========================
Configuring private WAN
========================

Perform these steps to configure PWAN in your environment.

#. Verify that external firewalls are configured to allow traffic
   between aggregators and PWAN routers—see `Network
   integration. <../../administration/network-integration.html>`__
#. `Provision aggregators <../../aggregators/provisioning-aggregators.html>`__
   if new aggregators are to be used.
#. `Provision one or two PWAN
   routers <provisioning-routers.html>`__ at each routing group.
   A single PWAN router will provide full functionality, but two PWAN routers
   will provide high availability for spaces with bonds running at that routing
   group.

After following these steps, you can proceed to the testing steps below.

Testing private WAN
--------------------

The following test can be performed to verify that private WAN is
functional in a new environment.

#. Set up a test space with two bonds, configured as follows:

   a. Bond A with connected IP 192.168.1.1/24, one DHCP leg (or whatever
      other legs you want; this doesn't really matter)
   #. Bond B with connected IP 192.168.2.1/24, one DHCP leg (or
      whatever), on the same aggregator as Bond A

#. Enable private WAN and configure an gateway on the space. The most
   simple gateway configuration is to specify a single public IP address
   (it must be available to route to the PWAN router, and needs to be
   part of an allocation and be delegated to the space) and enable SNAT.
   This will NAT outbound traffic to the specified IP address.
#. Provision the bonds on bonders—either real hardware bonders, or
   virtualized bonders—even just two
   `VirtualBox <https://www.virtualbox.org/>`__ or similar guests on
   your workstation.
#. Verify that the two bonders can ping each other when they are on the
   same aggregator:

   a. Test that Bond A can ping Bond B, with this command on Bonder A's
      command line:
      ``ping 192.168.2.1 -I 192.168.1.1``
   #. Test that Bond B can ping Bond A, with this command on Bonder B's
      command line:
      ``ping 192.168.1.1 -I 192.168.2.1``

#. Move Bond B to a different aggregator than Bond A, but in the same
   routing group, and repeat the tests in 4a and 4b above. This shows
   that bonders can ping each other when on different aggregators as
   traffic is being routed through the PWAN router.
#. Verify that Bond A gets Internet access via the PWAN router and the
   default gateway configured for the space:
   ``wget icanhazip.com -O - -q --bind-address 192.168.1.1``
   This prints the IP address that Internet hosts see traffic from the
   PWAN hosts coming from—for example, the NAT IP address configured
   for the gateway.
#. Move Bond B to an aggregator in a different routing group and repeat
   the tests in 4a and 4b above. This shows that bonders can ping each
   other when on different aggregators in different routing groups.

If the above tests are successful, the PWAN environment is working
properly.
