Configure Magic WAN Connector
Prerequisites
You need to purchase Magic WAN before you can purchase and use the Magic WAN Connector. The Magic WAN Connector can function as your primary edge device for your network, or be deployed in-line with existing network gear.
You also need to purchase a Magic WAN Connector before you can start configuring your settings in the Cloudflare dashboard. Contact your account representative to learn more about purchasing options for the Magic WAN Connector device. After buying a Magic WAN Connector, the device will be registered with your Cloudflare account and show up in your Cloudflare dashboard.
High availability configurations
You can install up to two Magic WAN Connectors for redundancy at each of your sites. If one of your Connectors fails, traffic fails over to the other Connector, so you never lose connectivity to that site.
In this type of high availability (HA) configuration, you will choose a reliable LAN interface as the HA link which will be used to monitor the health of the peer connector. HA links can be dedicated links or can be shared with other LAN traffic.
If you need a high availability configuration for your premises, refer to About high availability configurations for more information.
If you do not need a high availability configuration for your premises, proceed to Configure Cloudflare dashboard settings.
Configure Cloudflare dashboard settings
1. Create a site
Sites represent the local network where you have installed your Magic WAN Connector — for example, a branch office location.
You need to create a site and set up all the settings associated with it before you can connect your Magic WAN Connector to the Internet.
To add a site:
- Log in to the Cloudflare dashboard and select your account.
- Go to Magic WAN > Sites.
- Select Create to create a new site and start the configuration wizard.
- Add a name and description for your new site.
- (Optional) In Site location, you can add the geographical coordinates for your site. If you add geographical coordinates, your site will show up in the Site Analytics overview map.
- Under Connector, select Add Connector. This will show you a list of Magic WAN Connector devices associated with your account. You need to have bought a Connector already for it to show up here. Refer to Prerequisites if no Connector shows in this list.
- If you have more than one Connector, choose the one that corresponds to the site you are creating. Connectors are identified by a serial number, also known as a service tag. Use this information to choose the right Connector. Select Add Connector when you are ready to proceed.
- The Connector will be added to your site with an Interrupt window defined. The interrupt window is the time period when the Magic WAN Connector software can update, which may result in interruption to existing connections. You can change this later. Refer to Interrupt window for more details on how to define when the Connector can update its systems.
- Select Next to proceed to creating your WAN and LAN networks.
Create a POST request using the API to create a site.
Example:
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/sites \
--header 'Content-Type: application/json' \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <API_KEY>' \
--data '{ "site": { "description": "<SITE_DESCRIPTION>", "name": "<SITE_NAME>" }}'
If you created your site successfully, you should receive a message similar to the following:
{
  "result": {
    "site": {
      "id": "<SITE_ID>",
      "name": "<SITE_NAME>",
      "description": "<SITE_DESCRIPTION>",
      "connector_id": null,
      "secondary_connector_id": null,
      "ha_mode": false
    }
  },
  "success": true,
  "errors": [],
  "messages": []
}
Take note of the site id parameter, as you will need it to create WANs and LANs.
2. Create a WAN
- In WAN configuration, select Create. You can create one or more wide area networks (WANs). Configuring multiple WANs will create multiple IPsec tunnels. This allows the Connector to failover between circuits according to their health.
- In Interface name, enter a descriptive name for your WAN.
- Physical interface refers to the physical Magic WAN Connector Ethernet port that you are using for your WAN. The ports are labeled GE1, GE2, GE3, GE4, GE5, and GE6. Choose the number corresponding to the port that you are using in Connector.
- In VLAN ID, enter a number between 0 and 4094 to specify a VLAN ID.
- In Priority, choose the priority for your WAN. Lower numbers have higher priority. Refer to Traffic steering to learn more about how Cloudflare calculates priorities.
- Addressing: Specify whether the WAN IP is fetched from a DHCP server or if it is a static IP. If you choose a static IP, you also need to specify the static IP and gateway addresses.
- Select Save when you are finished.
Create a POST request using the API to create a WAN.
The static_addressing object is optional. Omit it if you are using DHCP. If you are using static addressing, add the secondary_address parameter when your site is in high availability (HA) mode.
Example:
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/sites/{site_id}/wans \
--header 'Content-Type: application/json' \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <API_KEY>' \
--data '{ "wan": { "description": "<YOUR_WAN_NAME>", "physport": 1, "priority": 0, "vlan_tag": 0 }}'
3. Create a LAN
- In LAN configuration, select Create.
- Enter a descriptive name for your LAN in Interface name.
- Physical interface refers to the physical Magic WAN Connector Ethernet port that you are using for your LAN. The ports are labeled GE1, GE2, GE3, GE4, GE5, and GE6. Choose the number corresponding to the port that you are using in Connector.
- In VLAN ID, specify a VLAN ID to create virtual LANs.
- In Static addressing > Static address, give your Connector’s LAN interface its IP address. You can also enable the following options if they suit your use case:
  - This is a DHCP server: If your Connector is a DHCP server.
  - This is a DHCP relay: If your Connector is a DHCP relay.
- (Optional) In Directly attached subnet > Static NAT prefix, enter a CIDR prefix to enable NAT (network address translation). The prefix you enter here should be the same size as the prefix entered in Static addressing. For example, both networks have a subnet mask of /24: 192.168.100.0/24 and 10.10.100.0/24.
- (Optional) If your LAN contains additional subnets behind a layer 3 router, select Add routed subnet under Routed subnets to add them:
  - Prefix: The CIDR prefix for the subnet behind the L3 router.
  - Next hop: The address of the L3 router to which the Connector should forward packets for this subnet.
  - Static NAT prefix: Optional setting. If you want to enable NAT for a routed subnet, supply an “external” prefix for the overlay-facing side of the NAT to use. It must be the same size as Prefix.
  Refer to Routed subnets for more information.
- Select Save.
- Select Save and exit to finish your configuration. Tunnels and static routes will be automatically created and associated with your site once the Magic WAN Connector boots up (refer to the next step).
Create a POST request using the API to create a LAN.
Example:
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/sites/{site_id}/lans \
--header 'Content-Type: application/json' \
--header 'X-Auth-Email: <EMAIL>' \
--header 'X-Auth-Key: <API_KEY>' \
--data '{ "lan": { "description": "<YOUR_LAN_NAME>", "physport": 2, "static_addressing": { "address": "172.16.14.0/24" }, "vlan_tag": 0}}'
Network segmentation
After setting up your LANs, you can configure your Connector to enable communication between them without traffic leaving your premises. Refer to Network segmentation for more information.
DHCP options
Magic WAN Connector supports different types of DHCP configurations. Connector can:
- Connect to a DHCP server or use a static IP address instead of connecting to a DHCP server.
- Act as a DHCP server.
- Use DHCP relay to connect to a DHCP server outside the location your Magic WAN Connector is in.
- Reserve IP addresses for specific devices on your network.
Refer to DHCP options to learn more.
Set up your Magic WAN Connector
Device installation
There are several deployment options for Magic WAN Connector. Connector can act like a DHCP server for your local network, or integrate with your local setup and have static IP addresses assigned to it.
Firewall settings required
If there is a firewall deployed upstream of the Magic WAN Connector, configure the firewall to allow the following traffic:
| Protocol/port | Destination IP/URL | Purpose |
|---|---|---|
| UDP/53 | DNS destination IP 1.1.1.1 | Needed to allow DNS traffic to Cloudflare DNS servers. Cloudflare uses this port for DNS lookups of control plane API endpoints. |
| TCP/443 | - | The Connector will open outbound HTTPS connections over this port for control plane operations. |
| UDP/4500 | Destination IP 162.159.64.1 | Needed for Connector’s initialization and discovery traffic through outbound connections. |
| UDP/4500 | Destination IP - Cloudflare Anycast IPs | Needed for the Cloudflare Anycast IPs assigned to your account for tunnel outbound connections. This traffic is tunnel traffic. |
| TCP/7844, UDP/7844 | Outbound connections | This is for debugging facilities in the Connector. |
| UDP/123 | http://time.cloudflare.com/ | Needed for Magic WAN Connector to periodically contact Cloudflare’s Time Services. |
Activate connector
The Magic WAN Connector is shipped to you deactivated, and will only establish a connection to the Cloudflare network when it is activated. Cloudflare recommends leaving it deactivated until you finish setting it up in the dashboard.
When the Connector is first activated, one of the ports must be connected to the Internet through a device that supports DHCP. This is required so that the Connector can reach the Cloudflare global network and download the required configurations that you set up in the site configuration step.
When you are ready to connect your Magic WAN Connector to the Cloudflare network:
- Log in to the Cloudflare dashboard and select your account.
- Go to Magic WAN > Configuration > Connectors.
- Find the Connector you want to activate, and select the three dots next to it > Edit. Verify the serial number to make sure you are choosing the right Connector.
- In the new window, the Status dropdown will show as Deactivated. Select it to change the status to Activated.
- The Interrupt window is the time period when the Magic WAN Connector software can update, which may result in interruption to existing connections. Choose a time period to minimize disruption to your sites. Refer to Interrupt window for more details on how to define when the Connector can update its systems.
- Select Update.
WAN with a static IP address
After activating your Connector, you can use it in a network configuration based on a static IP address, that is, a network where the Connector’s path to the Internet does not provide DHCP.
To use your Connector on a network configuration with a static IP:
- Wait 60 seconds after activating your Connector.
- Unplug the physical connection to the Internet-connected device which provides DHCP.
- Adjust your physical connections as required to match the configuration specified in the site configuration step (for example, static IP WAN plugged into a physical port with no DHCP connection).
- Power cycle the Connector.
About high availability configurations
When you set up a site in high availability, the WANs and LANs in your Connectors have the same configuration but are replicated on two nodes. In case of failure of a Connector, the other Connector becomes the active node, taking over configuration of the LAN gateway IP and allowing traffic to continue without disruption.
Because Connectors in high availability configurations share a single site, you need to set up:
- Static address: The IP for the primary node in your site.
- Secondary static address: The IP for the secondary node in your site.
- Virtual static address: The IP that the LAN south of the Connector will forward traffic to, which is the LAN’s gateway IP.
Make sure all IPs are part of the same subnet.
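Two addressing rules on this page are easy to get wrong by hand: a Static NAT prefix (on a directly attached or routed subnet, see Create a LAN) must be the same size as the prefix it maps, and the static, secondary static and virtual static addresses of a high availability site must all be part of the same subnet. The functions below are an added example, not Cloudflare code, that check both rules before the values are entered in the dashboard or API. The sample values are constructed from this page's examples; requiring the three HA addresses to be distinct hosts is an assumption added here beyond the page's wording.

```python
"""Check Magic WAN Connector LAN addressing against the rules on this page.

Added example, not Cloudflare code. Rule 1: a Static NAT prefix has the same
prefix length as the prefix it maps. Rule 2: in an HA site the static,
secondary static and virtual static addresses lie in one subnet. Requiring
the three HA addresses to be distinct hosts is an assumption added here.
"""
import ipaddress


def nat_prefix_problems(static_address, nat_prefix):
    """Rule 1, applied to either a directly attached or a routed subnet."""
    lan = ipaddress.ip_interface(static_address).network
    nat = ipaddress.ip_network(nat_prefix, strict=False)
    problems = []
    if lan.version != nat.version:
        problems.append(f"{nat} and {lan} are different IP versions")
    elif lan.prefixlen != nat.prefixlen:
        problems.append(f"NAT prefix {nat} is /{nat.prefixlen} but the LAN "
                        f"prefix {lan} is /{lan.prefixlen}; they must match")
    return problems


def ha_address_problems(static, secondary, virtual):
    """Rule 2 for the primary node, secondary node and LAN gateway (virtual) IPs."""
    named = {"static": ipaddress.ip_interface(static),
             "secondary": ipaddress.ip_interface(secondary),
             "virtual": ipaddress.ip_interface(virtual)}
    problems = []
    subnets = {iface.network for iface in named.values()}
    if len(subnets) != 1:
        detail = ", ".join(f"{k}={v.network}" for k, v in named.items())
        problems.append(f"HA addresses are not in one subnet: {detail}")
    hosts = {iface.ip for iface in named.values()}
    if len(hosts) != 3:
        problems.append("static, secondary and virtual must be three distinct hosts")
    return problems


def lan_addressing_problems(static, nat_prefix=None, secondary=None, virtual=None):
    """Both rules for one LAN; HA checks run only when both HA fields are given."""
    problems = []
    if nat_prefix is not None:
        problems += nat_prefix_problems(static, nat_prefix)
    if secondary is not None and virtual is not None:
        problems += ha_address_problems(static, secondary, virtual)
    elif secondary is not None or virtual is not None:
        problems.append("an HA LAN needs both a secondary and a virtual static address")
    return problems


if __name__ == "__main__":
    # Constructed sample values, taken from the examples on this page.
    print(lan_addressing_problems("192.168.100.1/24", nat_prefix="10.10.100.0/24"))
    print(lan_addressing_problems("192.168.10.1/24", secondary="192.168.10.2/24",
                                  virtual="192.168.10.3/24"))
    print(lan_addressing_problems("192.168.10.1/24", secondary="192.168.11.2/24",
                                  virtual="192.168.10.3/24"))
```

An empty list means the values satisfy both rules; the first two calls in the usage section return an empty list and the third reports that the secondary address sits in a different subnet.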
Create a high availability configuration
You cannot enable high availability for an existing site. To add high availability to an existing site in the Cloudflare dashboard, you need to delete the site and start again.
To set up a high availability configuration:
- Follow the steps in Create a site up until step 4.
- After naming your site, select Enable high availability.
- Under Connector, select Add Connector.
- From the list, choose your first Connector > Add Connector.
- Back on the previous screen, select Add secondary Connector.
- From the list, choose your second Connector > Add Connector.
- Select Next to Create a WAN. If you are configuring a static IP, configure the IP for the primary node as the static address, and the IP for the secondary node as the secondary static address.
- To create a LAN, follow the steps mentioned above in Create a LAN up until step 4.
- In Static address, enter the IP for the primary node in your site. For example, 192.168.10.1/24.
- In Secondary static address, enter the IP for the secondary node in your site. For example, 192.168.10.2/24.
- In Virtual static address, enter the IP that the LAN south of the Connector will forward traffic to. For example, 192.168.10.3/24.
- Select Save.
- From the High availability probing link drop-down menu, select the port that should be used to monitor the node’s health. Cloudflare recommends you choose a reliable interface as the HA probing link. The primary and secondary node’s probing link should be connected over a switch, and cannot be a direct connection.
- Follow the instructions in Set up your Magic WAN Connector and Activate connector to finish setting up your Connectors.
IPsec tunnels and static routes
Magic WAN Connector automatically creates IPsec tunnels and static routes for you. You cannot configure these manually.
To check the IPsec tunnels and static routes created by your Magic WAN Connector:
- Log in to the Cloudflare dashboard and select your account.
- Go to Magic WAN > Sites.
- Select the name of the site for which you want to check the Connector’s IPsec tunnels and static routes, and select Edit.
- Select Tunnels to check IPsec tunnels, and Routes for the static routes.