A full-stack view of Nepean Networks’ SD-WAN architecture — from customer CPE through cloud firewalls to the global management plane.

Architecture diagram layers: Antares Management Plane · SD-WAN Edge Routers · SecureConnect Firewall · CPE / SD-WAN Nodes · Customer Sites

Partner Space — Multi-Tenant SD-WAN
  • Routing Group A — e.g. Australia · Singapore · Japan (internet gateway)
  • Routing Group B — e.g. US East · US West · Europe (internet gateway)
  • Full mesh

🌐 Internet

🔥 Cloud Firewalls (OPNsense · Clavister · FGT)
  • Cloud Firewall A: internet gateway · APAC
  • Cloud Firewall B: internet gateway · US/EU

SD-WAN Edge Routers
  • SD-WAN Edge Router A1: Sydney PoP (agg-a1.au)
  • SD-WAN Edge Router A2: Singapore PoP (agg-a2.sg)
  • SD-WAN Edge Router B1: Dallas / NYC PoP (agg-b1.us)
  • SD-WAN Edge Router B2: EU / Amsterdam PoP (agg-b2.eu)

🖥️ Antares Management Server (management plane)
  • ZTP · NOC · Alerting · SSO

Last-Mile ISP Links — NBN · 4G/5G · Fibre · DSL · Satellite

📦 Nepean SD-WAN Nodes
  • Site A (Head Office): Juggler · Illuminate · ZTP, with optional Firewall VM (Clavister · pfSense · OPNsense · MikroTik · OpenWrt)
  • Site B (Branch Office): QoS · Per-pkt · Compression, with optional Firewall VM (Clavister · pfSense · OPNsense · MikroTik · OpenWrt)
  • Site C (Intl Branch): SD-WAN · /32 IP · Bi-dir QoS
  • Site D (EU Branch): GDPR · SD-WAN · Failover

🖥️💻📱 LAN Devices
  • LAN — Site A
  • LAN — Site B
  • LAN — Site C
  • LAN — Site D

Traffic Flow
  • Internet egress
  • FW gateway
  • Management / control
  • Full mesh (Agg ↔ Agg)
  • Bonded SD-WAN tunnel
  • Customer / LAN edge

Node Types
  • Cloud Firewall (GW)
  • Aggregation Server
  • Nepean SD-WAN Node
  • Firewall VM (inside node)
  • Customer LAN

📦 Nepean SD-WAN Node (Debian · OpenSUSE · x86 · ARM)
🔐 Secure Connect
  • Remote access to upstream devices (modems, routers, ONTs)
  • Access downstream LAN devices — printers, VoIP phones, cameras
  • RDP / VNC to workstations & servers without VPN client
  • Browser-based terminal, no agent required on target device
  • Session logging & audit trail per user
💻 SSH Terminal Access
  • Full in-browser SSH to the SD-WAN node via Antares
  • No inbound firewall rules or public IP required
  • Role-based access — MSP vs customer permissions
  • Restricted shell mode for read-only diagnostics
  • Run diagnostic commands: ping, traceroute, iftop, tcpdump
Sub-Second Failover
  • Bonds 2–4 ISP legs simultaneously (active-active)
  • <300ms detection & re-routing on link failure
  • Per-packet load balancing across all live legs
  • Automatic leg weighting by latency & loss
  • Red-Blue tree packet reordering for smooth failover
🔀 Advanced Routing
  • SD-WAN private mesh — direct site-to-site without internet
  • Policy-based routing by application, DSCP, or source IP
  • QoS — bi-directional traffic shaping & prioritisation
  • VLAN support — multiple LAN segments per node
  • Static, OSPF & BGP peering support
  • Elastic /32 public IP per site via SD-WAN Edge Router NAT
🛡️ Optional Firewall VM — Deployed & Managed via Antares
Clavister · pfSense · OPNsense · MikroTik · OpenWrt + more
  • Runs inside the node via QEMU/KVM — no extra hardware
  • Zero-touch deploy from Antares — no truck roll
  • NAT, VLAN segmentation, stateful inspection
  • IDS/IPS, captive portal, DNS filtering
  • Full remote lifecycle: deploy, configure, upgrade
  • Physical firewall also supported downstream of node
🔍 Illuminate — Deep Packet Inspection
  • Real-time application & protocol classification
  • Per-application bandwidth usage breakdown
  • Top talkers — by host, IP, application
  • Historical DPI data retention & trend graphs
  • Exportable reports for customer visibility
🔔 Alerts — DPI & Connection
  • DPI-based alerts — unusual application behaviour
  • Bandwidth threshold alerts per application or total
  • Link down / leg failure alerts (email, webhook)
  • High latency & packet loss threshold alerts
  • Customisable per-tenant alert rules in Antares
📡 Broadband Circuit Telemetry
  • Per-leg latency, jitter & packet loss — live & historical
  • Real-time throughput per ISP circuit
  • MOS score tracking for VoIP quality monitoring
  • Leg state: active, degraded, failed, standby
  • ISP-level outage detection & duration logging
  • 95th percentile bandwidth reporting for billing
