Static routes are used to reach subnets that are not directly connected to or configured on the EnGenius Security Gateway. To add static routes for these subnets, go to Configure > Gateway > Interface > Static Route.
Enabled: Whether the EnGenius Gateway should use the route. Disable this setting to remove a route temporarily without having to recreate it later.
Name: The name of the static route.
Destination: Use this option to enter the remote subnet that is reached via this static route (in CIDR notation).
Next-hop IP: IP address of the device (such as a router or layer 3 switch) that connects the EnGenius Gateway to the static route's subnet.
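As an added illustration (not part of the EnGenius documentation), the following Python example models how these fields are used once saved: it validates that a route's Destination is a proper CIDR network and that its Next-hop IP lies on a subnet the gateway is directly connected to, and it performs the longest-prefix match that selects among enabled routes. The interface addresses, route names and subnets are constructed sample values; the directly-connected-next-hop requirement is general routing behaviour and is assumed here rather than quoted from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample: the gateway's directly connected interfaces, written the same
# way as the LAN IP address field ("address/prefix"). Assumed values.
CONNECTED_INTERFACES = ["192.168.100.1/24", "192.168.200.1/24"]


@dataclass
class StaticRoute:
    """One row of the Static Route table: Name, Destination, Next-hop IP, Enabled."""
    name: str
    destination: str   # remote subnet in CIDR notation
    next_hop: str      # router or layer 3 switch on a directly connected subnet
    enabled: bool = True


def validate_route(route: StaticRoute,
                   interfaces: Iterable[str] = CONNECTED_INTERFACES) -> Optional[str]:
    """Return an error string if the route cannot work, or None if it looks sane.

    Assumption (general routing behaviour, not stated on the page): the next hop
    must sit on a subnet the gateway is directly connected to, otherwise the
    gateway has no interface from which to forward packets to it.
    """
    try:
        ipaddress.ip_network(route.destination, strict=True)   # rejects host bits set
        hop = ipaddress.ip_address(route.next_hop)
    except ValueError as exc:
        return f"{route.name}: {exc}"
    if not any(hop in ipaddress.ip_interface(i).network for i in interfaces):
        return f"{route.name}: next hop {hop} is not on a directly connected subnet"
    return None


def select_route(routes: Iterable[StaticRoute], dst_ip: str) -> Optional[StaticRoute]:
    """Longest-prefix match over enabled routes. None means no static route applies,
    so the packet would follow the default route out of the WAN."""
    ip = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for route in routes:
        if not route.enabled:          # 'Enabled' unticked: the row stays, but is ignored
            continue
        net = ipaddress.ip_network(route.destination, strict=False)
        if ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


# Constructed sample routing table (assumed addresses).
ROUTES = [
    StaticRoute("branch-a", "10.20.0.0/16", "192.168.100.2"),
    StaticRoute("branch-a-servers", "10.20.5.0/24", "192.168.100.3"),
    StaticRoute("branch-b", "10.30.0.0/16", "192.168.200.2", enabled=False),
]

if __name__ == "__main__":
    for r in ROUTES:
        print(r.name, validate_route(r) or "ok")
    for ip in ("10.20.5.7", "10.20.9.1", "10.30.1.1"):
        hit = select_route(ROUTES, ip)
        print(ip, "->", f"{hit.name} via {hit.next_hop}" if hit else "no static route")
```

The more specific /24 wins over the /16 for 10.20.5.7, while 10.30.1.1 gets no static route at all because the only matching row is disabled.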
This page lets you set networking parameters for your gateway, including the WAN1 and WAN2 settings, the cellular connection, and DDNS. You can access it through Configure > Gateway > Interface.
In this mode, the EnGenius Gateway acts as a layer 3 routing gateway between the WAN and LAN interfaces. Client outbound traffic to the Internet is source Network Address Translated (NATed) to the gateway's WAN1/WAN2 IP address. Because the gateway routes at layer 3, LAN-to-LAN traffic passing through it can be bridged or routed and can also be controlled by outbound firewall rules.
In this mode, the EnGenius Security Gateway acts as a layer 2 bridge and performs no routing or network address translation for clients' outbound Internet traffic. This mode is typically used when you want to place the EnGenius Security Gateway between a customer's existing external NAT device and an internal L2/L3 switch, so that it provides firewall filtering and VPN services without changing the existing IP subnet addressing plan.
The EnGenius Security Gateway supports dual WAN (WAN1/WAN2) configurations for load balancing and redundancy. Below are the WAN1 configuration settings. For the connection type, the interface can be set to DHCP (to obtain an IP address dynamically), Static IP (to configure the IP address manually), or PPPoE (to authenticate the gateway to an Internet Service Provider, ISP).
Name: The WAN interface name.
DHCP: When you select DHCP, the gateway will automatically configure its IP address, subnet mask, and default gateway for the WAN interface.
PPPoE: Point-to-Point Protocol over Ethernet (PPPoE) is a specification used to authenticate a networking device to an Internet Service Provider (ISP). Selecting PPPoE will allow you to enter the following information:
Username: Enter the username associated with your ISP. This is a required field.
Password: Enter the password associated with your ISP. This is a required field.
DNS Server: Choose the DNS servers supplied by the ISP, use Google Public DNS (8.8.8.8), or specify nameservers in the Primary DNS and Secondary DNS fields.
VLAN ID: Enter a VLAN ID from 1 to 4094.
ISP Bandwidth: Check with your ISP (Internet Service Provider) for the actual download/upload bandwidth. The ISP Bandwidth values are used for WAN link utilization and in the dual WAN outbound session load balance calculation.
The EnGenius Security Gateway supports dual WAN (WAN1/WAN2) configurations for load balancing and redundancy. To deploy a dual WAN configuration, enter the following WAN2 settings. Once WAN2 is enabled and configured here, the WAN2/P3 port acts as the WAN2 port.
Primary WAN Interface: Either WAN1 or WAN2 can be selected as the Primary WAN Interface in a dual WAN deployment.
Load Policy:
Failover: When both WAN1 and WAN2 are up, only the Primary WAN is active for inbound and outbound services. If the Primary WAN goes down, automatic WAN failover occurs and the other WAN takes over as the active interface for services. (Note: automatic WAN failover is not yet supported for inbound Client VPN and Site-to-Site VPN services. When your Primary WAN is down, you must manually reconfigure the other WAN as the new Primary WAN for it to take over Client VPN and Site-to-Site VPN services.)
Load balance: For inbound services, the behaviour and restrictions are the same as for Failover. For clients' outbound Internet access sessions, when both WAN1 and WAN2 are up, both are used for outbound connections. Sessions are distributed by Weighted Round Robin (WRR), weighted by the WAN1/WAN2 upload bandwidth.
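The following Python example is added here to make the two Load Policy behaviours concrete; it is not EnGenius code. Failover sends every new outbound session to the Primary WAN while it is up; Load balance spreads sessions by weighted round robin with the ISP Bandwidth upload figures as weights. The smooth-WRR variant, the 100/50 Mbps sample bandwidths and the class and field names are this example's assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Wan:
    name: str
    upload_mbps: int            # the Upload figure entered in the ISP Bandwidth field
    up: bool = True
    _credit: int = field(default=0, init=False, repr=False)   # WRR scheduling state


class DualWanScheduler:
    """Chooses the WAN for each new outbound session.

    Load Policy 'failover': every session uses the Primary WAN while it is up.
    Load Policy 'load_balance': sessions are spread by weighted round robin with
    weight = upload bandwidth. The smooth-WRR algorithm used here is an assumption;
    the page only states that the distribution is WRR on upload bandwidth.
    Inbound services are not modelled: they always follow the Primary WAN.
    """

    def __init__(self, wan1: Wan, wan2: Wan, primary: str, load_policy: str):
        if primary not in (wan1.name, wan2.name):
            raise ValueError("Primary WAN must be WAN1 or WAN2")
        if load_policy not in ("failover", "load_balance"):
            raise ValueError("unknown load policy")
        self.wans = [wan1, wan2]
        self.primary = wan1 if primary == wan1.name else wan2
        self.load_policy = load_policy

    def pick(self) -> Optional[Wan]:
        for w in self.wans:
            if not w.up:
                w._credit = 0          # a link that went down rejoins with a clean slate
        active = [w for w in self.wans if w.up]
        if not active:
            return None                # both uplinks down: no outbound path at all
        if self.load_policy == "failover" or len(active) == 1:
            return self.primary if self.primary.up else active[0]
        # Smooth weighted round robin: add each link's weight to its credit, pick the
        # highest credit, then charge it the total so assignments interleave instead
        # of bursting (100/50 Mbps gives WAN1, WAN2, WAN1, WAN1, WAN2, WAN1, ...).
        total = sum(w.upload_mbps for w in active)
        for w in active:
            w._credit += w.upload_mbps
        chosen = max(active, key=lambda w: w._credit)
        chosen._credit -= total
        return chosen

    def distribute(self, sessions: int) -> Counter:
        """Simulate `sessions` new outbound sessions and count assignments per WAN."""
        return Counter(w.name if w else "none" for w in (self.pick() for _ in range(sessions)))


if __name__ == "__main__":
    # Constructed sample: WAN1 uploads at 100 Mbps, WAN2 at 50 Mbps.
    sched = DualWanScheduler(Wan("WAN1", 100), Wan("WAN2", 50), "WAN1", "load_balance")
    print("load balance, both up:", dict(sched.distribute(6)))
    sched = DualWanScheduler(Wan("WAN1", 100, up=False), Wan("WAN2", 50), "WAN1", "failover")
    print("failover, WAN1 down:", dict(sched.distribute(6)))
```

With 100 and 50 Mbps upload figures the load balance policy lands two thirds of new sessions on WAN1, which is why the ISP Bandwidth field should reflect the real upload capacity rather than a nominal plan figure.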
Cellular networks are high-speed, high-capacity voice and data networks with enhanced multimedia and seamless roaming capabilities for cellular devices. As cellular devices have grown in popularity, these networks carry far more than entertainment and phone calls; they have become the primary means of communication for finance-sensitive business transactions, emergency services, and so on. WAN connectivity options such as cellular networks now also serve as a reliable backup Internet uplink should the primary uplink fail. Plug a USB modem into the EnGenius Gateway and configure the following settings.
SIM PIN: Enter the SIM card's security code (PIN) to prevent unauthorized use of the card.
Dial on Demand: Only connect when traffic is sent over the interface.
Idle timeout: If there is no traffic on the interface for the given number of minutes, the gateway disconnects the link.
The EnGenius Security Gateway supports Dynamic DNS (DDNS) service by default. With this feature, users can associate a hostname with the ESG WAN interfaces. The ESG uses DDNS to automatically update the A record of a registered DNS hostname each time its Primary WAN IP address changes. This is useful because it lets the administrator configure applications such as client VPN to reach the EnGenius Gateway by a static hostname rather than an IP address that may change over time. When the Primary WAN is down, the EnGenius Security Gateway uses the public WAN IP of the other WAN for the DDNS update.
Better to know
It's important to be aware that DDNS hostnames are associated with the specific network the ESG belongs to. If the device is moved to a different organization or network, the DDNS hostname changes accordingly.
DDNS Enable: Click the button to enable or disable the DDNS service.
DDNS Providers: Select your DDNS service provider from the pull-down menu. If your provider is not in the list, select Custom.
Username: Enter your registered username.
Password: Enter your registered password.
Hostname: Enter your registered DDNS FQDN hostname.
Enter any other information required by your DDNS service provider.
LAN allows you to partition your network into different subnets such that downstream hosts are separated into different broadcast domains based on the VLAN they operate in. VLAN-based network separation can be an effective tool for isolating and identifying different segments of your network and therefore provides an additional layer of security and control. The EnGenius Gateway can have multiple LAN IPs, each of which is the default gateway address on its particular VLAN.
You can access this page through Configure > Gateway > Interface > LAN.
There are two modes for the LAN interface:
The ESG can support a single bridge together with multiple VLANs. In this mode the same LAN port can be added to both the bridge and a VLAN simultaneously.
Alternatively, Multiple Bridge mode lets the ESG operate multiple untagged subnets (bridges) and multiple tagged subnets (VLANs) on the LAN side. Use Multiple Bridge mode if you need several untagged subnets. However, in this mode the same LAN port cannot be added to both a bridge and a VLAN simultaneously.
Select "Multiple Bridge".
Add another interface and set it to Bridge mode.
Verify that the untagged subnets are configured as intended.
To add a new Interface, click Add Interface at the top right of the LAN table. To modify an existing LAN, click the Interface name in the LAN table.
Good to know
The maximum number of LAN interfaces is 128.
The default LAN (VLAN 1) sends and receives untagged Ethernet frames only. All other VLANs must be tagged with an 802.1Q VLAN ID.
Click the LAN interface name to open the screens below.
Name: Enter the LAN interface name.
IP address: Use this option to enter the IP subnet and IP address of the gateway for the LAN Interface. For example, if the IP subnet is 192.168.100.0/24 and the gateway's IP Address is 192.168.100.1/24, please enter 192.168.100.1/24.
Use VPN: Determines whether the EnGenius Gateway advertises this LAN Interface to site-to-site VPN peers.
Port: Select the port(s) the LAN interface uses.
The EnGenius Gateway provides a fully featured DHCP service when configured in Routed mode (Configure > Gateway > Interface > WAN > Operation mode). You can enable and configure the DHCP service on each LAN interface individually at Configure > Gateway > Interface > DHCP.
The configuration options include:
Client Addressing: Choose Run a DHCP server to enable DHCP service on that particular VLAN.
DNS Servers: DNS servers that the DHCP server will instruct the clients to use
Reserved IP range: IP ranges that are reserved and therefore will not be assigned to clients.
Fixed IP List: IP addresses that are allocated to specific devices by MAC address to ensure that these devices always get the same IP address when they make a DHCP request.
Lease Time: Specify the DHCP address lease time. The default is 1 day; the choices are 30 minutes, 1 hour, 4 hours, 12 hours, 1 day, and 1 week.
Additional Options: Specify additional DHCP options to send to DHCP clients by clicking +Add.
The largest DHCP pool the EnGenius Gateway serves is equivalent in size to a /19 subnet, even on a LAN configured with a larger subnet.
If you want to forward DHCP requests for a configured subnet or VLAN to another DHCP server rather than serving DHCP on the EnGenius Gateway, you can do so by choosing the Relay DHCP to another subnet DHCP server option for Client addressing and entering the IP address of the DHCP server you wish to forward requests to.
The DHCP relay server must be reachable in one of the following three ways:
The DHCP server is in a local VLAN configured on the EnGenius Gateway
The EnGenius Gateway's DHCP server is disabled on all LAN interfaces.
The DHCP server is in a subnet for which a static LAN route is configured on the EnGenius Gateway.
This option only appears if you have VLANs enabled on the EnGenius Gateway.
There are two options: Click-through and Custom RADIUS (External).
Click-through: After a client opens a browser and enters a URL, the browser is redirected to a Captive Portal splash page. No username/password authentication is required, but the client must view and acknowledge the splash page before being allowed onto the network.
Custom RADIUS (External): After a client opens a browser and enters a URL, the browser is redirected to a Captive Portal splash page where username/password authentication is required before network access is allowed. An external RADIUS server must be set up to authenticate the client's username/password. Enter the following settings so your gateway can reach the external RADIUS servers for authentication. You can configure two RADIUS servers for redundancy.
Server 1: IP address, Port number, and shared secret
Server 2: IP address, Port number, and shared secret
NAS ID: Enter the NAS (Network Access Server) ID your gateway uses when accessing the specified RADIUS servers.
NAS IP: Enter a VLAN IP address of your gateway to use as the source IP address when accessing the specified RADIUS servers.
NAS Port: Enter the port number your gateway uses as the source TCP port when accessing the specified RADIUS servers.
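To show what the NAS ID, NAS IP and NAS Port settings become on the wire, here is an added Python example (not EnGenius code) that assembles and parses an RFC 2865 Access-Request as a captive-portal NAS would send it, including the User-Password obfuscation keyed on the shared secret. Mapping the page's three NAS fields onto the NAS-Identifier, NAS-IP-Address and NAS-Port attributes is this example's assumption, and all usernames, secrets and addresses are constructed sample values.

```python
import hashlib
import os
import socket
import struct
from typing import Dict, Optional, Tuple

# RFC 2865 packet code and attribute types used by a captive-portal NAS.
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, NAS_IDENTIFIER = 1, 2, 4, 5, 32


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password, as performed by the RADIUS server."""
    if not encoded or len(encoded) % 16:
        raise ValueError("encoded User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")   # strips padding; passwords ending in NUL are not representable


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes, nas_id: str,
                         nas_ip: str, nas_port: int, identifier: Optional[int] = None,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Assemble the Access-Request a NAS sends for a splash-page login.

    nas_id / nas_ip / nas_port are carried as NAS-Identifier, NAS-IP-Address and
    NAS-Port. Mapping the page's NAS ID / NAS IP / NAS Port fields onto these
    attributes is an assumption of this example."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    identifier = identifier if identifier is not None else os.urandom(1)[0]
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(NAS_PORT, struct.pack("!I", nas_port))
             + attribute(NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value}),
    rejecting the length inconsistencies a receiver must check before trusting any field."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-octet header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length > 4096:
        raise ValueError("Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 3 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, identifier, packet[4:20], attrs


if __name__ == "__main__":
    # Constructed sample values: portal user, shared secret, NAS ID and NAS (VLAN) IP.
    pkt = build_access_request("alice", "s3cret!", b"sharedsecret", "esg-portal", "192.168.100.1", 0)
    code, ident, auth, attrs = parse_packet(pkt)
    print(code, ident, attrs[NAS_IDENTIFIER], socket.inet_ntoa(attrs[NAS_IP_ADDRESS]))
    print(decode_user_password(attrs[USER_PASSWORD], b"sharedsecret", auth))
```

Everything protecting the password attribute in transit is MD5 keyed on the shared secret and the per-request authenticator, so the secret entered for each server should be long, random and unique to that server entry; the length checks in parse_packet are the minimum a receiver should apply before trusting any attribute.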
Select one of the two options below to redirect the client after it successfully passes the Click-through splash page or the Custom RADIUS (External) splash authentication page.
Redirect to the original URL: Select this option to cache the client's initially requested website during the authentication process and forward the client to the originally targeted web server once the user successfully authenticates.
Redirect users to a new URL: Select this option to redirect users to a pre-designated URL after the user successfully authenticates.
Session Timeout: Specify a time limit after which users will be disconnected and required to log in again.
Idle Timeout: Specify a time limit for an idle client after which users will be disconnected and required to log in again.
Walled Garden: Define network destinations that users can reach before authenticating, for example your company's website.
With a splash page, you can channel LAN users to see a custom page before they can access the Internet.
PBR (Policy-Based Routing) enables precise control over network traffic by defining routing policies based on criteria like source/destination IP addresses or layer 4 port numbers. This capability resolves challenges related to inefficient network resource management, providing organizations with greater flexibility and control over traffic routing and optimization.
By defining routing policies, you can route traffic over preferred network paths, prioritize certain types of traffic, or balance traffic across multiple links for load balancing and optimization purposes.
PBR can be used to implement Quality of Service (QoS) policies to prioritize critical traffic types, such as voice or video communications, over less time-sensitive traffic.
You can access this page through Configure > Gateway > Interface > Policy Route.
You can create policy-based routing rules that direct specific applications to different WAN interfaces without specifying IP addresses or port ranges.
Optimized Traffic Management: Direct critical applications to a primary WAN while routing less important traffic to a secondary WAN
Enhanced Network Performance: Improve network efficiency by balancing load between WAN interfaces based on application
Simplified Rule Management: No need to update routing rules for changing IP addresses or port ranges
Enterprises increasingly rely on SaaS services such as Gmail, Windows 365, and CRM tools like Salesforce.com. These services are more critical than other Internet traffic, so it is better to separate their traffic from the rest. In this scenario, users can strategize as follows:
Designate WAN1 as the primary WAN and WAN2 as the failover WAN, with most traffic routed through WAN1
Route business-critical SaaS traffic, such as Gmail, Windows 365, and Salesforce.com, through WAN2
The figure below illustrates layer 7 policy-based routing rules that direct entire categories, and specific applications within a category, to different WAN interfaces.
Go to Configure > Gateway > Interfaces > Policy Routes > Layer 7 > Add Rule.
Better to know
The PBR preferred uplink can only be WAN1 or WAN2.
Failover order options are as follows:
Option WAN1: WAN1 is the preferred uplink, followed by WAN2 and then WWAN.
Option WAN2: WAN2 is the preferred uplink, followed by WAN1 and then WWAN.
Note: PBR failover does NOT follow the "Failover preference" order set under WWAN (Configure > WWAN > Failover Preference).
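The following Python example is added to demonstrate the rule evaluation and the fixed failover order described in this section; it is not EnGenius code. It accepts both the layer 3/4 criteria (source, destination, port) and a layer 7 application label, so it generalizes slightly beyond the single SaaS scenario above. The application names, the 203.0.113.0/24 destination, and the treatment of unmatched traffic (it follows the Primary WAN with the same order) are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Fixed failover order per preferred uplink, as stated on the page. PBR does not
# consult the separate WWAN "Failover preference" setting.
FAILOVER_ORDER = {
    "WAN1": ("WAN1", "WAN2", "WWAN"),
    "WAN2": ("WAN2", "WAN1", "WWAN"),
}


@dataclass
class PolicyRoute:
    """One policy route. Layer 3/4 criteria and a layer 7 application label are both
    supported; a criterion left as None matches anything."""
    name: str
    preferred: str                  # "WAN1" or "WAN2" only
    src: Optional[str] = None       # source subnet, CIDR
    dst: Optional[str] = None       # destination subnet, CIDR
    dport: Optional[int] = None     # layer 4 destination port
    app: Optional[str] = None       # layer 7 application name (assumed labels)
    enabled: bool = True

    def __post_init__(self):
        if self.preferred not in FAILOVER_ORDER:
            raise ValueError(f"{self.name}: PBR preferred uplink must be WAN1 or WAN2")


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dport: int
    app: Optional[str] = None       # as classified by the gateway's layer 7 engine


def matches(rule: PolicyRoute, flow: Flow) -> bool:
    """True when every criterion the rule specifies is satisfied by the flow."""
    if rule.src and ipaddress.ip_address(flow.src_ip) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if rule.dst and ipaddress.ip_address(flow.dst_ip) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    if rule.app is not None and rule.app != flow.app:
        return False
    return True


def choose_uplink(rules: List[PolicyRoute], flow: Flow, uplink_up: Dict[str, bool],
                  primary_wan: str) -> Optional[str]:
    """The first enabled matching rule decides the preferred uplink; its failover order
    is walked and the first uplink that is up wins. Unmatched traffic follows the
    Primary WAN with the same order (assumption: this mirrors the Failover load policy).
    None means no uplink is available at all."""
    preferred = primary_wan
    for rule in rules:
        if rule.enabled and matches(rule, flow):
            preferred = rule.preferred
            break
    for uplink in FAILOVER_ORDER[preferred]:
        if uplink_up.get(uplink, False):
            return uplink
    return None


# Constructed sample: SaaS traffic pinned to WAN2, everything else on the Primary WAN1.
RULES = [
    PolicyRoute("saas-apps", "WAN2", app="salesforce"),
    PolicyRoute("saas-https-range", "WAN2", dst="203.0.113.0/24", dport=443),
]

if __name__ == "__main__":
    saas = Flow("192.168.100.10", "203.0.113.5", 443)
    web = Flow("192.168.100.10", "198.51.100.7", 80)
    for state in ({"WAN1": True, "WAN2": True, "WWAN": True},
                  {"WAN1": True, "WAN2": False, "WWAN": True},
                  {"WAN1": False, "WAN2": False, "WWAN": True}):
        print(state, "saas ->", choose_uplink(RULES, saas, state, "WAN1"),
              "web ->", choose_uplink(RULES, web, state, "WAN1"))
```

Running it shows the behaviour the note above describes: when WAN2 fails, SaaS sessions fall back to WAN1 and only reach the cellular WWAN once both wired uplinks are down, regardless of how the WWAN Failover Preference is set.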