- Will IPVPN speed up a single connection to the Internet?
No, IPVPN provides increased speed by providing load balancing utilizing multiple lines bandwidth.
- What methods of load balancing does IPVPN provide?
There are 4 different types of Load Balancing you can set on the FatPipe.
- Round Robin would be used if you had 3 lines of similar speed, 3 T1’s 3 DSL’s. Round Robin load balancing will split up traffic equally across all 3 lines.
- Response Time would be used if you had lines of dissimilar speed such as a DSL and a T1. This algorithm will send more traffic out the line that has more bandwidth so you actually get to use the added bandwidth of your second line instead of all traffic going out at the speed of the slowest line.
- Fastest Route will send traffic out the line that has the best connection to each site that you are going to. It picks the fastest line by sending out SYN packets across all lines to each site and then using the line that receives that ACK packet first.
- Weighted algorithm configures FatPipe IPVPN to balance traffic in proportion to the WAN weights defined by you. Each interface needs to be assigned a weight. For each new outbound session, this algorithm finds the interface whose current throughput to total throughput ratio is farthest below the ratio determined by its weight, and send the session on that interface.
- I have one DSL and one ISDN line. Can IPVPN balance load over these two lines even though they have different speeds?
Yes, IPVPN balances load over lines of similar or dissimilar speeds. In cases like this where lines are of extremely unequal speeds, we recommend using Response Time or On-Failure.
- What happens to the data when one line fails?
All FatPipe products provide automatic failover to available lines. However, a line failure can occur in the middle of a session. Depending on the client software being used, a reload may be requested or the client will automatically reconnect.
- Is it possible to set Link Speed / Duplex Mode in LAN and WAN interfaces?
Yes, this option is used to set or change the Ethernet mode such as speed and duplex for each interface. This can be set through the Graphical User Interface (GUI), under each interface by clicking on the Interface button in the main menu, and then the LAN and WAN tabs respectively.
- What is DNS?
The Domain Name System (DNS) provides translation of Internet domain names into numeric IP addresses. For example, www.yahoo.com might translate to an IP address of 216.115.108.243. DNS gives us a more meaningful and easier-to-remember way to get to locations on the Internet.
- How do name server addresses get resolved on the Internet?
There are multiple root DNS servers on the Internet that handle resolution for name server addresses. Once you register the name servers with InterNIC, the root DNS servers are updated with your name server information.
- Does IPVPN do incoming data load balancing?
Yes. IPVPN balances incoming as well as outgoing data. FatPipe’s patent pending technology called SmartDNS™ provides for the inbound line failover as well as round robin load balancing.
- What does SmartDNS accomplish?
SmartDNS accomplishes load balancing through round robin DNS. Clients on the Internet will connect to internal servers through different WAN connections at different times, in a round-robin fashion.
SmartDNS provides redundancy by allowing internal servers on the LAN to be accessible through multiple connections.
When the DNS server makes the adjustment for a connection that is down, SmartDNS™ will help clients on the Internet connect to internal servers using a route that is open instead of trying to access the host using an IP that is not accessible.
SmartDNS™ features:
An inbound-only DNS server
Simple web-based remote configuration
Ability to adjust TTL (Time to Live)
- How does SmartDNS™ work?
SmartDNS™ is a feature of IPVPN that dynamically senses when WAN lines are up or down. It provides inbound redundancy by resolving domain name requests for hosts behind the IPVPN and only gives out IP address from lines that are up. It provides inbound load balancing through round-robin DNS. To prevent outside name servers from caching the domain name requests for too long, SmartDNS™ uses a short TTL (Time to Live), which can be changed by the administrator, if needed. For more information about SmartDNS™, please refer to the manual.
- What is TTL (Time to Live)?
TTL specifies the length of time used by DNS servers to determine how long to cache information for a domain name record before expiring and discarding it. The TTL on the SmartDNS server can be adjusted through IPVPN's Remote Configuration page.
- What is needed to setup DNS on IPVPN?
Please read the SmartDNS section of your manual to learn how to setup DNS on IPVPN.
- What are the steps to setting up SmartDNS to use all three WAN connections?
1. Create three name server addresses that resolve to the three WAN IP addresses.
2. Enter the three name servers and their IPs in the SmartDNS page.
3. Enter your hosts and their IP addresses in the SmartDNS page.
- What is Reverse Mapping?
Reverse mapping is a static 1-to-1 NAT translation for inbound traffic. This will allow you to change the destination address in the packets coming in on your secondary line to match the addresses from your primary line. This “tricks” your firewall into thinking that it’s all coming from the same place. The benefit of this is that in a typical installation, no changes are required to the firewall configuration. Reverse Mapping rules are configured in the Inbound Policy page in the GUI.
- How does IPVPN conserve IP addresses?
By using Reverse Mapping, servers on the LAN side of the IPVPN are accessible from computers on the Internet through the mapping of a public IP address to a private IP address. In order for a server to be visible over multiple ISPs, it has to have IP addresses in the range of IP addresses provided by each ISP. For example, if there are three ISPs, three IP addresses per server are required. If one ISP fails, the data is routed over the other two. Without Reverse Mapping, each server that needs to be accessed from the outside will need three IP addresses. If there are ten servers, 3 x 10 = 30 IP addresses will be required. With Reverse Mapping, only three IP addresses are required.
Here is how it works: Each application (e.g., web server or mail server), is assigned a port number, which is universally known. For example, the standard port number for HTTP (web) is 80 and SMTP (mail) is port 25. Thus, port numbers are assigned to each server based on its applications. Three IP addresses are assigned to IPVPN -- one from each ISP -- so that inbound traffic comes from all three WAN lines. When a web page request comes in, IPVPN sends all requests to port 80, which hosts the web server. Similarly, emails are sent to the port that handles the email server. Thus, three IP addresses handle ALL servers.
- What is the key benefit of Reverse Mapping?
The key benefit of Reverse Mapping is the conservation of public IP space. There is no need to waste public IPs on LAN computers that only need outbound access to the Internet when they can use private IP addresses instead. Meanwhile, only those computers that need to be accessible from the Internet will need public IP addresses mapped to them. For further savings, a single public IP address can be mapped to multiple internal servers based on different port numbers.
- What is Pass-Through?
A Pass-Through statement will simply allow certain traffic based on IP address and/or port to pass through the FatPipe unchanged. This is useful because it helps with the overall goal of not making any configuration changes on the firewall during installation. Pass-Through rules are applied to control inbound traffic and can be configured in Inbound Policy page of GUI.
- Does Pass-Through require the use of Proxy ARP?
Yes. You must setup the WAN interface using the rules of Proxy ARP for Pass-Through to work.
- What is the benefit of Proxy ARP? How does it help with installing IPVPN?
Proxy ARP is a special feature of IPVPN. It allows you to integrate IPVPN into a network with very little change to your existing LAN and WAN IP configuration. It works by taking a small subnet of your existing IP subnet and using that on the WAN interface while using the full IP subnet on the LAN interface. IPVPN will automatically recognize this and route packets between the two interfaces. (The FatPipe responds to external ARP requests on behalf of internal devices using Inbound Policy rules by means of ProxyArp.)
Example
If you purchased a block of 16 IP addresses from your ISP and your network was setup with a 255.255.255.240 (/28) subnet, you would have 14 usable hosts on your network (first and last IP are unusable). Now let's assume that the router is assigned the first usable IP address, such as 12.34.56.1. To take advantage of Proxy ARP, you would assign the next IP address, 12.34.56.2 to the WAN interface with a subnet mask of 255.255.255.252 (/30). Now since 12.34.56.3 is the broadcast IP of this /30 subnet, it will be unusable on the LAN. That leaves 11 usable IPs on the LAN side: 12.34.56.4 to 12.34.56.14.
Please note that you can use a subnet larger than 255.255.255.252 (/30) on the WAN interface and still have Proxy ARP work (as long as that subnet is smaller than the full subnet assigned to you by the ISP). A/30 subnet is the smallest subnet possible and therefore uses up the least amount of IP addresses. This is why we recommend using a /30 subnet whenever possible.
- How does Proxy ARP know what ARP requests to respond to?
The IPVPN will respond to ARP requests for any IP address that is in the subnets specified on the LAN interface. It will also respond to ARP requests for IP addresses that are in the Inbound Policy statements.
- When would I need to use multi-homing on the LAN?
You will want to use multi-homing on the LAN when you want a server on the private LAN to be accessible from the Internet and choose to use Inbound policy to Pass-Through instead of NATing the IP. The server would need both a public and private IP for it to be available to both clients on the Internet as wells as clients on the private LAN.
- Can I configure the IPVPN remotely?
Yes. IPVPN has a web-based Remote Configuration page that you can access from the Internet using any java-compliant browser and by having the “enable remote management” box checked on the WAN interface. You can view your line speeds, configure settings, and even reboot the IPVPN box using the remote configuration page. You’ll need to setup a login and password. Note that the communication is encrypted.
- I cannot access the IPVPN Remote Configuration page. What can I do?
If you cannot open IPVPN's web-based Remote Configuration page, please check the following: From Remote: Make sure you have typed your user name and password correctly. If you're trying to access it from the LAN side, make sure the computer on the LAN is on the same IP subnet as the IPVPN. Double-check the IP address and subnet on the LAN interface of the IPVPN and the IP address and subnet on the client computer. Make sure the LAN line is completely inserted into the LAN port and that you have a link light. Also make sure the Firewall is set to pass port 5001 as this is the port the FatPipe GUI uses.
- What do I do when the WAN ports show up on the Remote Configuration page, but it indicates that a router is down?
Make sure the router is functional. Check to see that you have a good physical connection to the router. Double-check that the IP address, subnet mask, and gateway are entered correctly. If the router is plugged directly into the FatPipe, make sure you are using a working cross-over cable.
- Will Citrix® Thin Client server (MetaFrame™) work with IPVPN? How do I configure IPVPN for this?
Yes, Citrix Thin Client servers work with IPVPN. FatPipe products have been thoroughly tested by with Citrix’ MetaFrame. The Citrix server will need to have an IP address that is accessible to the client PCs. If the Citrix server needs to be accessible from the Internet, you need to setup an Inbound Policy on the IPVPN to allow inbound traffic to the Citrix server.
- My Citrix Server is at my ISP. How do I configure my local printer?
If the printer is on the local LAN and the Citrix server will be doing the actual printing to the printer, then the printer will need to be accessible to the Citrix server. You would need to setup an Inbound Policy on the IPVPN to allow inbound traffic to the printer.
- How does IPVPN work with DHCP enabled on the routers?
IPVPN gives you the option of setting a static IP address or obtaining an IP address automatically using DHCP for any WAN port. Simply open the IPVPN Remote Configuration page, go to the WAN's Port Page, and select "Obtain IP Address automatically from DHCP" on the WAN's Port Page of the IPVPN Configuration Page.
- Can the LAN IP address be on the same subnet as the WAN?
No, the LAN and WAN IP addresses must be on different networks (subnets) for routing of packets to take place. (Refer to the question about Proxy ARP). However, with a ProxyARP setup, you will have a subnet on the LAN interface that overlaps the subnet on a WAN interface.
- How do I configure IPVPN to work with internal routers?
The router's gateway address must be the IP address of IPVPN's LAN interface. You would also need to setup an Inbound Policy (and possibly Static Routes) for those routers to be accessible from the outside.
- Does IPVPN work with SMDS T1 service?
Yes, IPVPN works perfectly with Switched Multimegabit Data Service (SMDS). The data encryption and compression of its IP traffic occurs outside of the IPVPN unit.
- What is SNMP and will IPVPN work with it?
SNMP (Simple Network Management Protocol) is used for monitoring network devices. IPVPN can be configured to send SNMP traps to a computer on the LAN that is running SNMP management software.
- Why is SNMP not working?
Check that the community name and trap destination IP are correct on the SNMP page of IPVPN's Remote Configuration interface. Also make sure the SNMP management software is configured correctly on your PC.
- Can I use IPVPN with any VPN product?
Yes. IPVPN is IPSec compatible. You can use it with any IPSec compatible VPN.
- Do I have to let each box know the IP addresses of the other VPN boxes?
Yes. Go to the console, and click on VPN to set up the VPN configuration where you can enter the IP addresses of other VPN boxes.
- Do I need an IPVPN box at every location?
Yes, if you want MPSEC to work, it is only executable with a unit at each location.
- How does IPVPN improve data security?
IPVPN can send data over multiple ISPs and multiple backbones using FatPipe’s MPSEC technology. Each data transmission contains only part of the data packets. The packets are sent randomly. Therefore, it is nearly impossible to obtain all of the information, adding another layer of security. If there are three Internet connections at each end, then it is possible to have nine combinations of data connections resulting in nine possible ways to send data. The improvement in data security is significantly improved.
- Where would IPVPN go on my network if I have an existing firewall(s)?
The Fatpipe IPVPN would be placed behind your firewalls/VPN concentrators.
- I have an IPVPN in one location. Can I configure two-way redundant connectivity to a site not utilizing IPVPN?
You will need IPVPNs at both locations if you desire load balancing, and redundancy between the two sites.
