Network

802.1x

802.1x provides an authentication mechanism for clients connecting to the WLAN. When a client enters access credentials, the wireless controller consults the gateway; if the credentials are valid, the client is allowed on the network and activated on the gateway at the same time.

Configuration

  • Add the IP of the wireless controller as well as the radius secret in the access point list
  • Upload a valid SSL certificate
  • Configure the access point to use the gateway as radius server (both parties need to share the same radius secret)

Tips

  • Open port 1812/udp in the firewall for RADIUS authentication and port 1813/udp for RADIUS accounting.
  • Certain mobile platforms allow you to pre-seed devices with cryptographic material (certificates, wireless network profile, …).

Cluster

Introduction

The cluster module creates a highly available, redundant system from two standalone HSMX gateways.

Operation

During normal operation both nodes in the cluster are available, but only one of them operates the LAN networks and holds the configured virtual IPs. The two nodes constantly communicate with each other to verify the cluster status. When the active node becomes unreachable, or when a problem is detected (e.g. a disconnected LAN cable), a smooth fail-over process is initiated and the slave node starts operating the LAN networks. If the primary node comes back online it defers fail-back until the secondary node goes offline.

Configuration

The cluster nodes communicate over one of the interfaces configured in the system. This can be the standard WAN interface or a dedicated interface used solely for cluster communication (the latter is preferred).

Firewall configuration

In order to allow the clustered nodes to communicate and synchronize with each other, the firewall must contain additional rules:

  • 80/tcp
  • 873/tcp
  • 5432/tcp
  • 5555/udp

See the firewall section to learn how to configure the firewall.

Cluster advanced settings

  • Ping pongs: Number of pings before the system performs a health check of the other gateway.
  • Max failed pings: Number of failed pings before the slave becomes primary.
  • Max failed healths: Number of failed health checks before the slave becomes primary.
  • Ping interval: The interval in which the ping commands are sent (in seconds).
  • Sleep after health check: How long the scripts sleep after a health check (in seconds).
  • Ping timeout: The timeout before a ping command is marked as failed (in seconds).
  • Health timeout: The timeout before a health message command is marked as failed (in seconds).

Note: values are in seconds by default; use a comma as decimal separator to specify up to microsecond precision.
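To make the interplay of these counters and timeouts concrete, here is an added example (not code from the HSMX product) that models the slave's monitor loop as the settings describe it: a health check runs after every "ping pongs" pings, and the slave takes over once either "max failed pings" or "max failed healths" is reached. The default values, the assumption that both counters count consecutive failures and reset on a success, and the assumption that a failed ping or health check waits for its full timeout are constructed for the example. It also parses the comma notation the note above mentions.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Iterable, Optional, Tuple


def parse_seconds(value: str) -> float:
    """Parse a timing value as typed in the UI: whole seconds, or a comma as
    decimal separator for sub-second values (at most microsecond precision)."""
    try:
        dec = Decimal(value.strip().replace(",", "."))
    except InvalidOperation as exc:
        raise ValueError(f"not a number: {value!r}") from exc
    if dec <= 0 or dec.as_tuple().exponent < -6:
        raise ValueError(f"must be positive with at most 6 decimals: {value!r}")
    return float(dec)


@dataclass
class ClusterSettings:
    # constructed defaults for the example, not the product's shipped defaults
    ping_pongs: int = 3            # pings between two health checks
    max_failed_pings: int = 5      # consecutive failed pings before take-over
    max_failed_healths: int = 3    # consecutive failed health checks before take-over
    ping_interval: float = 1.0     # seconds between two pings
    sleep_after_health: float = 2.0
    ping_timeout: float = 1.0      # a failed ping is assumed to wait the full timeout
    health_timeout: float = 5.0    # same assumption for a failed health check


def simulate_slave(settings: ClusterSettings,
                   ping_results: Iterable[bool],
                   health_results: Iterable[bool],
                   max_loops: int = 10_000) -> Tuple[Optional[str], int, float]:
    """Walk the slave's monitor loop over scripted ping / health-check outcomes.

    Returns (reason, loops, elapsed_seconds): reason is "pings" or "health" when
    the slave should take over, None when the script ends without a take-over.
    Assumption: both "max failed" counters count consecutive failures."""
    pings, healths = iter(ping_results), iter(health_results)
    failed_pings = failed_healths = since_health = 0
    elapsed = 0.0
    for loop in range(1, max_loops + 1):
        ping_ok = next(pings, None)
        if ping_ok is None:
            return None, loop - 1, elapsed
        if ping_ok:
            failed_pings = 0
        else:
            failed_pings += 1
            elapsed += settings.ping_timeout
        elapsed += settings.ping_interval
        if failed_pings >= settings.max_failed_pings:
            return "pings", loop, elapsed
        since_health += 1
        if since_health < settings.ping_pongs:
            continue
        since_health = 0                      # time for a health check
        health_ok = next(healths, None)
        if health_ok is None:
            return None, loop, elapsed
        if health_ok:
            failed_healths = 0
        else:
            failed_healths += 1
            elapsed += settings.health_timeout
        elapsed += settings.sleep_after_health
        if failed_healths >= settings.max_failed_healths:
            return "health", loop, elapsed
    return None, max_loops, elapsed


if __name__ == "__main__":
    s = ClusterSettings(ping_interval=parse_seconds("0,5"))
    print(simulate_slave(s, [False] * 20, [False] * 20))  # peer fully unreachable
    print(simulate_slave(s, [True] * 20, [False] * 20))   # reachable, but LAN problem
```

Running the two scripted scenarios with the constructed defaults shows the practical difference between the two counters: a peer that stops answering pings is replaced after 5 loops, while a peer that still answers pings but fails its health check (the disconnected-LAN-cable case) is only replaced after three health checks, i.e. 9 pings plus three health timeouts. Lowering "ping pongs" therefore shortens detection of LAN-side problems at the cost of more frequent health checks.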

Cluster settings

The cluster settings are divided into two columns: one for the settings of the current gateway and one for the other gateway.

Virtual IP

Up to two virtual IPs can be configured. A virtual IP always points to the active node, so it should usually be chosen on the network used to manage the gateway cluster. Specify the IP / subnet and the network port it must be applied to. Optionally a second virtual IP can be configured.

Communication IPs

These IP addresses are used by HSMX to communicate and synchronize state between the two gateways. You can use the WAN connection, but more conventionally a dedicated network port is used. Optionally a secondary backup interface can be configured so that a single network failure does not cause communication loss between the cluster participants. Make sure to configure the network interfaces beforehand in Network / Network Settings.

Cluster status

Cluster status verifies whether the two participating gateways can communicate properly over the configured communication IP addresses. Click the test connection button to check whether communication works; if a red cross appears, communication is not working and you should verify that the network configuration and firewall are configured properly. Only after the connection shows green can the cluster be enabled.

Network interfaces

The entire network configuration is shared between the cluster participants, because they share the IP aliases / PPPoE connections; these are activated on the primary node only. This means there is one more step: you have to configure the IPs of the other gateway for interfaces that are already configured. A small icon will try to retrieve this information from the other gateway; this works if the interface names are identical.

Connection tracking

All clients using a protocol configured in connection tracking are destination-NATed to one of the available IPs (to add an IP, go to network settings). This can be used for services that require a unique public IP per accepted connection (VPN / web apps / …).

DHCP

Introduction

Here you can configure the DHCP server. Configuration is based on subnets, so if no subnets are shown you can either create a guest network (network / network configuration) or add a subnet (network / subnets).

Configuration

DHCP server

LAN IP: this is the IP the DHCP server hands out as default gateway; in most cases this is the IP you assigned to the guest network (network → network configuration).

Start - end IP: this is the pool the server uses to assign IPs; you can view the available/used leases in the graphical reports.

Lease time: determines how long a lease (assigned IP) is reserved for a specific client, in seconds. If the client is no longer connected and the lease expires, the IP becomes available again. Default is one day.

DHCP rules

With rules you can assign a specific MAC or VLAN to a subnet. You can use a wildcard (*) for MAC addresses, e.g. 44:58:66:*:*:*. When the system detects a match it assigns an IP from that subnet to the client.

Static DHCP

With static DHCP you can reserve a specific IP for a specific device (MAC format: 00:00:00:00:00:00).
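The following added example (written for this page, not the gateway's own DHCP implementation) shows how the three pieces above fit together: wildcard MAC rules and VLAN rules select a subnet, the subnet's LAN IP and start - end pool produce the offer, and a static DHCP entry pins a device to a reserved address. The subnets, rules and MAC addresses are constructed sample data; the ordering choices (first matching rule wins, a static reservation takes precedence over rules) are assumptions of the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# six groups of two hex digits, any of which may be the '*' wildcard
MAC_RE = re.compile(r"^([0-9a-f]{2}|\*)(:([0-9a-f]{2}|\*)){5}$")


def normalize_mac(mac: str) -> str:
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC or MAC pattern: {mac!r}")
    return mac


def mac_matches(pattern: str, mac: str) -> bool:
    """A '*' in the pattern matches any value for that octet, e.g. 44:58:66:*:*:*."""
    octets = zip(normalize_mac(pattern).split(":"), normalize_mac(mac).split(":"))
    return all(p in ("*", m) for p, m in octets)


@dataclass
class Subnet:
    network: ipaddress.IPv4Network
    lan_ip: ipaddress.IPv4Address      # handed out as default gateway
    pool_start: ipaddress.IPv4Address  # start - end IP of the lease pool
    pool_end: ipaddress.IPv4Address
    lease_seconds: int = 86400         # one day, the page's default


@dataclass
class DhcpRule:
    subnet: str                        # name of the subnet to assign
    mac_pattern: Optional[str] = None  # either a MAC (pattern) ...
    vlan: Optional[int] = None         # ... or a VLAN id


class DhcpServer:
    def __init__(self, subnets: Dict[str, Subnet], rules: List[DhcpRule],
                 static: Dict[str, str], default_subnet: str):
        self.subnets, self.rules, self.default_subnet = subnets, rules, default_subnet
        # static DHCP: MAC -> reserved IP (assumption: a reservation wins over rules)
        self.static = {normalize_mac(m): ipaddress.ip_address(ip) for m, ip in static.items()}
        self.leases: Dict[str, ipaddress.IPv4Address] = {}

    def select_subnet(self, mac: str, vlan: Optional[int]) -> str:
        for rule in self.rules:  # assumption: first matching rule wins
            if rule.mac_pattern and mac_matches(rule.mac_pattern, mac):
                return rule.subnet
            if rule.vlan is not None and rule.vlan == vlan:
                return rule.subnet
        return self.default_subnet

    def _subnet_containing(self, ip: ipaddress.IPv4Address) -> str:
        for name, sub in self.subnets.items():
            if ip in sub.network:
                return name
        raise ValueError(f"{ip} is not in any configured subnet")

    def _next_free(self, sub: Subnet) -> ipaddress.IPv4Address:
        taken = set(self.leases.values()) | set(self.static.values())
        for n in range(int(sub.pool_start), int(sub.pool_end) + 1):
            if ipaddress.ip_address(n) not in taken:
                return ipaddress.ip_address(n)
        raise RuntimeError(f"lease pool of {sub.network} exhausted")

    def offer(self, mac: str, vlan: Optional[int] = None) -> dict:
        """What the client would be offered: address, gateway, netmask and lease time."""
        mac = normalize_mac(mac)
        if "*" in mac:
            raise ValueError("a client MAC cannot contain wildcards")
        if mac in self.static:                  # reservation: fixed address
            ip = self.static[mac]
            name = self._subnet_containing(ip)
        elif mac in self.leases:                # returning client keeps its lease
            ip = self.leases[mac]
            name = self._subnet_containing(ip)
        else:                                   # new client: rules pick the subnet
            name = self.select_subnet(mac, vlan)
            ip = self._next_free(self.subnets[name])
        sub = self.subnets[name]
        self.leases[mac] = ip
        return {"subnet": name, "ip": str(ip), "gateway": str(sub.lan_ip),
                "netmask": str(sub.network.netmask), "lease": sub.lease_seconds}


def demo_server() -> DhcpServer:
    """Constructed sample configuration: a guest and a staff subnet, one MAC
    wildcard rule, one VLAN rule and one static reservation."""
    ip, net = ipaddress.ip_address, ipaddress.ip_network
    subnets = {
        "guest": Subnet(net("192.168.10.0/24"), ip("192.168.10.1"), ip("192.168.10.100"), ip("192.168.10.200")),
        "staff": Subnet(net("192.168.20.0/24"), ip("192.168.20.1"), ip("192.168.20.50"), ip("192.168.20.99")),
    }
    rules = [DhcpRule("staff", mac_pattern="44:58:66:*:*:*"), DhcpRule("staff", vlan=30)]
    return DhcpServer(subnets, rules, {"00:11:22:33:44:55": "192.168.10.10"}, default_subnet="guest")
```

Note that the wildcard only matches whole octets, so a rule like 44:58:66:*:*:* keys on the OUI (vendor prefix) of the device; a MAC is trivially changeable by the client, so such rules are a convenience for placing known device classes in a subnet, not an access control.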

DHCP options

BOOTP/DHCP can be extended by vendors with custom options. Clients ask for the options they wish to receive from the DHCP server; traditionally the gateway, DNS server, … Typically the DHCP client from that vendor asks for its own custom DHCP option. Current use cases for DHCP options include cloud access points that request such a custom option to find their wireless controller platform (e.g. Ubiquiti UniFi can work this way).

Note: you cannot, however, override the standard options we set, such as gateway, DNS server, … If you do try to configure them, you will notice they are ignored.

DNS

Servers

You can configure up to three nameservers to resolve domains.

Offline mode: when the system is no longer able to resolve domains, you can let the gateway resolve all domains to one specific IP (resolve IP). Clients will no longer receive a timeout error but will be redirected to the gateway. Note: it is possible to trigger certain portal rules based on the lack of DNS availability by creating a portal rule containing 'Offline mode (no DNS)'.

Resolve attempts: the number of times the system tries to resolve before switching to offline mode; a value higher than one is recommended.

Misc

You can block non-standard DNS records; this can be used to block DNS tunneling.

DNS entries

Here you can add custom DNS entries, available types are:

  • login domain: domain used to redirect to the portal page
  • logout domain: domain used by clients to stop their current session
  • upgrade domain: can be used to retrieve an upgrade page where clients can buy a new plan (only for PMS users)
  • status domain: retrieves the status page, which can contain information about the client's current session
  • resolve: the domain will be resolved to the configured IP
  • block: this domain will not be resolved, resulting in a browser error on the client
  • forward: forward DNS records for this domain to another DNS server

DYNDNS

This module can be used when you have a subscription with DYNDNS or NO-IP. Both service providers ensure that your dynamic DNS entry always points to your device's WAN IP, even when your WAN connection uses DHCP.

Enter the username, password and provide the specific host to update (a single account can have multiple hosts).

Load balancing

Load balancing automatically spreads the load of all subscriber sessions over the WAN interfaces configured here. By default only one WAN interface is added; press the + sign to add another WAN interface. Make sure you already configured the WAN interface in network settings. The weight determines how many users a WAN connection gets compared to the others: the higher the weight, the more users are assigned to that WAN interface. The fail-over option allows an interface to be used when another WAN interface is down. You can configure a load balancing interface in a billing plan or guest network to “reserve” that interface for all clients having this billing plan or connecting through that guest network.
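As an added illustration of the weight and fail-over semantics described above (example code, not the gateway's own balancing logic), the block below assigns new subscriber sessions to WAN interfaces so that the share of users converges to the configured weights, and only lets a fail-over interface carry sessions while a regular interface is down. The manual does not say how sessions are balanced against weights; the "lowest sessions-per-weight ratio" rule and the interface names are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class WanInterface:
    name: str
    weight: int = 1           # relative share of users
    failover: bool = False    # only used while another WAN interface is down
    up: bool = True
    sessions: int = 0

    def __post_init__(self) -> None:
        if self.weight < 1:
            raise ValueError("weight must be >= 1")


def eligible(wans: List[WanInterface]) -> List[WanInterface]:
    """Regular interfaces that are up; fail-over interfaces join the pool only
    when at least one regular interface is down."""
    regular = [w for w in wans if not w.failover]
    pool = [w for w in regular if w.up]
    if any(not w.up for w in regular):
        pool += [w for w in wans if w.failover and w.up]
    if not pool:
        raise RuntimeError("no WAN interface available")
    return pool


def assign(wans: List[WanInterface]) -> WanInterface:
    """Pick the eligible interface with the lowest sessions-per-weight ratio
    (assumption) and book the new session on it."""
    chosen = min(eligible(wans), key=lambda w: w.sessions / w.weight)
    chosen.sessions += 1
    return chosen


def distribute(wans: List[WanInterface], new_sessions: int) -> Dict[str, int]:
    """Assign a batch of new sessions and report the sessions per interface."""
    for _ in range(new_sessions):
        assign(wans)
    return {w.name: w.sessions for w in wans}


if __name__ == "__main__":
    # constructed configuration: weights 3:1 plus a fail-over-only line
    wans = [WanInterface("wan1", weight=3), WanInterface("wan2", weight=1),
            WanInterface("backup", failover=True)]
    print(distribute(wans, 8))      # wan1 gets three quarters of the users
    wans[1].up = False
    print(distribute(wans, 4))      # backup line now takes sessions
```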

Network configuration

Network configuration

WAN

  • Static: You need to enter an IP address, subnet, network port and optionally the default gateway.
  • DHCP: You only need to choose the network port.
  • PPPoE: You can choose this option if you want to connect to a DSL device. Just enter a username, password and network port.

You can see additional information (connectivity monitor, advanced port settings,…) by clicking the gear icon. See advanced-subscriber-network-settings for more information.

Use entire subnet can be used to add aliases for 1-to-1 NAT: all IP addresses within this subnet are added to the selected port.

Guest networks

  • Managed: These networks will handle client traffic between LAN and WAN, clients need to authenticate before they can access the WAN.
  • Unmanaged: Traffic will be forwarded without inspection or limitations (no configuration to clients can be applied).
  • NAT: Enables NAT for selected port and subnet.

Additional configuration can be found using the gear icon.

Network ports

On this page you can configure the physical Ethernet ports and also create virtual interfaces.

You can create:

  • VLAN interfaces: enter the port number and the VLAN id.
  • Bridges: create a bridge interface that bridges two or more (virtual) interfaces.

Routes

This module displays the current routing table; it is also possible to view the other routing tables by selecting one from the dropdown (these are only used in case of WAN load balancing). At the top of the page custom routes can be added, for WAN and management networks.

Interface order

If you want to change the default interface order, or you bought an Ethernet port upgrade, it may be necessary to fix or change the interface order. This tool helps you with that process: you can see when a link is detected on a network port and use that to identify and reorder the interfaces. After a reboot the order is saved.

Important: keep the first port where it is, as it is part of the gateway's license process.

Overview

Check the configuration applied on the system.

One 2 One NAT pool

Here you can enable the IP addresses that will be used when a client uses a billing plan with Upsell enabled. To add a new IP address or subnet go to network configuration and create an alias on the WAN port.

Port forwarding

Introduction

Port forwarding gives you the ability to connect to a specific device within the LAN network.

Requirements

  • The device needs to be active and authenticated in order for the port forwarding to work.
  • Traffic over the port-forward needs to be allowed by the firewall on the WAN-interfaces.

Configuration

QOS

Introduction

QoS (Quality of Service) makes it possible to give different priority (bandwidth) to different applications, rules and subscribers. With this functionality you can easily control the bandwidth of all subscribers in your network. QoS comes standard with every HSMX but with some limitations; to get full access you have to buy the QoS module.

Limitations in the standard version are:

  • The tree has only 1 level
  • No priorities, hence no bandwidth allocation
  • Only groups are available; network policies (including Layer 7), user profiles and group profiles are not available.

Interface

The QoS module is displayed in a tree view. A rectangle is called a node; all nodes below a node are its children, and the node above it is called its parent node. All nodes are displayed with their maximum bandwidth (download and upload) and their priority, which goes from 1 (highest) to 7 (lowest), from top to bottom.

Priorities are used for bandwidth allocation: available bandwidth is first served to users with a higher priority, and as soon as bandwidth becomes available again, users with a lower priority get their normal bandwidth back. The bandwidth of a child can never exceed the bandwidth of its parent. There are three different node types, indicated by an icon below the status line. To add a child, simply click the green add icon; in the next screen you can choose which node type to add.

If a node shows a funnel icon, the node has a network policy. Network policies can be used to divide the bandwidth of a node using rules.

Node types

Group (folder icon)

This is a group node, used to divide a parent node into segments. Group nodes can contain other groups, user profiles or group profiles as children. A group node can be used in a billing plan or location, but only if it has no children. The bandwidth of the selected node is divided over all subscribers in that node.

For instance:

Clients in node Internal have a higher priority than clients in node guests. This means that bandwidth moves from the guests node to the internal node if needed. As soon as the internal node no longer needs the bandwidth, the guests node gets its full capacity back. The total download bandwidth of the internal node is 100000 kbps and is divided over all subscribers in this node.

User profile (user icon)

A user profile is assigned per subscriber, so if the node has a download limit of 5000 kbps, each subscriber with this profile has a maximum download of 5000 kbps (as long as the total bandwidth of its parent is not reached!).

User profiles can contain other nodes (children) to control their traffic: create child nodes, assign them some bandwidth, and finally create a network policy on the user profile node that links to the child node. Traffic that triggers a certain rule is then handled by that specific node.

Example: in this example we see a user profile named “guests”, divided into two nodes: default and torrents. The default traffic has a higher priority and gets all the bandwidth it needs. Node “torrents” has only 1000 kbps and cannot borrow from node “default”, as it has a lower priority; this means that if node default needs 4500 kbps, node torrents only gets 500 kbps.

A funnel is displayed on the guests and torrents nodes, because the user profile contains network policies and one network policy is linked to the torrents node. If we press edit on the guests node we see the following:

This is where we link the application BitTorrent to the torrents node. All traffic from BitTorrent is then handled by the torrents node, while all other traffic is handled by the default node.

Other network policies can be made by pressing the green add icon. Network policies can be based on application, protocol (and port), or on sending/receiving X bytes (this lets you identify large downloads / uploads and give that specific transfer a lower priority).

Group profile (multiple users)

This is almost the same as a user profile, but here you also define the total bandwidth for all users in the group. This is designed for simultaneous user accounts.

For instance, you can define a total bandwidth of 5000 kbps and an individual bandwidth of 1000 kbps: users get at most 1000 kbps, but the total of all users in this profile never exceeds 5000 kbps. So as soon as this profile reaches 6 users, users no longer get 1000 kbps (5000 kbps / 6 users).
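The following added example (written for this page; it is not the gateway's traffic shaper) works through both worked cases above: the “guests” user profile, where the higher-priority default node takes 4500 kbps and the 1000 kbps torrents node is left with 500, and the group profile, where the per-user rate is the smaller of the individual cap and the shared total divided over the users. Priority values 1 and 7 for the default and torrents nodes, the demand figures, and the rule that siblings of equal priority share proportionally to their demand are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Node:
    name: str
    limit_kbps: int                    # maximum bandwidth of the node
    priority: int = 7                  # 1 = highest ... 7 = lowest
    demand_kbps: int = 0               # current demand of the traffic in a leaf
    children: List["Node"] = field(default_factory=list)


def wanted(node: Node) -> int:
    """What a node would use right now, capped by its own limit."""
    if node.children:
        return min(node.limit_kbps, sum(wanted(c) for c in node.children))
    return min(node.limit_kbps, node.demand_kbps)


def allocate(node: Node, granted: Optional[int] = None) -> Dict[str, int]:
    """Share a node's bandwidth over its subtree, highest priority first.

    A child never exceeds its own limit and the children together never exceed
    the parent. Assumption: children of equal priority share proportionally to
    their demand when the parent cannot satisfy all of them."""
    have = node.limit_kbps if granted is None else min(node.limit_kbps, granted)
    shares = {node.name: have}
    remaining = have
    for prio in sorted({c.priority for c in node.children}):
        group = [c for c in node.children if c.priority == prio]
        wants = {c.name: wanted(c) for c in group}
        total = sum(wants.values())
        for c in group:
            give = wants[c.name] if total <= remaining else wants[c.name] * remaining // total
            shares.update(allocate(c, give))
        remaining -= sum(shares[c.name] for c in group)
    return shares


def group_profile_rate(total_kbps: int, individual_kbps: int, users: int) -> int:
    """Per-user rate in a group profile: the individual cap until the shared
    total divided over the users becomes the smaller number (integer kbps)."""
    if users < 1:
        raise ValueError("users must be >= 1")
    return min(individual_kbps, total_kbps // users)


def guests_profile(default_demand: int, torrents_demand: int) -> Node:
    """The manual's 'guests' user profile: 5000 kbps over a high-priority
    'default' node and a 1000 kbps 'torrents' node with lower priority."""
    return Node("guests", 5000, children=[
        Node("default", 5000, priority=1, demand_kbps=default_demand),
        Node("torrents", 1000, priority=7, demand_kbps=torrents_demand),
    ])


if __name__ == "__main__":
    print(allocate(guests_profile(4500, 2000)))   # torrents squeezed to 500 kbps
    print(allocate(guests_profile(1000, 2000)))   # torrents capped at its own 1000 kbps
    print([group_profile_rate(5000, 1000, n) for n in (1, 5, 6, 10)])
```

The second call shows the "cannot borrow" rule from the example: even with 4000 kbps spare in the parent, the torrents node never exceeds its own 1000 kbps limit, while the default node can use all of its parent's 5000 kbps when it needs it.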

Applying QoS

Once the network has been divided into smaller segments (nodes), you need to tie the QoS profiles to subscribers. This is done by configuring a QoS profile in a billing plan or a location. If a client has both a QoS profile from a billing plan and one from a location, the QoS profile from the location is ignored and the QoS profile configured in the billing plan is used.

Subnet

Introduction

Subnets are needed when configuring the DHCP server. Subnet entries are created automatically when a guest network is added, so this module requires almost no configuration unless you want to load-balance a subnet over multiple guest networks. A subnet can be added manually by:

  • Subnet: configure the IP and subnet
  • Hosts: configure the number of subnets needed (usually the same number as guest networks), the hosts (available IPs) per subnet, and whether the system should load-balance between guest networks. You can press “preview” to preview the subnets before adding them.

Loadbalance guest networks

Since version 5.0 it is possible to let multiple LAN ports (on one or multiple HSMX gateways) operate the same network. This allows active / active load balancing and supports more users and throughput in high-density environments. Each LAN port has its own subnet but is part of a larger subnet; clients receive an IP address from the large subnet via the HSMX DHCP server, and the DHCP server assigns different default gateways to the clients in order to load-balance them across all LAN ports. To achieve such a configuration, add subnets 'by hosts' and enable the auto distribution mode. Once the subnets are added you have to choose the port per subnet.
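To show what the 'by hosts' form and the auto distribution mode produce, here is an added example (not the gateway's own code) that splits a large subnet into per-port subnets sized for a given number of hosts, assigns each LAN port its subnet and gateway address, and then hands out client addresses from the large subnet while rotating the default gateway over the LAN ports. The 10.0.0.0/22 network, the port names and the client MACs are constructed sample data; using the first usable address of each subnet as the port's gateway and a plain round robin over the ports are assumptions of the example.

```python
import ipaddress
import math
from typing import Dict, List


def subnets_by_hosts(base: str, count: int, hosts: int) -> List[ipaddress.IPv4Network]:
    """Split `base` into `count` equal subnets that each hold at least `hosts`
    usable addresses (network and broadcast excluded), like the 'Hosts' preview."""
    if count < 1 or hosts < 1:
        raise ValueError("count and hosts must be >= 1")
    prefix = 32 - math.ceil(math.log2(hosts + 2))  # +2: network and broadcast address
    net = ipaddress.ip_network(base, strict=False)
    if prefix < net.prefixlen:
        raise ValueError(f"{hosts} hosts do not fit in {net}")
    subs = list(net.subnets(new_prefix=prefix))
    if len(subs) < count:
        raise ValueError(f"{net} yields only {len(subs)} subnets of /{prefix}, {count} requested")
    return subs[:count]


def lan_port_plan(base: str, hosts: int, ports: List[str]) -> List[Dict[str, str]]:
    """One row per LAN port: the subnet it operates and the gateway address it
    carries (assumption: the first usable address of each subnet)."""
    subs = subnets_by_hosts(base, len(ports), hosts)
    return [{"port": p, "subnet": str(s), "gateway": str(s.network_address + 1)}
            for p, s in zip(ports, subs)]


def loadbalanced_offers(base: str, plan: List[Dict[str, str]],
                        clients: List[str]) -> List[Dict[str, str]]:
    """Auto distribution mode: every client gets an address from the large
    subnet and the default gateway rotates over the LAN ports (assumption:
    round robin), so the clients spread over all ports."""
    net = ipaddress.ip_network(base, strict=False)
    gateways = {ipaddress.ip_address(row["gateway"]) for row in plan}
    pool = (h for h in net.hosts() if h not in gateways)   # never lease a gateway address
    offers = []
    for i, mac in enumerate(clients):
        ip = next(pool, None)
        if ip is None:
            raise RuntimeError(f"address pool of {net} exhausted")
        offers.append({"mac": mac, "ip": str(ip), "netmask": str(net.netmask),
                       "gateway": plan[i % len(plan)]["gateway"]})
    return offers


if __name__ == "__main__":
    plan = lan_port_plan("10.0.0.0/22", 200, ["eth1", "eth2", "eth3", "eth4"])
    for row in plan:
        print(row)
    for offer in loadbalanced_offers("10.0.0.0/22", plan, [f"02:00:00:00:00:0{i}" for i in range(1, 6)]):
        print(offer)
```

Because every client carries the large subnet's netmask (255.255.252.0 in the example) it can reach any of the LAN ports directly; only its default gateway differs, which is what distributes the uplink traffic across the ports.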

manual/network.txt · Last modified: 2015/05/20 10:10 by ewald