Creating a Config Template
Navigate to Equipment > Config Templates and click Create Template (or click Edit on an existing custom template). The template editor is organized into sections described below.
Basic Information
| Field | Required | Description |
|---|---|---|
| Template Name | Yes | A descriptive name (e.g., "Branch Office - DPDK") |
| Edge Model | — | Read-only. Currently only "VSR1000" is supported |
| Description | No | Optional notes about the template's purpose |
| Set as Default | No | Check to make this the default template for the edge model |
Physical Interfaces
Configure the hardware ports available on the edge device. For a VSR1000, ports G0 through G6 are available.
| Column | Description |
|---|---|
| Port | Hardware port name (G0, G1, etc.) — read-only |
| Type | Ethernet (default), WiFi, or LTE |
| Enabled | Toggle the port on or off |
| MTU | Maximum Transmission Unit (default: 1500) |
| Description | Optional label (e.g., "WAN Uplink", "LAN Segment A") |
By default, G0 (WAN) and G1 (LAN) are enabled. Additional ports are disabled until you need them.
Logical Interfaces
Logical interfaces map to physical ports and define IP addressing and roles. Click Add Interface to create entries.
| Field | Required | Options / Notes |
|---|---|---|
| Name | Yes | Descriptive name (e.g., "WAN-Ethernet", "LAN-Subnet") |
| Type | Yes | Routed, Bridged, or Internal |
| Role | Yes | WAN, LAN, Loopback, or MGMT |
| Physical Port | No | Which hardware port this maps to (not needed for Loopback) |
| VLAN ID | No | 1–4094 for VLAN sub-interfaces |
| IPv4 / CIDR | No | Static IP (e.g., 192.168.1.1/24). Leave empty for DHCP |
| Gateway | No | Default gateway IP |
| MTU | No | Override the physical port MTU |
| MSS | No | TCP MSS clamping value (e.g., 1046 for tunneled traffic) |
| DHCP Client | No | Enable to auto-assign IP via DHCP instead of static |
| Description | No | Optional notes |
Most edges need at least two logical interfaces: one WAN (with DHCP or static IP + gateway) and one LAN (with a static IP for the local subnet).
Static Routes
Define routing table entries. Click Add Route to create entries.
| Field | Required | Notes |
|---|---|---|
| Destination IP | Yes | Network address (e.g., 10.0.0.0) |
| Mask (CIDR) | Yes | Prefix length (e.g., 24) |
| Next Hop IP | No | Gateway for this route |
| Interface | No | Outbound logical interface (dropdown) |
| Metric | No | Route preference (lower = preferred) |
| Enabled | — | Toggle on/off |
SNAT Rules
Source NAT translates outbound traffic from internal addresses to the WAN IP. Click Add SNAT Rule.
| Field | Required | Notes |
|---|---|---|
| Name | Yes | Rule identifier (e.g., snat-lan) |
| Type | Yes | Currently "Masquerading" only |
| Source Network | No | CIDR of traffic to translate (e.g., 192.168.1.0/24) |
| Translated IP | No | Leave empty for masquerading (uses outgoing interface IP) |
| Outgoing Interface | Yes | WAN logical interface (dropdown) |
| Description | No | Optional notes |
DNAT Rules (Port Forwarding)
Destination NAT forwards incoming traffic on a public IP:port to an internal server. Click Add DNAT Rule.
| Field | Required | Notes |
|---|---|---|
| Name | No | Rule identifier |
| Protocol | Yes | TCP or UDP |
| Public IP | Yes | External-facing IP address |
| Public Port | Yes | External-facing port number |
| Private IP | Yes | Internal server IP |
| Private Port | Yes | Internal server port |
| Interface | No | Incoming logical interface (dropdown) |
DNAT works best when the internal server is behind the LAN interface (different L2 subnet from the WAN). Same-subnet DNAT has limitations due to asymmetric routing.
IoT Gateway (wg0)
The WireGuard IoT gateway provides encrypted tunnels for IoT devices. Toggle Enable to configure.
| Field | Default | Notes |
|---|---|---|
| Listen Port | 51820 | UDP port for WireGuard |
| Server Address (CIDR) | 10.200.0.1/24 | IP pool for IoT clients |
| MTU | 1420 | Tunnel MTU |
Peers are managed per-edge after provisioning — the template sets the server-side tunnel parameters.
App VPN (wg1)
The App VPN provides remote access for users and devices. Toggle Enable to configure.
| Field | Default | Notes |
|---|---|---|
| Tunnel Protocol | WireGuard | Choose WireGuard or IKEv2 |
| Listen Port | 51821 | UDP port (disabled for IKEv2 — uses standard ports) |
| Server Address (CIDR) | 10.10.0.254/16 (WG) / 10.11.0.0/16 (IKEv2) | Auto-adjusts based on protocol |
| DNS Server | 8.8.8.8 | DNS pushed to VPN clients |
| MTU | 1420 | Tunnel MTU |
- WireGuard: Lightweight, high performance. Clients use WireGuard protocol.
- IKEv2: Standards-based IPSec. Native support on macOS, iOS, Windows without third-party apps. Certificates are generated automatically when enabling IKEv2.
SSH Remote Access
Toggle Enable to provision a reverse SSH tunnel for remote management. A unique port is allocated per-edge automatically.
No additional configuration is needed — the tunnel connects through the SSH bastion host and allows authenticated access to the edge for diagnostics and troubleshooting.
IPFIX / Flowprobe
Flow export sends network flow data to a collector for traffic analysis. Toggle Enable to configure.
| Field | Default | Notes |
|---|---|---|
| Collector Address | 169.254.1.2 | IPFIX collector IP (typically the edge's local collector) |
| Collector Port | 4739 | IPFIX standard port |
| Template Interval | 20 sec | How often to re-send flow templates |
| Active Timer | 60 sec | Timeout for active flows |
| Passive Timer | 120 sec | Timeout for idle flows |
| Record L2 | Off | Include Layer 2 (MAC) information |
| Record L3 | On | Include Layer 3 (IP) information |
| Record L4 | On | Include Layer 4 (TCP/UDP port) information |
Monitored interfaces are configured per-edge after provisioning.
BGP Configuration
Toggle Enable BGP to set up Border Gateway Protocol for dynamic routing.
| Field | Required | Notes |
|---|---|---|
| AS Number | Yes | Autonomous System number (e.g., 65000) |
| Router ID | No | Typically the edge's loopback or WAN IP |
BGP neighbors are configured automatically via E2E Peering, not in the template. The template only sets the AS number and router ID.
DHCP Pools
Define DHCP address pools for LAN clients. Click Add DHCP Pool.
| Field | Required | Notes |
|---|---|---|
| Pool Name | Yes | Identifier (e.g., dhcp-pool-lan) |
| Interface | Yes | LAN logical interface (dropdown) |
| Enabled | — | Toggle on/off |
| Start IP | Yes | First IP in the pool (e.g., 192.168.1.100) |
| End IP | Yes | Last IP in the pool (e.g., 192.168.1.200) |
| Gateway | No | Default gateway pushed to clients |
| DNS Servers | No | Comma-separated (e.g., 8.8.8.8, 8.8.4.4) |
| Lease Time | No | Seconds (default: 86400 = 24 hours) |
Saving
Click Save Template to save your changes. The template is immediately available for provisioning new edges.
To use an existing template as a starting point, go back to the template list and click Duplicate on any template (including system templates).