Product Review: 4ipnet Product for Wireless Network

Original article: http://www.itparadigma.ru/blog/oborudovanie-dlya-besprovodnyh-setej-4ipnet/

4ipnet, founded in Taiwan in 2002, is little known in Russia. The company develops its product lines for building enterprise-grade wireless networks, and Wi-Fi networks for public use. The company's portfolio includes functional controllers, a wide range of access points, wireless network gateways, POS terminals and ticket printers, as well as a line of PoE+ switches.

The most outstanding advantages of 4ipnet products that worth mentioning is that all hardware functions are accessible by default, and don’t require any additional licenses. Additionally, there’s an optimal and attractive price/quality ratio.

The company's solutions are successfully implemented for educational and medical institutions, corporate sectors and telecom operators.

Supporting advanced technologies such as Seamless Roaming (moving within the territory without connection failure), Airtime Fairness, Load Balancing, and many others, allows one to maintain high data transfer rate, and prevents network overloading, even in locations with high-density users. In addition, the administrator can divide users into groups: employees, guests, etc., and assign different network access policies, which helps to manage users, perform detailed recording of network activity and provide reports, track suspicious activity, thus making Wi-Fi network more secure and reliable.

We will share some information about two access points (EAP767, EAP727) and the WHG201 controller.

We’ve used a 4ipnet unmanaged gigabit switch SW1108 to connect to the access points network.

EAP767 (Enterprise Access Point) is an enterprise-grade 802.11ac standard dual-band indoor access point. It has dual radio transmitters with a 3x3 MIMO function (Multiple Input Multiple Output - a method of spatial coding of a signal that helps increasing the channel bandwidth in which data transmission and data reception are carried out by systems of several antennas). Thus, the EAP767 has 6 built-in antennas (3x2.4 GHz, 3x5 GHz), which according to the manufacturer, allow to support the data transfer rate up to 450 Mbit/s and 1300 Mbit/s, in 2.4GHz and 5GHz bands. Also, it can distribute clients to separate channels, thereby reducing overloads.

The access point has its own Layer 2 Firewall, to block unwanted traffic and provide an additional level of security.

Several SSIDs can be configured on the access point, each of which can use different security standards (for example, WPA2-Enterprise) and VLAN virtual network tags that provide network segmentation.

The number of concurrent users can reach up to 384 (256 in the 2.4GHz band, 128 in the 5GHz band).

Main features:

•   Concurrent dual-band 2.4 & 5 GHz
•  802.11ac 3x3 MIMO supporting up to 1300 Mbps data rate

•  Ceiling mountable UL94-5VB fire-retardant plastic housing

•  802.3at Power over Ethernet (PoE) compatible

•  Up to 16 ESSIDs per radio with 802.1Q VLAN

•  Captive portal and Guest provisioning*

•  Rogue AP detection & Load balancing *

•    Fast Layer 2/Layer 3 roaming*

* When used in conjunction with 4ipnet WHG Controller

4ipnet EAP767

EAP727 (Enterprise Access Points) is also an 802.11ac dual-band indoor access point. Its main difference from EAP767 is dual radio transmitters with 2x2 MIMO function: 4 built-in antennas (2x2.4GHz, 2x5GHz) that offer data transfer rate up to 300 Mbps and 867 Mbps in the 2.4GHz and 5GHz respectively.

Access points are similar in the functionalities, and there is also no differences in the management interface, although they have different mounting, appearance and ports designs.

4ipnet EAP727

The user interface and funcionality of access points are the same. There’re five main tabs (System, Wireless, Firewall, Utilities, Status).

In the System tab, you can specify the AP and location, and set time settings, network settings, control parameters (VLAN, port, etc.), as well as the CAPWAP protocol settings for communication with the controller.

In the Wireless tab, accordingly, is all that concerns Wi-Fi, transmitter working mode settings (frequency, protocol, channel, etc.), security and virtual access points (VAP).

The Layer 2 Firewall is disabled by default. To enable it, configure its services and select the interfaces with which it will work (the entire access point, the specified radio or virtual access points (VAP)).

Utilities is a tab where you can change passwords, update software, reboot, back up and reset.

The Status tab provides a summary of the LAN interface, system, radio modules (RF Card A, RF Card B) data.

The WHG201 WLAN controller is the smallest device in the product line, but it is absolutely enough for organizations with a small number of rooms (shops, offices, small enterprises, etc.). WHG201 can manage 10 access points while implement all the main tasks in modern Wi-Fi networks.

WHG201 provides all of the necessary network services (DHCP, NAT, HTTP proxy, local DNS records, etc.).

WHG201 has two WAN ports (it is possible to configure load balancing on WAN ports), and one of the ports can be configured as a LAN.

There are 4 LAN ports (if one of the WAN ports is configured as a LAN) and a USB port, for software update/backup tasks and save/load configurations.

The controller supports both 802.1X and browser-based user authentication. On-demand accounts can be generated via SMS, E-mail, and the controller can be integrated with PayPal, hotel PMS system, and ticket printer. Besides, there is also a social media login option. Users can be limited by duration with a configurable time of reactivation. Authentication servers (local, on demand, guest, RADIUS, LDAP, NT Domain, SIP, POP3) are also available.

On top of that, the controller can create "service zones" that sort of divide WHG201 into several virtual controllers, and each can have their own settings (user policies, network services and authentication parameters, etc.). It also implies the ability to apply different traffic policies based on the user's location (Service Zone) and access time. For example, the policies used during working hours may differ from the policies applied at the end of the working day. From bandwidth limitation to specific routing rules, network administrators gain exhaustive control over users.

When the controller is first started, you’ll see the initialization panel (setting the time zone, configuring the WAN, changing the password, etc.).
There are lots of settings for the controller, so here we will only mention a few of them.


SYSTEM

Here we see the WAN interface settings. You can set the limits of uplink and downlink bandwidth, if desired.

Each LAN port can be assigned to its Service Zone; the Default zone is used by default. Next, we determine whether the second port as WAN2 or LAN1.

LAN Port Mode regulates how the port will correspond to the service zone. The port can either be port-based or tag-based to the service zone.

This is how the service zones settings table looks like (there are 9 of them, together with the Default one).

On the Service Zone Configuration page, administrators can rename the Service Zone for easier reference, and enable the service zones in their respective operation modes (Router, NAT). On top of that, the administrator can define subnet mask, VLAN, DHCP operation, IP addresses range and authentication method etc.

DEVICES

The controller can manage access points inside and outside the local network (Local Area AP Management (LAPM), Wide Area AP Management (WAPM)). Both modes are similar in the functionalities. In the Wide Area AP Management, the ability to create groups with location maps is added. There are only a few differences in the settings, according to the location of APs in the external network, and namely, the requirement to set parameters (network, certificate, etc.) for the CAPWAP protocol, and the lack of possibility to compare with service zones. For Wide Area AP, the administrators can open the AP user interface directly from the controller user interface.

Furthermore, the administrators can create templates to specify the basic working parameters of the access points.

APs software update and backup, rogue AP detection, and load balancing settings are also available in the cluster. We’ve tested the load balancing by setting the interval as 1 minute, and the number of client as “1”. The cluster consisted of three APs (2xEAP767, 1xEAP727), and since both EAP767 and EAP727 are dual-radio, each AP will be listed on the device list twice. It can be seen that the controller assigned all clients in accordance with the settings, but the distribution doesn’t take place immediately. Each group of clients was firstly connected to one of the AP, and then be distributed afterward.

NETWORK

In the controller network settings tab, we can configure NAT, and three types of network address translation are supported:

• DMZ (Demilitarized Zone) - NAT with DMZ is designed to prevent public servers (WWW, FTP, MAIL) to communicate with the internal network. In case these servers are threatened (hacked or infected by viruses), an external attacker will only have direct access to the equipment in DMZ.

• Public Accessible Servers - Public Accessible Server allows administrators to set virtual servers, so that client devices outside the managed network can access these servers within the managed network.

• Port & IP Forwarding - administrators can set specific sets of the IP addresses for redirection purposes. When a user attempts to connect to a destination IP address listed here, the connection packet will be converted and redirected to the corresponding destination.

Walled Garden - a feature that provides free web surfing areas for clients to access before they are authenticated by the system. Therefore, users without network access rights may still experience actual network service free of charge.

Two types of VPN are available in the system. One is Remote VPN that allows you to create a tunnel between the remote client and the system via PPTP. Another one is Site-to-Site VPN which use the IPSec tunnel to connect to other IPSec-compatible devices over the Internet.

Proxy Server - the system provides a Built-in Proxy Server and an External Proxy Server function.

Local DNS Record - administrators to statically assign Domain Name to IP mappings for all clients connected to the Controller's LAN network.

Dynamic Routing - The system supports three dynamic routing protocols: RIP, OSPF and IS-IS.

The UTILITIES tab contains backup and recovery tools, administrative account settings, certificate management, and the controller software update and reboot. In the Network Utilities, you can execute Ping, Trace Route, and other commands.

In STATUS, respectively, we can access the components and parameters status of controller, interface status, monitor of connected users, logs and reports, DHCP leases, and routing table.

The USERS tab has collected all the access and authentication tools. Users can be grouped together, and each group can have its own authentication type, policies, and service zones. Authentication servers (local, radius, NT domain, LDAP, POP3). Policies integrate firewall configurations, privilege profiles, routing profiles, and so on.

In-depth testing of this equipment wasn’t possible at the time, however, we have checked the commissioning speed and operability of the basic functions available with the WHG201 controller (seamless roaming, failover and load balancing, in the form of customer distribution by access points). Each account was assigned with different policies (access time, concurrent session); all restrictions worked without problems.

Access points’ IP addresses were changed, and CAPWAP protocol was included; everything else was default setting. The controller added all the APs successfully in the local and external forms. We configured the WAN interface on the controller, enabled local DHCP, created accounts, set a limit for their authorization, created a cluster and enabled load balancing.

Clients connected to the network without entering a password, as expected; login credentials were required when the browser was opened.

As we’ve mentioned before, the Load Balancing feature distributed the connected clients according to the specified parameters (one per AP; when the number of clients exceeded the number of APs, the distribution went in a circle).

If the only controller is disabled (for example, its failure), access to the Internet and a set of options dependent on it will be lost, but there will remain a local network and the functionality of the access points.

When simulating an accident failure of one of the APs to which the laptop was connected, the network didn't disappear, yet there was no Wi-Fi reconnection on the laptop, the controller also promptly transferred the client to another working AP. To check the connection lost, we started copying files from the network, downloading a file, watching a video, and pinging the corresponding resource, in parallel. No copying/downloading failure happened, the video didn’t stop, as well. Clearly, the data buffering plays a significant role here, since the ping task still record the loss of one package.

And this is how the monitoring of the two access points activity looked like during testing.

before disconnecting one of the access points

after disconnecting

Alas, the declared transmission speed wasn’ realized, due to the lack of a suitable Wi-Fi adapter on client devices.

Based on our small experiment, we can conclude that the functions we tested are well executed, it seems that the rest works just as well.

4ipnet has created a solid and competitive product, which is quite simple in operation, and has a very wide range of functions, excellent characteristics and indicators.