Edge Configuration
The Configuration page (/edges/:id/config) is where you manage all aspects of an edge's network configuration. Navigate here by clicking Configure on the Edge Detail page.
Changes are not applied immediately. When you modify any configuration section, the changes are staged and the edge is marked as "dirty". You must click Sync Config to push the configuration to the edge. See Syncing Configuration for details.
Configuration Tabs
The configuration page is organized into the following tabs:
Physical Interfaces
View and configure the hardware network ports on the edge:
- Port type — WAN or LAN role assignment
- MTU — Maximum transmission unit size
- Enabled/Disabled — Toggle individual ports
- Link state — Current up/down status
Physical interface configuration is typically set during provisioning via Config Templates and should only be modified with care.
Logical Interfaces
Manage the logical network interfaces built on top of physical ports:
| Field | Description |
|---|---|
| Role | WAN (uplink) or LAN (local network) |
| IP Address | Assigned IP address |
| Subnet | Network prefix length |
| VLAN | VLAN tag (if applicable) |
| DHCP Client | Enable DHCP for automatic IP assignment |
| MSS Clamping | TCP MSS clamping value for tunnel optimization |
Subscriptions
Manage service subscriptions assigned to the edge's logical interfaces. Subscriptions link features (NAT, port forwarding, DHCP, etc.) to specific interfaces.
Static Routes
The routing table for the edge. Each route entry contains:
| Field | Description |
|---|---|
| Destination Network | The target network in CIDR notation (e.g., 10.0.0.0/8) |
| Gateway | The next-hop IP address |
| Interface | The outgoing interface for this route |
| Metric | Route priority (lower values are preferred) |
Click Add Route to create a new static route. Existing routes can be edited or deleted.
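As an added example (not from this documentation or the product's own code), the following Python selects the static route for a destination from entries with the fields in the table above. It assumes standard longest-prefix matching, which the page does not spell out: the metric only breaks ties between routes of equal prefix length. The routes, gateways and interface names are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class StaticRoute:
    destination: str   # target network in CIDR notation, e.g. "10.0.0.0/8"
    gateway: str       # next-hop IP address
    interface: str     # outgoing interface
    metric: int        # route priority, lower is preferred


def select_route(routes, dst_ip):
    """Return the route used for dst_ip, or None if no entry covers it.
    Assumption (standard behaviour, not stated on the page): the most
    specific prefix wins; metric only breaks ties between equal prefixes."""
    ip = ip_address(dst_ip)
    # An IPv6 destination is never contained in an IPv4 prefix, so it simply
    # falls through to None rather than matching the IPv4 default route.
    candidates = [r for r in routes if ip in ip_network(r.destination, strict=False)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ip_network(r.destination, strict=False).prefixlen, r.metric))


# Constructed routing table for illustration.
ROUTES = [
    StaticRoute("0.0.0.0/0", "203.0.113.1", "wan0", 100),  # default route
    StaticRoute("10.0.0.0/8", "10.1.1.1", "lan0", 10),
    StaticRoute("10.20.0.0/16", "10.1.1.2", "lan0", 50),  # more specific, worse metric
    StaticRoute("10.20.0.0/16", "10.1.1.3", "lan1", 20),  # same prefix, better metric
]
```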
ACL
Access Control Lists define traffic filtering rules for the edge. Rules are evaluated in priority order (lowest number first).
Each ACL rule contains:
| Field | Description |
|---|---|
| Priority | Numeric priority determining evaluation order (lower = first) |
| Action | Permit (allow) or Deny (block) |
| Source IP | Source IP address or CIDR range |
| Destination IP | Destination IP address or CIDR range |
| Protocol | IP protocol (TCP, UDP, ICMP, or Any) |
| Source Port | Source port or port range (TCP/UDP only) |
| Destination Port | Destination port or port range (TCP/UDP only) |
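As an added example (not part of this documentation or the product's code), the following Python evaluates a packet against rules carrying exactly the fields in the table above, in ascending priority order. It assumes that the first matching rule decides and that unmatched traffic is denied; neither is stated on this page. The rule set is constructed, and it deliberately includes a permit placed behind a catch-all deny to show how ordering shadows a rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class AclRule:
    priority: int                 # lower number is evaluated first
    action: str                   # "permit" or "deny"
    src: str                      # IP or CIDR, or "any"
    dst: str                      # IP or CIDR, or "any"
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    sport: Optional[str] = None   # "443" or "1024-65535"; TCP/UDP only
    dport: Optional[str] = None

def _ip_match(spec, ip):
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)

def _port_match(spec, port):
    if spec is None:              # no port restriction on this rule
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule, pkt):
    if rule.proto != "any" and rule.proto != pkt["proto"]:
        return False
    if not (_ip_match(rule.src, pkt["src"]) and _ip_match(rule.dst, pkt["dst"])):
        return False
    if pkt["proto"] in ("tcp", "udp"):
        return (_port_match(rule.sport, pkt.get("sport", 0))
                and _port_match(rule.dport, pkt.get("dport", 0)))
    # Port fields apply to TCP/UDP only: a rule that carries ports never matches ICMP.
    return rule.sport is None and rule.dport is None

def evaluate(rules, pkt, default="deny"):
    """First match in priority order wins; `default` for unmatched traffic is an assumption."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.action, rule.priority
    return default, None

# Constructed rule set: rule 200 sits behind the catch-all deny at 100 and can never fire.
RULES = [
    AclRule(100, "deny", "any", "any"),
    AclRule(10, "permit", "10.0.0.0/8", "192.168.1.10", "tcp", None, "443"),
    AclRule(20, "deny", "10.0.5.0/24", "any", "tcp", None, "22"),
    AclRule(5, "permit", "any", "any", "icmp"),
    AclRule(200, "permit", "any", "any", "tcp", None, "80"),
]
```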
Routing Policies
Configure routing policies and traffic classification rules. These work together with service chains to direct traffic through inspection engines.
Gateways
Configure the edge's VPN gateway instances:
wg0 — IoT Gateway
The IoT Gateway provides a hub-and-spoke VPN topology for connecting IoT devices, connectors, and remote sites:
- Server Address — The WireGuard endpoint address (typically the edge's WAN IP)
- Listen Port — The UDP port WireGuard listens on
- MTU — Tunnel MTU setting
- Peers — List of authorized peers with their public keys and allowed IP ranges
wg1 — App VPN
The App VPN provides client-server remote access VPN for end users. Two protocols are supported:
| Protocol | Description |
|---|---|
| WireGuard | High-performance tunneling with Curve25519 key exchange. IP pool: 10.10.0.0/16 |
| IKEv2 | Standards-based IPsec with certificate authentication via StrongSwan. IP pool: 10.11.0.0/16 |
The protocol is configured on the App VPN server settings. When switching protocols, existing VPN client registrations must be re-provisioned.
- Listen Port — UDP port for VPN connections
- DNS — DNS servers pushed to connecting clients
- Allowed IPs — Network ranges accessible through the tunnel
VPN user peers are managed through the VPN Clients section and are automatically added to the wg1 configuration.
Flow Export (IPFIX)
IPFIX (IP Flow Information Export) enables the edge to collect and export network flow data:
- Enable/Disable — Toggle flow data collection
- Collector Address — The IP address and port of the flow collector
- Active Timer — How often active flows are exported
- Inactive Timer — Timeout for idle flow expiration
- Record Layers — L2, L3, and/or L4 data collection
Suricata IDS/IPS
Configure the Suricata intrusion detection and prevention system:
- Enable/Disable — Toggle Suricata on this edge
- Mode — IDS (detect only) or IPS (detect and block)
- Rule sets — Active detection rule categories
Suricata requires a service chain configuration to steer traffic through the inspection engine. See Service Chain below.
Service Chain
Service chains steer traffic through service functions based on DSCP (Differentiated Services Code Point) markings or ACL rules:
- Define DSCP values or ACL matches that trigger service chain processing
- Route matched traffic through Suricata IDS/IPS for inspection
- Traffic not matching any rule passes through normally
SSH Access
Configure the reverse SSH tunnel for remote management:
- Tunnel status — Active or inactive
- Tunnel port — Allocated port on the bastion server
- Host key — Ed25519 host key fingerprint
Key Rotation
Manage WireGuard key rotation for the edge's tunnel instances:
- View current key age and rotation schedule
- Trigger manual key rotation
- View rotation history
Configuration History
Click Config History in the page header to view previous configuration snapshots. Each entry shows the timestamp, user who made the change, and a summary of what was modified.