Peplink AP One Firmware 3.6.3 User Manual#
Peplink AP One Series:
AP One AC Mini (HW1) / AP One Enterprise (HW 1-2) / AP One Flex (HW2-3) /
AP One Rugged (HW1) / AP Pro AC (HW1)
Peplink AP Firmware 3.6.3
January 2023
Ch4. Hardware Overview#
AP One Enterprise#
| LED Indicators | |
| Status | RED – Access point initializing
GREEN – Access point ready |
| LAN | OFF – No device connected to Ethernet port
BLINKING – Ethernet port sending/receiving data ON – Powered-on device connected to Ethernet port Note that LAN 5 displays the status of the uplink connection |
AP One AC Mini#
| LED Indicators | |
| Status | RED – Access point initializing
GREEN – Access point ready |
| Wi-Fi | OFF – 2.4/5GHz Wi-Fi radio off
BLINKING – AP sending/receiving data GREEN – 2.4/5GHz Wi-Fi radio on Note that this model includes a 2.4GHz Wi-Fi radio and a 5GHz Wi-Fi radio that can operate simultaneously to increase speed and reduce interference. |
AP One Rugged#
| LED Indicators | |
| Power | On – Power On
OFF – Power Off |
| Status | RED – Access point initializing
GREEN – Access point ready |
| Wi-Fi | OFF – 2.4/5GHz Wi-Fi radio off
BLINKING – AP sending/receiving data GREEN – 2.4/5GHz Wi-Fi radio on Note that this model includes a 2.4GHz Wi-Fi radio and a 5GHz Wi-Fi radio that can operate simultaneously to increase speed and reduce interference. |
AP One Flex#
| LED Indicators | ||
|
Status |
RED | Access point initializing |
| Blinking Red | Boot up or error | |
| GREEN | Access point ready | |
|
LAN |
Green LED | ON – Powered-on device connected to Ethernet port or 1000Mbps
OFF – 10Mbps / 100Mbps or No device connected to Ethernet port |
| Orange LED | ON – Port is connected without traffic
BLINKING – Ethernet port sending/receiving data OFF – No data is being transferred or No device connected to Ethernet port |
|
| Port Type | Auto MDI/MDI-X ports | |
|
WAN |
Green LED | ON – Powered-on device connected to Ethernet port or 1000Mbps
OFF – 10Mbps / 100Mbps or No device connected to Ethernet port |
| Orange LED | ON – Port is connected without traffic
BLINKING – Ethernet port sending/receiving data OFF – No data is being transferred or No device connected to Ethernet port |
|
| Port Type | Auto MDI/MDI-X ports | |
 |
Green LED | ON – Powered-on device connected to Ethernet port
OFF – No device connected to Ethernet port |
 |
Number of connected clients – SignalBar1: WiFi AP client count > 0
SignalBar2: WiFi AP client count > 10 SignalBar3: WiFi AP client count > 20 |
|
AP Pro AC#
Ch5. Installation#
Your access point acts as a bridge between wireless and wired Ethernet interfaces.
A typical setup follows:
Installation Procedures
- Connect the Ethernet port on the unit to the backbone network using an Ethernet cable. The port should auto sense whether the cable is straight-through or crossover.
- There are two methods to power on the device as below:
- For those Pepwave AP devices having built-in PoE ports only, using an Ethernet cable to connect to the Power over Ethernet (PoE) switch or PoE injector.
- For those Pepwave AP devices that have a DC power source, plug the AC adapter to the DC connector of the unit.
- Wait for the status LED to turn green.
- Connect a PC to the backbone network. Configure the IP address of the PC to be any IP address between 192.168.0.4 and 192.168.0.254, with a subnet mask of 255.255.255.0.
- Using your favourite browser, connect to https://192.168.0.3.
- Enter the default admin login ID and password, admin and public respectively.
- After logging in, the Dashboard appears. Click the System tab to begin setting up your access point.
Ch6. Dashboard#
The Dashboard section contains a number of displays to keep you up-to-date on your access point’s status and operation. Remote assistance can also be turned off here, if it has been enabled.
General#
This section contains WAN status and general device information.
| WAN | |
| IP Address | When your access point is connected to a WAN, this field displays the WAN IP address. For more information, click the Details link which shows connection type details |
| Status | This field displays the current WAN connection status. |
| Device Information | |
| Model | This field displays your access point’s model number. |
| Firmware | The firmware version currently running on your access point appears here. |
| Uptime | This field displays your access point’s uptime since the last reboot or shutdown. |
AP#
This section displays a variety of information about your wireless network.
| AP Status | |
| Wireless Network SSID | This field displays your access point’s SSID. |
| Radio | The radio frequency currently used by your access point appears here. If you’re using the AP One AC mini or the AP One In-Wall and have configured both radios, this displays both radios in use. |
| Security Policy | This field displays the security policy your access point is currently using. If you’re using the AP One AC mini and have configured both radios, this displays channels in use for the 2.4GHz and 5GHz bands. |
| Channel | The channel currently used by your access point is displayed in this field. |
| TX Power | This field displays the current transmission power of your access point. |
| VLAN | If your access point is using a VLAN ID for management traffic, it will appear here. A value of 0 indicates that a VLAN ID is not being used. |
| MAC Address (BSSID) | Your access point’s MAC address appears here. If you’re using the AP One AC mini and have configured both radios, this displays a MAC address for both the 2.4GHz and 5GHz radio. |
Info  |
Click this link to display the following information panel:
|
Stat  |
Click this link to display the following statistics panel:
|
| Usage Data Type | Select Per SSID or AP Send / Recv to determine the data displayed in the graphs below. |
| Hourly | Check this box to graph wireless network usage on an hourly basis. |
| Radio | Select the radio 2.4GHz or 5GHz and check the box to graph wireless network usage. |
| Wireless Network Usage/Number of Wireless Clients | These graphs detail recent wireless network usage. |
Ch7. Network#
The settings on the Network tab control WAN and LAN settings, as well as allow you to set up PepVPN profiles.
WAN#
This section provides basic and advanced WAN settings.
| Basic | |
| Keep Default IP | When enabled, this option maintains 192.168.0.3 as your access point’s IP address. |
| IP Address Mode | IP Address Mode options are Automatic and Manual. In Automatic mode, the IP address of your access point is acquired from a DHCP server on the Ethernet segment. In Manual mode, a user-specified IP address is used for your access point, as described below. |
| Static IP Address / Subnet Mask | You can use these fields to specify a unique IP address that your access point will use to communicate on the Ethernet segment. This IP address is distinct from the admin IP address (192.168.0.3) on the Ethernet segment. |
| Default Gateway | Enter the IP address of the default gateway to the internet. |
| DNS Server | Enter the DNS server address that your access point will use to resolve host names. |
| Advanced | |
| Management VLAN ID | This field specifies the VLAN ID to tag to management traffic, such as AP-to-AP controller communication traffic. The value is 0 by default, meaning that no VLAN tagging will be applied. NOTE: change this value with caution as alterations may result in loss of connection to the AP controller. |
| Spanning Tree Protocol | Checking this box enables spanning tree protocol, used to prevent loops in bridged Ethernet LANs |
| Scheduled Reboot | When this box is checked, your access point can be scheduled to reboot automatically on a recurring basis, as indicated by the values under the Schedule, Day, and Time headings. |
| Ethernet Speed/Duplex | This is the port speed of the WAN connection. It should be set to the same speed as the connected device in case of any port negotiation problems.
When a static speed is set, you may choose whether to advertise its speed to the peer device or not. Advertise Speed is selected by default. You can choose not to advertise the port speed if the port has difficulty in negotiating with the peer device. Default: Auto |
| AP Mode | Your access point can act as a bridge or as a router, depending on your selection here. When Router is selected, you can additionally select whether the access point will function in NAT or IP Forwarding mode. |
LAN#
This section offers a variety of settings that affect your access point’s operation on the LAN, such as settings for DHCP, DMZ, and port forwarding.
*Note that the following settings will be available only when your access point is operating in router mode.
| IP Settings | |
| IP Address | Enter the LAN IP address and subnet mask to assign to your access point on the LAN. |
| DHCP Server Settings | |
| DHCP Server | Check to enable the DHCP server feature of your access point. Enabling DHCP is the best option for most users. The following options will be enabled once you have checked and enabled the DHCP server. |
| IP Range | Enter the first and last IP addresses of the range of addresses that your access point will make available to DHCP clients. The default range is from 192.168.1.100 to 192.168.1.200, with 24-bit subnet mask. |
| Broadcast Address | Enter the broadcast address that DHCP clients will use when communicating with the entire LAN segment. The default value is 192.168.1.255. |
| Gateway | Enter the default gateway address that DHCP clients will use to access the internet. By default, this address will be the same as your access point’s IP address on the LAN. |
| DNS 1/2/3 | In DNS 1, enter the IP address of the primary DNS server offered to DNS clients or accept the default of 192.168.1.1, which is your access point’s address on the LAN. You can also specify up to two additional DNS servers to use when the primary server is busy or down. |
| Lease Time | Specify the length of time that an IP address of a DHCP client remains valid. When an address lease time has expired, the assigned IP address is no longer valid, and renewal of the IP address assignment is required. By default, this value is set to one day. |
| DHCP Reservation | To reserve certain addresses for specific clients, such as network printers, enter the device’s MAC Address and a static IP to be assigned to the device. Click  to add the DHCP reservation. To delete a DHCP reservation, click  . |
| DMZ | |
| DMZ | Check this box to forward traffic sent to the WAN IP address to the DMZ IP address. |
| DMZ IP | Enter an IP address clients will use to connect to the DMZ. |
To create a port forwarding rule, first click the Add Service button, located in the Port Forwarding section..
| Port Forwarding | |
| Service Name | Enter a name for the new port forwarding rule. Valid values for this setting consist of alphanumeric and underscore “_” characters only. |
| IP Protocol | The IP Protocol setting, along with the Port setting, specifies the protocol of the service as TCP, UDP, ICMP, or IP. Traffic that is received by your access point via the specified protocol at the specified port(s) is forwarded to the LAN hosts specified by the Servers setting. Please see below for details on the Port and Servers settings.
Alternatively, the Protocol Selection Tool drop-down menu can be used to automatically fill in the protocol and a single port number of common Internet services (e.g., HTTP, HTTPS, etc.). After selecting an item from the Protocol Selection Tool drop-down menu, the protocol and port number remain manually modifiable. |
| Port | The Port setting specifies the port(s) that correspond to the service, and can be configured to behave in one of the following manners:
Single Port, Port Range, Port Mapping
Single Port: Traffic that is received by your access point via the specified protocol at the specified port is forwarded via the same port to the servers specified by the Server IP Address setting. For example, with IP Protocol set to TCP, and Port set to Single Port and Service Port 80, TCP traffic received on port 80 is forwarded to the configured servers via port 80.
Port Range: Traffic that is received by your access point via the specified protocol at the specified port range is forwarded via the same respective ports to the LAN hosts specified by the Server IP Address setting. For example, with IP Protocol set to TCP, and Port set to Port Range and Service Ports 80-88, TCP traffic received on ports 80 through 88 is forwarded to the configured servers via the respective ports.
Port Mapping: Traffic that is received by your access point via the specified protocol at the specified port is forwarded via a different port to the servers specified by the Server IP Address setting. For example, with IP Protocol set to TCP, and Port set to Port Mapping, Service Port 80, and Map to Port 88, TCP traffic on Port 80 is forwarded to the configured server via Port 88. |
| Server IP Address | Enter the LAN IP address of the server that handles requests for the forwarded service. |
Interfaces#
Ethernet Port
Assign one (or more) specific VLAN(s) to one of the LAN ports.
Configure the port as Access- or Trunk-port .
For Trunk port, enter multiple VLAN IDs for VLAN filtering (e.g. 1,5-8,10) or keep the field empty for accepting all VLANs.
For Access port, only a single VLAN ID is supported.
PepVPN#
PepVPN securely connects one or more remote sites to the site running your access point.
To set up PepVPN, first give your site a local PepVPN ID. To modify an existing local ID,
click 
Once you’ve specified a local ID, click the New Profile button to configure PepVPN.
| PepVPN Profile Settings | |
| Enable | Check this box to enable PepVPN. |
| Name | Enter a name to represent this profile. The name can be any combination of alphanumeric characters (0-9, A-Z, a-z), underscores (_), dashes (-), and/or non-leading/trailing spaces ( ). |
| Encryption | By default, VPN traffic is encrypted with 256-bit AES. If Off is selected on both sides of a VPN connection, no encryption will be applied. |
| Remote ID | To allow your access point to establish a VPN connection with a specific remote peer using a unique identifying number, enter the peer’s ID or serial number here. |
| Authentication | Select By Remote ID Only or Preshared Key to specify the method your access point will use to authenticate peers. When selecting By Remote ID Only, be sure to enter a unique peer ID number in the Remote ID field. |
| Pre-shared Key | This optional field becomes available when Pre-shared Key is selected as the VPN Authentication method, as explained above. Pre-shared Key defines the pre-shared key used for this particular VPN connection. The VPN connection’s session key will be further protected by the pre-shared key. The connection will be up only if the pre-shared keys on each side match. Click Hide / Show Passphrase to toggle passphrase visibility. |
| Remote IP Address / Host Names (Optional) | Optionally, you can enter a remote peer’s WAN IP address or hostname(s) here. If the remote client uses more than one address, enter only one of them here. Multiple hostnames are allowed and can be separated by a space character or carriage return. Dynamic-DNS host names are also accepted.
With this field filled, your access point will initiate connection to each of the remote IP addresses until it succeeds in making a connection. If the field is empty, your access point will wait for connection from the remote peer. Therefore, at least one of the two VPN peers must specify this value. Otherwise, VPN connections cannot be established. |
| Layer 2 Bridging | When this check box is unchecked, traffic between local and remote networks will be IP forwarded. To bridge the Ethernet network of an Ethernet port on a local and remote network, select Layer 2 Bridging. When this check box is selected, the two networks will become a single LAN, and any broadcast (e.g., ARP requests) or multicast traffic (e.g., Bonjour) will be sent over the VPN. |
| Management VLAN ID | This field specifies the VLAN ID that will be tagged to management traffic, such as AP-to-AP controller communication traffic. A value of 0 indicates that no VLAN tagging will be applied. |
| IP Address Mode | Choose Automatic or Manual. In automatic mode, your access point acquires an IP from a DHCP server on the Ethernet segment. In manual mode, your access point uses a user-specified IP address. |
| IP Address/Subnet Mask | When using manual IP addressing (above), enter an IP address and subnet mask in these fields. |
| Data Port | This field specifies the outgoing UDP port number for transporting VPN data. If Default is selected, port 4500 will be used by default. Port 32015 will be used if port 4500 is unavailable. If Custom is selected, you can input a custom outgoing port number between 1 and 65535. |
Ch8. AP#
Use the controls on the AP tab to set the wireless SSID, AP settings and Mesh, as well as wireless distribution system (WDS) settings.
Wireless SSID#
Wireless network settings, including the name of the network (SSID) and security policy, can be defined and managed in this section.
Click New SSID to create a new network profile, or click the existing network profile to modify its settings.
| SSID Settings | |
| Enable | Check this box to enable wireless SSID. |
| Radio Selection | Available only on the AP One AC mini, this setting, shown below, allows you to enable or disable either of the two on-board radios.
|
| Band Steering | This setting, shown below, allows you to reduce 2.4 GHz band overcrowding, AP with band steering steers clients capable of 5 GHz operation to 5 GHz frequency.
Force – Clients capable of 5 GHz operation are only offered with 5 GHz frequency.
|
| SSID | This setting specifies the AP SSID that Wi-Fi clients will see when scanning. |
| Broadcast SSID | This setting specifies whether or not Wi-Fi clients can scan the SSID of this wireless network. Broadcast SSID is enabled by default. |
| Data Rate | Select Auto to allow your access point to set the data rate automatically, or select Fixed and choose a rate from the drop-down menu. Click the MCS Index link to display a reference table containing MCS and matching HT20 and HT40 values. |
| Multicast Filter | This setting enables the filtering of multicast network traffic to the wireless SSID. |
| Multicast Rate | This setting specifies the transmit rate to be used for sending multicast network traffic. |
| IGMP Snooping | To allow your access point to convert multicast traffic to unicast traffic for associated clients, select this option. |
| DHCP Setting | To set your access point as a DHCP server or relay, select Server or Relay. Otherwise, select None. |
| DHCP Option 82 | If you use a distributed DHCP server/relay environment, you can enable this option to provide additional information on the manner in which clients are physically connected to the network. |
| Default VLAN ID | This setting specifies the VLAN ID to be tagged on all outgoing packets generated from this wireless network (i.e., packets that travel from the Wi-Fi segment through your access point to the Ethernet segment via the LAN port). If 802.1x is enabled and a per-user VLAN ID is specified in authentication reply from the Radius server, then the value specified by Default VLAN ID will be overridden. The default value of this setting is 0, which means VLAN tagging is disabled (instead of tagged with zero). |
| VLAN Pooling | Check this box to enable VLAN pooling using the values specified in VLAN Pool. |
| VLAN Pool | If VLAN pooling is enabled, enter VLAN pool values separated by commas. |
| Network Priority (QoS) | Select from Gold, Silver, and Bronze to control the QoS priority of this wireless network traffic. |
| Layer 2 Isolation | Layer 2 Refers to the second layer in the ISO Open System Interconnect model.
When thWhen this option is enabled, clients on the same VLAN, SSID, or subnet are isolated to that VLAN, SSID, or subnet, which can enhance security. Traffic is passed to the upper communication layer(s). By default, the setting is disabled. |
| Maximum Number of Clients | Enter t The maximum number of clients that can simultaneously connect to your access point, or enter 0 to allow unlimited Wi-Fi clients. |
| Security Settings | |
| Security Policy | This setting configures the wireless authentication and encryption methods.
Available options are Open (No Encryption), WPA2 – Personal, WPA2 – Enterprise, WPA3 – Personal, WPA/WPA2 – Personal, WPA/WPA2 – Enterprise, and WPA2/WPA3 – Personal. To allow any Wi-Fi client to access your AP without authentication, select Open (No Encryption). Details on each of the available authentication methods follow. |
| WPA2 – Personal | |
| Passphrase | Enter a passphrase of between 8 and 63 alphanumeric characters to create a passphrase used for data encryption and authentication. Click Hide / Show Passphrase to toggle visibility. |
| Fast Transition | Fast Transition [802.11r] The transition process of a mobile client as it moves between access points is improved when this option is ticked. |
| Management Frame Protection | This feature protects stations against forged management frames spoofed from other devices. Frames that are protected include Disassociation, Deauthentication and QoS Action |
| WPA2 – Enterprise | |
| 802.1X Version | Choose v1 or v2 of the 802.1x EAPOL. When v1 is selected, both v1 and v2 clients can associate with the access point. When v2 is selected, only v2 clients can associate with the access point. Most modern wireless clients support v2. For stations that do not support v2, select v1. The default is v2. |
| Management Frame Protection | This feature protects stations against forged management frames spoofed from other devices. Frames that are protected include Disassociation, Deauthentication and QoS Action |
| WPA3 – Personal | |
| Passphrase | Enter a passphrase of between 8 and 63 alphanumeric characters to create a passphrase used for data encryption and authentication. Click Hide / Show Passphrase to toggle visibility. |
| Fast Transition | [802.11r] The transition process of a mobile client as it moves between access points is improved when this option is ticked. |
| WPA/WPA2 – Personal | |
| Passphrase | Enter a passphrase of between 8 and 63 alphanumeric characters to create a passphrase used for data encryption and authentication. Click Hide / Show Passphrase to toggle visibility. |
| Management Frame Protection | This feature protects stations against forged management frames spoofed from other devices. Frames that are protected include Disassociation, Deauthentication and QoS Action |
| WPA/WPA2 – Enterprise | |
| 802.1X Version | Choose v1 or v2 of the 802.1x EAPOL. When v1 is selected, both v1 and v2 clients can associate with the access point. When v2 is selected, only v2 clients can associate with the access point. Most modern wireless clients support v2. For stations that do not support v2, select v1. The default is v2. |
| Management Frame Protection | This feature protects stations against forged management frames spoofed from other devices. Frames that are protected include Disassociation, Deauthentication and QoS Action |
| WPA2/WPA3 – Personal | |
| Passphrase | Enter a passphrase of between 8 and 63 alphanumeric characters to create a passphrase used for data encryption and authentication. Click Hide / Show Passphrase to toggle visibility. |
| Fast Transition | [802.11r] The transition process of a mobile client as it moves between access points is improved when this option is ticked. |
| Management Frame Protection | This feature protects stations against forged management frames spoofed from other devices. Frames that are protected include Disassociation, Deauthentication and QoS Action |
| Captive Portal Login | |
| Captive Portal | Select Enable to turn on your access point’s built-in captive portal functionality. |
| Authentication Method | Choose Open Access to allow users to connect without authentication or RADIUS to require authentication. If RADIUS is selected, you’ll be given the opportunity to select a RADIUS security method in the next field. |
| RADIUS Security | Select PAP, EAP-TTLS PAP, EAP-TTLS MSCHAPv2, or PEAPv0 EAP-MSCHAPv2. |
| Splash Page | If your web portal will use a splash page, choose HTTP or HTTPS and enter the splash page’s URL. |
| Landing Page | If your web portal will use a landing page, check this box. |
| Landing Page URL | If you have checked Landing Page, enter your landing page URL here. |
| Profile MAC address | Value used on Called-Station-ID. By default the BSSID of the VAP is used.
When LAN MAC Address is used teh AN MAC Address of the VAP is used instead of the BSSID.
|
| Concurrent Login | Check this box to allow users to have more than one logged in session active at a time. |
| Access Quota | Enter a value in minutes to limit access time on a given login or enter 0 to allow unlimited use time on a single login. Likewise, enter a value in MB for the total bandwidth allowed or enter 0 to allow unlimited bandwidth on a single login. |
| Inactive Timeout | Enter a value in minutes to logout following the specified period of inactivity or enter 0 to disable inactivity logouts. |
| Quota Reset Time | This menu determines how your usage quota resets. Setting it to Daily will reset it at a specified time every day. Setting a number of minutes after quota reached establishes a timer for each user that begins after the quota has been reached. |
| Allowed Domains / IPs | To whitelist a domain or IP address, enter the domain name / IP address here and click . To delete an existing entry, click the button next to it. |
| Allowed Client IPs | To whitelist a client IP address, enter the IP address here and click . To delete an existing entry, click the button next to it. |
| Access Control | |
| Restricted Mode | The settings allow the administrator to control access using Mac address filtering. Available options are None, Deny all except listed, Accept all except listed, and RADIUS MAC Authentication. |
| MAC Address List | Connections coming from the MAC addresses in this list will be either denied or accepted based on the option selected in the previous field. |
| RADIUS Server Settings | |
| Host | Enter the IP address of the primary RADIUS server and, if applicable, the secondary RADIUS server. |
| Secret | Enter the RADIUS shared secret for the primary server and, if applicable, the secondary RADIUS server. |
| Authentication Port | Enter the UDP authentication port(s) used by your RADIUS server(s) or click the Default button to enter 1812. |
| Accounting Port | Enter the UDP accounting port(s) used by your RADIUS server(s) or click the Default button to enter 1813. |
| Maximum Retransmission | Enter the maximum number of allowed retransmissions. |
| RADIUS Request Interval | Enter a value in seconds to limit RADIUS request frequency. Note the initial value will double on each retransmission. |
| NAS-Identifier | Information added to access requests to identify the NAS. Select Device Name, LAN MAC Address, Device Serial Number or enter a Custom Value When the NAS ID is not defined, the Device Name will be used as the NAS ID in RADIUS requests. |
| Guest Protect | |
| Block LAN Access | Check this box to block access from the LAN. |
| Custom Subnet | To specify a subnet to block, enter the IP address and choose a subnet mask from the drop-down menu. To add the blocked subnet, click . To delete a blocked subnet, click . |
| Block Exception | To create an exception to a blocked subnet (above), enter the IP address and choose a subnet mask from the drop-down menu. To add the exception, click . To delete an exception, click . |
| Block PepVPN | To block PepVPN access, check this box. |
| Bandwidth Management | |
| Bandwidth Management | Check this box to enable bandwidth management. |
| Upstream Limit | Enter a value in kbps to limit the wireless network’s upstream bandwidth.
Enter 0 to allow unlimited upstream bandwidth. |
| Downstream Limit | Enter a value in kbps to limit the wireless network’s downstream bandwidth.
Enter 0 to allow unlimited downstream bandwidth. |
| Client Upstream Limit | Enter a value in kbps to limit connected clients’ upstream bandwidth.
Enter 0 to allow unlimited upstream bandwidth. |
| Client Downstream Limit | Enter a value in kbps to limit connected clients’ downstream bandwidth. Enter 0 to allow unlimited downstream bandwidth. |
| Firewall Settings | |
| Firewall Mode | Choose Flexible – Allow all except… or Lockdown – Block all except… to turn on the firewall, then create rules for the firewall exceptions by clicking  . See the discussion below for details on creating a firewall rule. To delete a rule, click the associated button. To turn off the firewall, select Disable. |
| Firewall Rule | |
| Name | Enter a descriptive name for the firewall rule in this field. |
| Type | Choose Port, Domain, IP Address, MAC Address or Application/Service to allow or deny traffic from any of those identifiers. Depending on the option chosen, the following fields will vary. |
| Protocol / Port | Choose TCP or UDP from the Protocol drop-down menu to allow or deny traffic using either of those protocols. From the Port drop-down menu, choose Any Port to allow or deny TCP or UDP traffic on any port. Choose Single Port and then enter a port number in the provided field to allow or block TCP or UDP traffic from that port only. You can also choose Port Range and enter a range of ports in the provided fields to allow or deny TCP or UDP traffic from the specified port range. |
| IP Address / Subnet Mask | If you have chosen IP Address as your firewall rule type, enter the IP address and subnet mask identifying the subnet to allow or deny. |
| MAC Address | If you have chosen MAC Address as your firewall rule type, enter the MAC address identifying the machine to allow or deny. |
| Application/
Service |
If you have chosen Application/Service as your firewall rule type, choose TCP or UDP from the Protocol drop-down menu to allow or deny traffic using either of those protocols. Select a service from the Selection Tool drop down list. From the Port drop-down menu, choose Any Port to allow or deny TCP or UDP traffic on any port. Choose Single Port and then enter a port number in the provided field to allow or block TCP or UDP traffic from that port only. You can also choose Port Range and enter a range of ports in the provided fields to allow or deny TCP or UDP traffic from the specified port range. |
| Schedule | |
| Option to schedule SSID availability | |
| Always on | The SSID is always on |
| Custom/Schedule | Define a custom schedule by selecting the desired time slots when the SSID should be enabled |
| ARP Request Control | |
ARP request control is a Broadcast filter feature which:
|
|
| Default handling | Choose between Bypass or Drop (default Bypass) |
| Custom Action | Add IP/ MAC address pairs to this field to either: REPLY : The AP replies to the MAC address itself according to the configDNAT : The AP can translate the destination MAC address from a broadcast to a particular MAC address |
Settings#
Basic access point operation settings, such as the protocol and channels used, as well as scanning interval and other advanced settings, can be defined and managed in this section.
| AP Settings | |
| Protocol | Choose 802.11ng or 802.11n/ac as your access point’s Wi-Fi protocol.
The AP One AC mini provides the 802.11ng protocol for the 2.4 GHz band and the 802.11n/ac protocol for the 5GHz band, as shown below.
|
| Operating Country | This drop-down menu specifies the national / regional regulations the AP should follow. If a North American region is selected, RF channels 1 to 11 will be available and the maximum transmission power will be 26 dBm (400 mW). If European region is selected, RF channels 1 to 13 will be available. The maximum transmission power will be 20 dBm (100 mW). NOTE: Users are required to choose an option suitable to local laws and regulations. Per FCC regulation, the country selection is not available on all models marketed in the US. All US models are fixed to US channels only. |
| Channel Width | This option defines which channel width the radio will use: 20MHz – Supports clients with 20MHz capability. This is the default value for 802.11ng. 40MHz – Supports clients with 20/40MHz capability. 20/40MHz – Supports clients with 20/40 MHz capability. The radio will fall back to 20MHz if it detects APs that only support 20MHz. This is the default value for 802.11na. 80MHz – Supports clients with 20/40/80MHz capability. This is the default value for 802.11n/ac  |
| Channel | This drop-down menu selects the 2.4 Ghz and 5GHz 802.11 channels to be used.
When Auto is selected, the system will perform channel scanning based on the scheduled time set and choose the most suitable channel automatically.
|
| Output Power | This option enables the configuration of transmission power. Choose between :Max / High / Medium / Low Max is the Maximum power supported for that country or Maximum power supported for the device (whichever is the smaller value) High is 3dBm below the max value Medium is 3dBm below high value Low is 3 dBm below Medium value  |
| Antenna Gain | This advanced feature becomes available when selecting this option in the Help section( select the question mark) of the Output Power.
|
| Beacon Rate | This drop-down menu provides the option to send beacons in different transmit bit rates. The bit rates are 1 Mbps, 2 Mbps, 5.5 Mbps, 6 Mbps, and 11 Mbps. |
| Beacon Interval | Set the time between each beacon send. Available options are 100 ms, 250 ms, and 500 ms. |
| DTIM | Set the frequency for the beacon to include delivery traffic indication messages (DTIM). The interval unit is measured in milliseconds. |
| RTS Threshold | Set the minimum packet size for your access point to send an RTS using the RTS/CTS handshake. Setting 0 disables this feature. |
| Fragmentation Threshold | Enter a value to limit the maximum frame size, which can improve performance. |
| Distance / Time Convertor | This slider and text entry field can be used to interactively set slot time. |
| Slot Time | This field provides the option to modify the unit wait time before your access point transmits. The default value is 9μs. |
| ACK Timeout | Set the wait time to receive an acknowledgement packet before retransmitting. The default value is 48μs. |
| Frame Aggregation | With this feature enabled, throughput will be increased by sending two or more data frames in a single transmission. |
| Aggregation Length | This field is only available when Frame Aggregation is enabled. It specifies the frame length for frame aggregation. By default, it is set to 50000. |
| Max number of Clients | Enter the maximum clients that can simultaneously connect to your access point or set the value to 0 to allow unlimited clients. |
| Client Signal Strength Threshold | This field determines the minimum acceptable client signal strength, specified in megawatts. If client signal strength does not meet this minimum, the client will not be allowed to connect. |
| Advanced Features | |
| Discover Nearby Networks | Check this box to enable network discovery. Note that setting Channel to Auto will activate this feature automatically. |
| Scanning Interval | This setting controls the interval, in seconds, that your access point scans for nearby networks. |
| Scanning Time | This setting specifies the time, in milliseconds, that your access point scans any particular channel while searching for nearby networks. |
| Scheduled Radio Availability | Click Custom Schedule to specify radio availability schedule options or select Always On to make the radio continuously available. |
| WMM | This checkbox enables Wi-Fi Multimedia (WMM), also known as Wireless Multimedia Extensions (WME), on your access point. The default is enabled. |
Mesh#
Mesh support enables an access point (AP) to connect wirelessly to other wired mesh APs, providing redundancy in the event of AP failure. Mesh support is available for Wi-Fi networks 802.11ac (Wi-Fi 5) and above.
Please note that the AP’s Mesh settings need to match the Mesh ID and Shared Key of the selected frequency band in order for the AP to join the network.
To create a new Wireless Mesh profile, go to AP > Mesh, and click Add.
| Mesh Settings | |
| Mesh ID | Enter a name to represent the Mesh profile. |
| Enable | Check the box to enable the Mesh Profile. |
| Frequency | Select the 2.4GHz or 5GHz frequency to be used. |
| Shared Key | Enter the shared key in the text field. Please note that it needs to match the shared keys of the other APs in the Mesh.
Click Hide / Show Passphrase to toggle visibility. |
WDS#
A wireless distribution system (WDS) provides a way to link access points together when wired or cabled connections are not feasible or desirable. A WDS can also extend wireless network coverage for wireless clients. Please note that your access point’s channel setting should not be set to Auto when using WDS.
To create a new WDS, go to AP > WDS, and click Add.
| WDS Settings | |
| Enable | Check this box to enable WDS. |
| MAC Address | Enter the MAC address of the access point with which to form a WDS link. |
| Radio Selection | Select the radio frequency (2.4GHz or 5GHz) for the WDS peer connection. |
| Encryption | Select AES to enable encryption for WDS peer connections. Selecting None disables encryption. |
Ch9. System Tab#
Admin Security#
| Admin Settings | |
| Devicer Name | This field allows you to define a name for this Peplink Balance unit. By default, Device Name is set as Model_XXXX, where XXXX refers to the last 4 digits of the serial number of that unit. |
| Location | This field allows you to add Location name |
| Admin User Name | Admin User Name is set as admin by default, but can be changed. |
| Admin Password | This field allows you to specify a new administrator password. |
| Confirm Admin Password | This field allows you to verify and confirm the new administrator password. |
| Web Session Timeout | A web login session will be logged out automatically when it has been idle longer than the Web Session Timeout
Unlimited session timeout: 0 hours 0 minutes |
| Security | This option is for specifying the protocol(s) through which the web admin interface can be accessed:
HTTP to HTTPS redirection is enabled by default to force HTTPS access to the web admin interface. |
| Web Admin Port | This field is for specifying the port number on which the web admin interface can be accessed. |
| Allowed Source IP Subnets | This option is for specifying the IP subnets through which the web admin interface can be accessed. |
| Language | Set language of the Web Interface |
Firmware#
There are two ways to upgrade the unit. The first method is through an online download. The second method is to upload a firmware file manually.
To perform an online download, click on the Check for Firmware button. The Access Point will check online for new firmware. If new firmware is available, the Access Point automatically downloads the firmware. The rest of the upgrade process will be automatically initiated.
You may also download a firmware image from the Peplink website and update the unit manually. To update using a firmware image, click Choose File to select the firmware file from the local computer, and then click Manual Upgrade to send the firmware to the Access Point. It will then automatically initiate the firmware upgrade process.
Please note that all devices can store two different firmware versions in two different partitions. A firmware upgrade will always replace the inactive partition. If you want to keep the inactive firmware, you can simply reboot your device with the inactive firmware and then perform the firmware upgrade.
| Firmware Upgrade Status |
Status LED Information during firmware upgrade:
|
| Important Note |
| The firmware upgrade process may not necessarily preserve the previous configuration, and the behavior varies on a case-by-case basis. Consult the release notes for the particular firmware version before installing. Do not disconnect the power during the firmware upgrade process. Do not attempt to upload a non-firmware file or a firmware file that is not supported by Peplink. Upgrading the Peplink Balance with an invalid firmware file will damage the unit and may void the warranty. |
Time#
The time server functionality enables the system clock of the Access Point to be synchronized with a specified time server. The settings for time server configuration are located at System > Time.
Event Log#
Event log functionality enables event logging at a specified remote syslog server. The settings for configuring the remote system log can be found at System > Event Log.
| Remote Syslog Settings | |
| Remote Syslog | This setting specifies whether or not to log events at the specified remote syslog server. |
| Remote Syslog Host | This setting specifies the IP address or hostname of the remote syslog server. Port: Default 514 |
SNMP#
SNMP or simple network management protocol is an open standard that can be used to collect information about the Peplink Balance unit. SNMP configuration is located at System > SNMP.
| SNMP Settings | |
| SNMP Device Name | This field shows the router name defined at System > Admin Security. |
| SNMP Port | This option specifies the port which SNMP will use. The default port is 161. |
| SNMPv1 | This option allows you to enable SNMP version 1. |
| SNMPv2 | This option allows you to enable SNMP version 2. |
| SNMPv3 | This option allows you to enable SNMP version 3. |
To add a community for either SNMPv1 or SNMPv2, click the Add SNMP Community button in the Community Name table, upon which the following screen is displayed:
| SNMP Community Settings | |
| Enable | Enable the SNMP community |
| Community Name | This setting specifies the SNMP community name. |
| IP Address &
IP mask |
This setting specifies a subnet from which access to the SNMP server is allowed. Enter subnet address here (e.g., 192.168.1.0) and select the appropriate subnet mask. |
| Access Mode | Choose between Read Only and Read and Write |
To define a user name for SNMPv3, click Add SNMP User in the SNMPv3 User Name table, upon which the following screen is displayed:
| SNMPv3 User Settings | |
| Enable | Enable the SNMPv3 user. |
| SNMPv3 User Name | This setting specifies a user name to be used in SNMPv3. |
| Authentication Protocol | This setting specifies via a drop-down menu one of the following valid authentication protocols:
|
| Authentication Password | Password for SNMPv3 authentication. |
| Confirm Authentication Password | Confirm password for SNMPv3 authentication. |
| Privacy Protocol | This setting specifies via a drop-down menu one of the following valid privacy protocols:
When CBC-DES or CFB-AES is selected, an entry field will appear for the password. |
| Access Mode | Choose between Read Only and Read and Write. |
Controller#
Option to choose the controller for the Access Point. The available options are:
| Controller Management Settings | |
| Controller Management | Controller management is enabled when ticked, when untickerd the Access Point is configured through the Web Admin GUI |
| Controller Type | This setting specifies via a drop-down menu one of the following valid authentication protocols:
|
| Privately Host InControl | Privately host InControl Appliance. Check the box beside the “Privately Host InControl” and enter the IP Address or hostname of your InControl Appliance.. |
| Unreachable Action | Switch the AP “Radio off” or take no action when the AP is unreachable. |
*InControl is a cloud-based service which allows you to manage all of your Peplink and Pepwave devices with one unified system. With it, you can generate reports, gather statistics, and configure your devices automatically.
You can sign up for an InControl account at https://incontrol2.peplink.com. You can register your devices under the account, monitor their status, see their usage reports, and receive offline notifications.
Configuration#
Backing up your Pepwave Access Point settings immediately after successful completion of the initial setup is strongly recommended. The functionality to download and upload Pepwave Access Point settings is found at System > Configuration.
| Configuration | |
| Restore Configuration to Factory Settings | The Restore Factory Settings button is to reset the configuration to factory default settings. After clicking the button, you will need to click the Apply Changes button on the top right corner to make the settings effective. Tick the Network Settings option to include the I P Address, Subnet Mask, Default Gateway, DNS Server and Management VLAN ID |
| Download Active Configurations | Click Download to backup the current active settings. |
| Upload Configurations | To restore or change settings based on a configuration file, click Choose File to locate the configuration file on the local computer, and then click Upload. The new settings can then be applied by clicking the Apply Changes button on the page header, or you can cancel the procedure by pressing discard on the main page of the web admin interface. |
Feature Add-Ons#
Some Pepwave Access Points models have features that can be activated upon purchase. Once the purchase is complete, you will receive an activation key. Enter the key in the Activation Key field, click Activate, and then click Apply Changes.
Operating Mode#
Operating Mode allows you to select your desired mode of operation between either AP mode or Air Monitor. The settings for Operation Mode are located at System > Operation Mode.
- AP mode: The AP device works as an AP and will broadcast an SSID.
- Air Monitor: The AP device works in Air Monitor mode without SSID broadcasting. Air Monitor reports can only be viewed in InControl2.
Reboot#
Restart the access point with the Reboot button. For maximum reliability, the Pepwave Access Point can contain two copies of firmware; each copy can be a different version. You can select the firmware version you would like to reboot the device with. The firmware marked with (Running) is the current system boot up firmware.
Please note that a firmware upgrade will always replace the inactive firmware partition.
Tools#
PING#
The ping test tool tests connectivity pinging the specified destination IP address. The ping utility is located at System > Tools > Ping.
Traceroute#
The traceroute test tool traces the routing path to the specified IP address. The traceroute test utility is located at System > Tools > Traceroute.
Nslookup#
The nslookup tool is used to test DNS name servers. The nslookup utility can be found at System > Tools > Nslookup.
Ch10. Status Tab#
The displays available on the Status tab help you monitor device data, client activity, rogue device access, and more.
Device#
| System Information | |
| Device Name | This is the name specified in the Device Name field located at System > Admin Security. |
| Model | This shows the model name and number of this device. |
| Product Code | This shows the product name of this device. |
| Hardware Revision | This shows the hardware version of this device. |
| Location | This is the location name specified in the Location field located at System > Admin Security. |
| Serial Number | This shows the serial number of this device. |
| Firmware | This shows the firmware version this device is currently running. |
| Host name | This shows the hostname of the device. |
| Uptime | This shows the length of time since the device has been rebooted. |
| System Time | This shows the current system time. |
| Diagnostic Report | The Download link is for exporting a diagnostic report file required for system investigation. |
| Remote Assistance | Click Turn on to enable remote assistance. |
The second table shows the MAC address of each LAN/WAN interface connected.
| Important Note |
| If you encounter issues and would like to contact the Peplink Support Team (https://contact.peplink.com/secure/create-support-ticket.html), please download the diagnostic report file and attach it along with a description of your issue. |
Client List#
The Client List displays all currently connected clients. Use the Expand and Collapse buttons to control the amount of data displayed.
Mesh / WDS Info#
Here you can monitor the status of your Mesh or wireless distribution system (WDS) and track activity by MAC address. This will display information for both the 2.4GHz and 5GHz radios.
Portal#
If you’ve turned on your access point’s captive portal, client connection data will appear here. Use the Expand and Collapse buttons to control the amount of data displayed.
Rogue AP#
This section displays a list of nearby suspected rogue access points.
Event Log#
The Event Log displays a list of all events associated with your access point. Check Auto Refresh to refresh log entries automatically. Click the Clear Log button to clear the log.
Ch12. Appendix#
Federal Communication Commission Interference Statement ( AP One Rugged )
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:
-Reorient or relocate the receiving antenna.
-Increase the separation between the equipment and receiver.
-Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
-Consult the dealer or an experienced radio/TV technician for help.
Any changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority to operate this equipment.
Radiation Exposure Statement
This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20cm between the radiator & your body.
Industry Canada Statement ( AP One Rugged )
This product meets the applicable Innovation, Science and Economic Development Canada technical specifications.
Le présent produit est conforme aux spécifications techniques applicables d’Innovation, Sciences et Développement économique Canada.
This device contains licence-exempt transmitter(s)/receiver(s) that comply with Innovation, Science and Economic Development Canada’s licence-exempt RSS(s). Operation is subject to the following two conditions:
(1) This device may not cause interference.
(2) This device must accept any interference, including interference that may cause undesired operation of the device.
Le present appareil est conforme aux CNR d’Industrie Canada applicables aux appareils radio exempts de licence. L’exploitation est autorisee aux deux conditions suivantes:
(1) l’appareil ne doit pas produire de brouillage, et
(2) l’utilisateur de l’appareil doit accepter tout brouillage radioelectrique subi, meme si le brouillage est susceptible d’en
(i) The device for operation in the band 5150–5250 MHz is only for indoor use to reduce the potential for harmful interference to co-channel mobile satellite systems;
(ii) For devices with detachable antenna(s), the maximum antenna gain permitted for devices in the band 5725-5850 MHz shall be such that the equipment still complies with the e.i.r.p. limits specified for point-to-point and non-point-to-point operation as appropriate; and
The high-power radars are allocated as primary users (i.e. priority users) of the band 5725-5850 MHz and that these radars could cause interference and/or damage to LE- LAN devices.
(i) Le dispositif fonctionnant dans la bande 5150-5250 MHz est réservé uniquement pour une utilisation à l’intérieur afin de réduire les risques de brouillage préjudiciable aux systèmes de satellites mobiles utilisant les mêmes canaux;
(ii) Le gain maximal d’antenne permis pour les dispositifs avec antenne(s) amovible(s) utilisant la bande 5725-5850 MHz doit se conformer à la limitation P.I.R.E spécifiée pour l’exploitation point à point et non point à point, selon le cas.
En outre, les utilisateurs devraient aussi etre avises que les utilisateurs de radars de haute puissance sont designes utilisateurs principaux (c.-a-d., qu’ils ont la priorite) pour les bande 5725-5850 MHz et que ces radars pourraient causer du brouillage et/ ou des dommages aux dispositifs LAN-EL.
Radiation Exposure Statement
This device complies with the ISED radiation exposure limit set forth for an uncontrolled environment. This device should be installed and operated with minimum distance 20cm between the radiator & your body.
Get equipement est conforme avec l’exposition aux radiations ISED definies pour un environnement non controle. Get equipement doit etre installe et utilise a une distance minimum de 20 cm entre le radiateur et votre corps.
CE Statement for Pepwave Routers ( AP One Rugged )
2.4GHz ( 2412 – 2472 MHz ) : 16.20 dBm
5GHz ( 5150 – 5250 MHz ) : 19.18 dBm
5GHz ( 5725 – 5850 MHz ) : 13.84 dBm
This equipment complies with CE radiation exposure limits set forth for an uncontrolled envi- ronment. This equipment should be installed and operated with a minimum distance of 20cm between the radiator & your body.
This equipment is restricted to indoor use only when operating in the 5150 to 5250 MHz frequency range in above countries.
contact as: https://www.peplink.com/