Get a Demo
Contact Us

SD-WAN Network Architecture

A full-stack view of Nepean Networks’ SD-WAN architecture β€” from customer CPE through cloud firewalls to the global management plane.
Click any node to explore its capabilities.

Antares Management Plane SD-WAN Edge Routers SecureConnect Firewall CPE / SD-WAN Nodes Customer Sites
Partner Space β€” Multi-Tenant SD-WAN
Routing Group A β€” e.g. Australia Β· Singapore Β· Japan
⬆ internet gateway
Routing Group B β€” e.g. US East Β· US West Β· Europe
⬆ internet gateway
⬑ full mesh
🌐
Internet
πŸ”₯
Cloud Firewall A
OPNsense Β· Clavister Β· FGT
// internet gateway Β· APAC
πŸ”₯
Cloud Firewall B
OPNsense Β· Clavister Β· FGT
// internet gateway Β· US/EU
⚑
SD-WAN Edge Router A1
Sydney PoP
// agg-a1.au
⚑
SD-WAN Edge Router A2
Singapore PoP
// agg-a2.sg
⚑
SD-WAN Edge Router B1
Dallas / NYC PoP
// agg-b1.us
⚑
SD-WAN Edge Router B2
EU / Amsterdam PoP
// agg-b2.eu
πŸ–₯️
Antares Management
Server
ZTP Β· NOC Β· Alerting Β· SSO
// management plane
Last-Mile ISP Links β€” NBN Β· 4G/5G Β· Fibre Β· DSL Β· Satellite
πŸ“¦
Nepean SD-WAN Node
Site A
Juggler Β· Illuminate Β· ZTP
πŸ›‘οΈ Firewall VM (optional)Clavister Β· pfSense Β· OPNsense Β· MikroTik Β· OpenWrt
// Head Office  Β·  β–Ά click
πŸ“¦
Nepean SD-WAN Node
Site B
QoS Β· Per-pkt Β· Compression
πŸ›‘οΈ Firewall VM (optional)Clavister Β· pfSense Β· OPNsense Β· MikroTik Β· OpenWrt
// Branch Office  Β·  β–Ά click
πŸ“¦
Nepean SD-WAN Node
Site C
SD-WAN Β· /32 IP Β· Bi-dir QoS
// Intl Branch  Β·  β–Ά click
πŸ“¦
Nepean SD-WAN Node
Site D
GDPR Β· SD-WAN Β· Failover
// EU Branch  Β·  β–Ά click
πŸ–₯οΈπŸ’»πŸ“±
LAN Devices
// LAN β€” Site A
πŸ–₯οΈπŸ’»πŸ“±
LAN Devices
// LAN β€” Site B
πŸ–₯οΈπŸ’»πŸ“±
LAN Devices
// LAN β€” Site C
πŸ–₯οΈπŸ’»πŸ“±
LAN Devices
// LAN β€” Site D
Traffic Flow
Internet egress
FW gateway
Management / control
Full mesh (Agg ↔ Agg)
Bonded SD-WAN tunnel
Customer / LAN edge
Node Types
Cloud Firewall (GW)
Aggregation Server
Nepean SD-WAN Node
Firewall VM (inside node)
Customer LAN
πŸ“¦
Nepean SD-WAN Node
// Debian Β· OpenSUSE Β· x86 Β· ARM
πŸ”Secure Connect
  • Remote access to upstream devices (modems, routers, ONTs)
  • Access downstream LAN devices β€” printers, VoIP phones, cameras
  • RDP / VNC to workstations & servers without VPN client
  • Browser-based terminal, no agent required on target device
  • Session logging & audit trail per user
πŸ’»SSH Terminal Access
  • Full in-browser SSH to the SD-WAN node via Antares
  • No inbound firewall rules or public IP required
  • Role-based access β€” MSP vs customer permissions
  • Restricted shell mode for read-only diagnostics
  • Run diagnostic commands: ping, traceroute, iftop, tcpdump
⚑Sub-Second Failover
  • Bonds 2–4 ISP legs simultaneously (active-active)
  • <300ms detection & re-routing on link failure
  • Per-packet load balancing across all live legs
  • Automatic leg weighting by latency & loss
  • Red-Blue tree packet reordering for smooth failover
πŸ”€Advanced Routing
  • SD-WAN private mesh β€” direct site-to-site without internet
  • Policy-based routing by application, DSCP, or source IP
  • QoS β€” bi-directional traffic shaping & prioritisation
  • VLAN support β€” multiple LAN segments per node
  • Static, OSPF & BGP peering support
  • Elastic /32 public IP per site via SD-WAN Edge Router NAT
πŸ›‘οΈOptional Firewall VM β€” Deployed & Managed via Antares
Clavister pfSense OPNsense MikroTik OpenWrt + more
  • Runs inside the node via QEMU/KVM β€” no extra hardware
  • Zero-touch deploy from Antares β€” no truck roll
  • NAT, VLAN segmentation, stateful inspection
  • IDS/IPS, captive portal, DNS filtering
  • Full remote lifecycle: deploy, configure, upgrade
  • Physical firewall also supported downstream of node
πŸ”Illuminate β€” Deep Packet Inspection
  • Real-time application & protocol classification
  • Per-application bandwidth usage breakdown
  • Top talkers β€” by host, IP, application
  • Historical DPI data retention & trend graphs
  • Exportable reports for customer visibility
πŸ””Alerts β€” DPI & Connection
  • DPI-based alerts β€” unusual application behaviour
  • Bandwidth threshold alerts per application or total
  • Link down / leg failure alerts (email, webhook)
  • High latency & packet loss threshold alerts
  • Customisable per-tenant alert rules in Antares
πŸ“‘Broadband Circuit Telemetry
  • Per-leg latency, jitter & packet loss β€” live & historical
  • Real-time throughput per ISP circuit
  • MOS score tracking for VoIP quality monitoring
  • Leg state: active, degraded, failed, standby
  • ISP-level outage detection & duration logging
  • 95th percentile bandwidth reporting for billing

Register to Read