Before You Begin
- Ensure you have understood the concept of FEC on a CGF/CGW. For more information, see Forward Error Correction (FEC) in TINA Tunnels.
Basic Requirements for Using FEC on a CGF/CGW
- Both peers must operate firewall firmware version 8.2.0 or higher.
- FEC is only available for TINA/UDP tunnels.
- FEC can be configured on both peers of a TINA transport.
- Dynamic Bandwidth Detection must be enabled on the transport.
Each FEC level corresponds to a certain number of repair packets that are added to the UDP data stream. The error correction level must be configured on both peers, but each peer can have a different level.
The maximum size of repair packets is limited and depends on the MTU of the VPN device.
How to Configure Forward Error Correction
The following example describes a scenario with the settings for 2 peers.
Replace these IP addresses so that they match your requirements.
- 1st peer:
  - Public IP: 123.234.0.1
  - LAN IP: 192.168.0.0/24
  - Shared IP for LAN: 192.168.0.1
- 2nd peer:
  - Public IP: 123.234.1.1
  - LAN IP: 192.168.1.0/24
  - Shared IP for LAN: 192.168.1.1
Step 1. Configure FEC on the Transport Level
- Configure Shared Networks and IPs.
  - Go to CONFIGURATION -> Configuration Tree -> Box -> Network -> IP Configuration, section Shared Networks and IPs.
  - Add the local network from the first peer to the list.
- Configure the TINA tunnel.
  - Go to CONFIGURATION -> Configuration Tree -> Box -> Assigned Services -> VPN -> Site-to-Site.
  - Right-click the main view area.
  - Select New TINA tunnel... from the list.
  - In the Basics tab, configure the TINA tunnel according to your requirements.
  - In the SD-WAN - Bandwidth Protection tab, set Dynamic Bandwidth Detection to Active Probing and Passive Monitoring.
  - For FEC level, the recommended standard setting is Medium. Adjust this value to your requirements.
  - In the Local Networks tab:
    - Set Call Direction. At least one of the firewalls must be active. In this example, select Active.
    - Add the IP address of the local network interface: 192.168.0.1.
  - In the Local tab, configure the public IP address: 123.234.0.1
  - In the Remote Networks tab, add the network address of the remote LAN: 192.168.1.0/24
  - In the Remote tab, enter 123.234.1.1
  - In the Identity tab, ensure that there is a public key present.
  - Export the public key to a file.
  - Ensure that you have exported the public key from the complementary peer into a file.
  - In the Peer Identification tab, import the public key from a file exported on the complementary peer.
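The following Python check is an added example, not part of the product or the original page. It validates a hand-written inventory of both peers against the Basic Requirements list and the mirrored tunnel settings from Step 1. The dictionary field names, the key placeholders, the "Passive" and "TCP" values, and the settings shown for the 2nd peer are assumptions made for the example.

```python
import ipaddress

MIN_FW = (8, 2, 0)  # page: both peers need firmware 8.2.0 or higher

def fw_tuple(version):
    # Assumes a dotted numeric version string such as "8.3.1".
    parts = [int(x) for x in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def check_peer(name, p):
    """Per-peer prerequisites from the Basic Requirements list."""
    issues = []
    if fw_tuple(p["firmware"]) < MIN_FW:
        issues.append(f"{name}: firmware {p['firmware']} is below 8.2.0")
    if p["transport"] != "UDP":
        issues.append(f"{name}: FEC is only available for TINA/UDP")
    if not p["dbd_enabled"]:
        issues.append(f"{name}: Dynamic Bandwidth Detection is not enabled")
    if not p["fec_level"]:
        issues.append(f"{name}: no FEC level configured")
    return issues

def check_pair(a, b):
    """Prerequisites plus the mirrored tunnel settings from Step 1."""
    issues = check_peer("peer1", a) + check_peer("peer2", b)
    for ln, l, rn, r in (("peer1", a, "peer2", b), ("peer2", b, "peer1", a)):
        if l["remote_ip"] != r["local_ip"]:
            issues.append(f"{ln}: Remote IP is not {rn}'s public IP")
        nets = [ipaddress.ip_network(n) for n in l["remote_networks"]]
        if not any(ipaddress.ip_address(r["local_net_ip"]) in n for n in nets):
            issues.append(f"{ln}: Remote Networks do not cover {rn}'s local IP")
        if l["imported_key"] != r["own_key"]:
            issues.append(f"{ln}: imported key is not {rn}'s exported key")
    if "Active" not in (a["call_direction"], b["call_direction"]):
        issues.append("no peer has Call Direction set to Active")
    return issues

# Constructed inventory using the page's example addresses; keys are placeholders.
PEER1 = dict(firmware="8.2.0", transport="UDP", dbd_enabled=True, fec_level="Medium",
             call_direction="Active", local_ip="123.234.0.1", remote_ip="123.234.1.1",
             local_net_ip="192.168.0.1", remote_networks=["192.168.1.0/24"],
             own_key="KEY-PEER1", imported_key="KEY-PEER2")
PEER2 = dict(firmware="8.2.0", transport="UDP", dbd_enabled=True, fec_level="Medium",
             call_direction="Passive", local_ip="123.234.1.1", remote_ip="123.234.0.1",
             local_net_ip="192.168.1.1", remote_networks=["192.168.0.0/24"],
             own_key="KEY-PEER2", imported_key="KEY-PEER1")

if __name__ == "__main__":
    for line in check_pair(PEER1, PEER2) or ["all FEC prerequisites satisfied"]:
        print(line)
```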
Step 2a. (optional) Configure FEC on a Session Level for an Access Rule
To use FEC on the session level for an access rule, either configure an existing connection object for FEC or create a new one. In both cases, Error Correction must be set to the same value.
This example assumes that an appropriate connection object is already present.
- Go to CONFIGURATION -> Configuration Tree -> Box -> Assigned Services -> Firewall -> Forwarding Rules -> Connections.
- Click Lock.
- In the main view area, double-click the corresponding connection object.
- The Edit / Create a Connection Object window is displayed.
- In the section SD-WAN VPN Settings, click Edit/Show... .
- In the section Simultaneous Transport Usage, select Forward Error Correction for Error Protection.
- Click OK.
- Click OK.
- Click Send Changes / Activate.
Step 2b. (optional) Configure FEC on a Session Level for an Application Rule
You can override the settings for an application rule by performing the following steps:
- Go to CONFIGURATION -> Configuration Tree -> Box -> Assigned Services -> Firewall -> Forwarding Rules -> Application Rules.
- In the main view area, double-click the application rule that you want to override.
- The window Edit Rule is displayed.
- Select the check box for Change SD-WAN Settings.
- Click the '...' button.
- The SD-WAN Settings window is displayed.
- In the section Simultaneous Transport Usage, select Forward Error Correction for Error Protection.
- Click OK.
- Click Send Changes / Activate.
Step 3. Check the Transport Details for Your Configuration
- Go to VPN -> Site-to-Site.
- Double-click the transport for which you have configured FEC.
- The Transport Details window is displayed.
- In the list, locate the two entries with the name transport_FEClevelIn and transport_FEClevelOut for your peers.