specify additional DHCP options sent to the DHCP client by clicking +Add
The largest DHCP pool the EnGenius Gateway will serve is the size of a /19 subnet (8192 addresses), even on a LAN configured with a larger subnet.
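The following Python works out what a LAN's DHCP server can actually hand out once the settings above are applied. It is an added example, not EnGenius code or part of the original documentation. It applies the rules the page states (the gateway's own address is excluded, Reserved IP ranges are never assigned, Fixed IP entries are pinned to one MAC, the pool is capped at /19 size); which end of an oversized subnet the gateway trims is not stated, so keeping the lowest addresses is my assumption, and the sample LAN is constructed.

```python
"""What a LAN's DHCP server can actually hand out, after the page's rules.

Added example for this page, not EnGenius code. It excludes the gateway's
own address, the Reserved IP ranges, and the Fixed IP entries (which are
pinned to a MAC), and caps the pool at the size of a /19 (8192 addresses)
as the page states. Whether the gateway trims the high or low end of an
oversized subnet is not stated; keeping the lowest addresses is my
assumption. The gateway address is entered as on the page (192.168.100.1/24).
"""
import ipaddress
from typing import Dict, List, Tuple

POOL_CAP = ipaddress.ip_network("0.0.0.0/19").num_addresses   # 8192


def dhcp_pool(gateway_cidr: str,
              reserved: List[Tuple[str, str]],
              fixed: Dict[str, str]) -> List[str]:
    """Return the assignable addresses in ascending order.

    gateway_cidr: the LAN interface address with prefix, e.g. "192.168.100.1/24"
    reserved:     inclusive (first, last) ranges never handed out
    fixed:        MAC -> IP reservations; those IPs are not in the dynamic pool
    """
    iface = ipaddress.ip_interface(gateway_cidr)
    net = iface.network
    blocked = {iface.ip}
    for first, last in reserved:
        a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if a not in net or b not in net or a > b:
            raise ValueError(f"reserved range {first}-{last} is not inside {net}")
        blocked.update(ipaddress.ip_address(i) for i in range(int(a), int(b) + 1))
    seen_fixed = set()
    for mac, ip in fixed.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"fixed IP {ip} for {mac} is not inside {net}")
        if addr in seen_fixed:
            raise ValueError(f"fixed IP {ip} is assigned to more than one MAC")
        seen_fixed.add(addr)
        blocked.add(addr)
    pool = [str(h) for h in net.hosts() if h not in blocked]
    return pool[:POOL_CAP]


if __name__ == "__main__":
    # Constructed LAN: gateway .1, .2-.49 reserved for infrastructure, one printer pinned.
    pool = dhcp_pool("192.168.100.1/24",
                     [("192.168.100.2", "192.168.100.49")],
                     {"aa:bb:cc:dd:ee:01": "192.168.100.50"})
    print(len(pool), pool[0], pool[-1])            # 204 192.168.100.51 192.168.100.254
    # A /16 LAN still yields only a /19-sized pool.
    print(len(dhcp_pool("10.0.0.1/16", [], {})))   # 8192
```

The /16 case is the one to keep in mind: clients beyond the first 8192 dynamic addresses will not get a lease however large the subnet is, so split large LANs into VLANs rather than relying on the prefix length.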
If you want to forward DHCP requests for a configured subnet or VLAN to another DHCP server rather than serving DHCP on the EnGenius Gateway, you can do so by choosing the Relay DHCP to another subnet DHCP server option for Client addressing and entering the IP address of the DHCP server you wish to forward requests to.
The target DHCP server must be reachable in one of the following ways, and the EnGenius Gateway's own DHCP server must be disabled on all LAN interfaces:
The DHCP server is in a local VLAN configured on the EnGenius Gateway.
The DHCP server is in a subnet for which a static LAN route is configured on the EnGenius Gateway.
This option only appears if VLANs are enabled on the EnGenius Gateway.
There are two authentication options: Click-through and Custom RADIUS (External).
Click-through: When a client opens a browser and requests a URL, the browser is redirected to a Captive Portal splash page. No username/password is required, but the client must view and acknowledge the splash page before being allowed to access the network.
Custom RADIUS (External): When a client opens a browser and requests a URL, the browser is redirected to a Captive Portal splash page where username/password authentication is required before access is allowed. An external RADIUS server must be set up to authenticate the client's credentials. Enter the following settings so that your gateway can reach the external RADIUS servers; you can configure two RADIUS servers for redundancy.
Server 1: IP address, Port number, and shared secret
Server 2: IP address, Port number, and shared secret
NAS ID: The NAS (Network Access Server) identifier your gateway presents to the specified RADIUS servers.
NAS IP: A VLAN IP address of your gateway that is used as the source IP address when contacting the specified RADIUS servers.
NAS Port: The port number your gateway uses as the source port when contacting the specified RADIUS servers. RADIUS runs over UDP, so this is a UDP port.
Select one of the two options below to redirect the client after it has passed the Click-through splash page or the Custom RADIUS (External) authentication page.
Redirect to the original URL: Select this option to remember the URL the client originally requested and forward the client to it after successful authentication.
Redirect users to a new URL: Select this option to redirect users to a pre-designated URL after the user successfully authenticates.
Session Timeout: Specify a time limit after which users will be disconnected and required to log in again.
Idle Timeout: Specify a time limit for an idle client after which users will be disconnected and required to log in again.
Walled Garden: Define the network destinations that users can reach before authenticating, for example your company's website.
With a splash page, you can channel LAN users to see a custom page before they can access the Internet.
To configure an iOS device to connect to the Client VPN, follow these steps:
1. Navigate to Settings > General > VPN & Device Management > Add VPN Configuration.
2. Type: Set to IPsec.
3. Description: Any name for this connection, for example "Work VPN".
4. Server: Enter the hostname shown on Configure > Gateway > Client VPN.
5. Account: Enter the username the admin created on Configure > Users > ESG VPN Users.
6. Password: Enter the password the admin created on Configure > Users > ESG VPN Users.
7. Secret: Enter the Pre-shared key shown on Configure > Gateway > Client VPN.
8. Tap Done and enable the VPN connection on the iOS device.
To configure an Android device (menu names vary by vendor):
1. Go to Settings > Connection & Sharing.
2. Tap VPN.
3. Tap Add VPN.
4. Set the profile name (for example Office), the security type, the server address, the IPsec pre-shared key, the username and the password, then tap Save.
5. Tap the Office VPN profile to connect. Once connected, a key icon appears in the status bar and the profile shows Connected.
6. To disconnect, tap the toggle next to the profile.
Must know
The EnGenius Gateway Client VPN supports IKEv1 only. Devices running Android 13 or later cannot use the Client VPN, because the built-in VPN client in Android 13 supports only IKEv2.
To configure a macOS device:
1. Create a new network service and select VPN with the VPN type Cisco IPSec.
2. Enter the server address and the account name and password.
3. Enter the pre-shared key.
4. Connect to the VPN server.
The following describes the labels on this screen:
Name: Shows the descriptive name of the user account.
Created by: Who created this user.
Created time: When the user was created.
Description: An optional note about this user.
Note: On the ESG510, the Local Identity Type should be changed to IP address.
This page is where you manage EnGenius Gateway VPN users. You can access it from Configure > EnGenius Auth. > ESG VPN Users.
This section describes the various firewall configuration options and capabilities of the EnGenius Security Gateway. You can access this page from Configure > Gateway > Firewall
Here you can configure permit or deny Access Control List (ACL) statements to determine what traffic is allowed between VLANs or out from the LAN to the Internet. These ACL statements can match on protocol, source IP address and port, and destination IP address and port. They do not apply to VPN traffic; to configure firewall rules that affect traffic between VPN peers, see Site-to-site VPN Settings.
Click Add a rule to add a new outbound firewall rule.
The Protocol field lets you match TCP traffic, UDP traffic, ICMP traffic, or Any.
The Policy field determines whether the ACL statement permits or blocks traffic that matches the criteria specified in the statement.
The Src.IP and Dest.IP fields support IPs or CIDR subnets. Multiple IPs or subnets can be entered comma-separated.
The Src. Port and Dest.Port fields support port numbers. Multiple ports can be entered comma-separated. You can enter additional information in the Description field
Apply to all ESG in the org: Use this when you want the same firewall rules on every gateway in the organization; the outbound rules are then replicated to all EnGenius Gateways in the same organization.
This allows you to generate a documented record of your outbound firewall rules in a CSV format. This documentation serves various purposes, including backup, future reference, and troubleshooting.
You can click on the Export button located at the top right corner to export current Outbound rules in a CSV format.
Use this option to forward traffic destined for the WAN IP of the EnGenius Gateway on a specific port to any IP address within a local subnet or VLAN. Click Add rule to create a new port forward. You need to provide the following:
Protocol: TCP or UDP.
Public IP: Listen on the Public IP of WAN 1, WAN 2, or WAN1 & WAN2.
Public port: Destination port of the traffic that is arriving on the WAN.
LAN IP: Local IP address to which traffic will be forwarded.
Local port: Destination port of the forwarded traffic that will be sent from the EnGenius Gateway to the specified host on the LAN. If you simply wish to forward the traffic without translating the port, this should be the same as the Public port.
Allowed remote IPs: Remote IP addresses or ranges that are permitted to reach the internal resource through this port forwarding rule. Limit this to the source addresses that actually need access rather than leaving it open to any.
Description: A description of the rule.
This allows you to generate a documented record of your port forwarding rules in a CSV format. This documentation serves various purposes, including backup, future reference, and troubleshooting.
You can click on the Export button located at the top right corner to export current Port forwarding rules in a CSV format.
Use this option to map an IP address on the WAN side of the EnGenius gateway (other than the WAN IP of the EnGenius Gateway itself) to a local IP address on your network. Click Add a 1:1 NAT mapping to create a new mapping. You need to provide the following:
Uplink: The physical WAN interface on which the traffic will arrive.
Public IP: The inbound destination public IP address that will be matched to access the internal resource from the WAN.
LAN IP: The IP address of the server or device that hosts the internal resource that you wish to make available on the WAN.
Rules: Add rules specifying the matching conditions; only incoming connections that match one of these rules are accepted by the 1:1 NAT and allowed to reach the internal LAN resource.
Allowed Remote IPs: Enter the source IP addresses or ranges to match. You can specify multiple addresses or ranges separated by commas.
Protocol: Choose from TCP, UDP, ICMP, or any.
Public Ports: Enter the destination port that will be matched. You can specify multiple ports separated by commas.
Creating a 1:1 NAT mapping does not by itself allow inbound traffic to the public IP in the mapping. By default, all inbound connections are denied; you must configure matching Rules as described above to allow the inbound 1:1 NAT traffic.
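The following Python models how the rule fields on this page are matched against a flow, both for the Layer 3 outbound firewall rules (Protocol, Policy, Src.IP, Dest.IP, Src. Port, Dest.Port, with comma-separated IPs/CIDRs and ports) and for the Rules attached to a 1:1 NAT mapping (Allowed Remote IPs, Protocol, Public Ports). It is an added example, not EnGenius code or part of the original documentation. Two behaviours are my assumptions: rules are evaluated top-down first-match, and an outbound flow that matches no rule is permitted. The inbound default is taken from the page: a 1:1 NAT mapping with no matching rule is denied. All rules and addresses are constructed.

```python
"""Rule matching for the page's Layer 3 outbound firewall rules and for the
Rules attached to a 1:1 NAT mapping.

Added example for this page, not EnGenius code. Assumptions: top-down
first-match evaluation, and outbound traffic matching no rule is permitted.
From the page: a 1:1 NAT mapping with no matching rule is denied.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    policy: str          # "permit" or "deny" (1:1 NAT rules are always permit)
    protocol: str        # "tcp", "udp", "icmp" or "any"
    src: str             # "any" or "10.0.0.5, 192.168.10.0/24"
    dst: str
    sport: str           # "any" or "80, 443"
    dport: str
    description: str = ""


@dataclass
class Flow:
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0


@dataclass
class NatMapping:
    uplink: str          # "WAN1" / "WAN2"
    public_ip: str
    lan_ip: str
    rules: List[Rule] = field(default_factory=list)


def _addrs(text: str):
    """None means Any; otherwise a list of networks (a bare IP is a /32)."""
    items = [x.strip() for x in text.split(",") if x.strip()]
    if not items or any(i.lower() == "any" for i in items):
        return None
    return [ipaddress.ip_network(i, strict=False) for i in items]


def _ports(text: str) -> Optional[set]:
    items = [x.strip() for x in text.split(",") if x.strip()]
    if not items or any(i.lower() == "any" for i in items):
        return None
    return {int(i) for i in items}


def matches(rule: Rule, flow: Flow) -> bool:
    fp = flow.protocol.lower()
    if rule.protocol.lower() not in ("any", fp):
        return False
    for ip, spec in ((flow.src_ip, _addrs(rule.src)), (flow.dst_ip, _addrs(rule.dst))):
        if spec is not None and not any(ipaddress.ip_address(ip) in n for n in spec):
            return False
    if fp == "icmp":
        return True                      # ports have no meaning for ICMP
    for port, spec in ((flow.src_port, _ports(rule.sport)), (flow.dst_port, _ports(rule.dport))):
        if spec is not None and port not in spec:
            return False
    return True


def evaluate_outbound(rules: List[Rule], flow: Flow, default: str = "permit") -> str:
    """First matching rule decides; `default` applies when nothing matches (assumed permit)."""
    for r in rules:
        if matches(r, flow):
            return r.policy.lower()
    return default


def evaluate_one_to_one_nat(mappings: List[NatMapping], flow: Flow) -> Optional[str]:
    """Return the LAN IP the inbound flow is translated to, or None (denied).
    A mapping without a matching rule denies, as the page states."""
    for m in mappings:
        if flow.dst_ip == m.public_ip and any(matches(r, flow) for r in m.rules):
            return m.lan_ip
    return None


if __name__ == "__main__":
    rules = [Rule("deny", "tcp", "192.168.10.0/24", "any", "any", "23, 3389", "no Telnet/RDP from guest VLAN"),
             Rule("permit", "any", "any", "any", "any", "any", "allow everything else")]
    print(evaluate_outbound(rules, Flow("tcp", "192.168.10.5", "203.0.113.7", 51000, 3389)))  # deny
    nat = [NatMapping("WAN1", "198.51.100.10", "192.168.100.20",
                      [Rule("permit", "tcp", "203.0.113.0/24", "any", "any", "443")])]
    print(evaluate_one_to_one_nat(nat, Flow("tcp", "203.0.113.9", "198.51.100.10", 40000, 443)))  # 192.168.100.20
    print(evaluate_one_to_one_nat(nat, Flow("tcp", "203.0.113.9", "198.51.100.10", 40000, 22)))   # None
```

The last case is the one the note above warns about: the mapping exists, the packet arrives on the right public IP, and it is still dropped because no rule admits port 22. A mapping with an empty rule list passes nothing at all.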
This lets you configure which services on the EnGenius Gateway itself may be reached from the WAN.
ICMP Ping: Use this setting to allow the EnGenius Gateway to reply to inbound ICMP ping requests coming from the specified address(es). Supported values for the remote IP address field include None, Any, or a specific IP range (using CIDR notation). You can also enter multiple IP ranges separated by commas.
Web (local status & configuration): Use this setting to allow or disable access to the local management page via the WAN IP of the EnGenius Gateway. Supported values for the remote IPs field are the same as for ICMP Ping. If WAN-side management access is needed at all, restrict it to specific trusted addresses rather than Any.