There are unique internet connectivity challenges on a yacht:
- You're moving....on water!
- Necessity varies by role.
- Speed and capacity vary.
On a yacht, no physical wiring provides a consistent connection. You are
entirely reliant on wireless technologies. Furthermore, internet resources can be scare as your location becomes more remote. In terms of speed and connectivity type, you might be in port with WiFi access, along the coast with 3G/4G/LTE signals, or out on open sea with nothing but VSAT available to you. As you move, these connections may come and go arbitrarily - causing disruption in service. Looking at this another way: not only to connections coma and go; but, when they do, the speed and bandwidth go with them!
The slower the connection, the more contention there typically is. That is often unacceptable to certain audiences. You typically have a varied audience onboard the ship at any given time. The more important the person or persons, the greater the need for availability and speed. Groups may include emergency equipment onboard, the owner(s), VIPs, officers, crew, guests, etc.
Kerio Control is the perfect solution for this industry.
- Firewall, Router, IPS/IDS
- Anti-Virus
- Web & Content Filtering
- QoS
- Usage Reporting
- Secure VPN
- Flexible Deployment
- Simple to use.
Kerio Control excels in:
- User and Device Groupings
- Load Balancing and Traffic Rules
- Three Use-Case Scenarios (VIP on board)
- Drawbacks
- Alternatives
- Rapid Configuration Changes (3rd-Party)
- Bandwidth and Time Management
- Reporting
User and Device Groupings
Using a group approach, everyone needs to identify themselves with a userid and password. An IP Address approach allows you to set up a VLAN, for example, that owners my use at all times. That way, there is easy identification.
 |
| CLICK FOR LARGER IMAGE |
Load Balancing and Traffic Rules
"Per Host" is preferable to "Per Connection" when you have multiple internet links. Otherwise, it can look like you are executing a DoS attack. Destination websites and applications prefer to have client/visitor requests come from the same IP address. If they see multiples (from all three interfaces), they may falsely assume there is an attack underway. Maintain communication through a single link throughout the session using "Per Host" balancing.
 |
| CLICK FOR LARGER IMAGE |
Scenario 1: In port with a VIP present.
With the initial load balancing scheme in Interfaces, the entire audience has five chances to end up on WiFi while at Port - one chance for 3G and one chance for V-SAT. Ideally, you provide VIP’s with WiFi any time it’s present (and reliable) and then balance the load of remaining groups using the weighting scheme within Interfaces.
 |
| CLICK FOR LARGER IMAGE |
Scenario 2: Coastal with VIP Present
When WiFi drops, the previous traffic rule still tries to push VIP traffic through the enabled WiFi VIP Traffic Rule. The Weight of one for both 3G and V-SAT then results in a 50/50 distribution of VIP traffic (WiFi is down). This is because the Traffic Rules are evaluated from top-down and our WiFi rule is a match, so no other rules are evaluated. To force VIP’s through 3G, you have to disable the VIP WiFi rule in Traffic Rules.
 |
| CLICK FOR LARGER IMAGE |
Scenario 3: Open Sea with VIP Present
When both the WiFi and 3G become unavailable, our 3G Traffic Rule is still enabled and tries to force VIP’s through 3G. Interfaces determines that 3G is down and will automatically push VIP traffic to V-SAT (the only available link). In other words, it makes no difference if the VIP WiFi or 3G Traffic Rules are enabled as only one Interface (V-SAT) is active.
 |
| CLICK FOR LARGER IMAGE |
Drawbacks to Scenarios 1 through 3
Because the weighting scheme is still in play for all other traffic (other than VIP’s), you end up with a somewhat undesirable situation where large amounts of Officer & Crew traffic is routed through the most desirable links/interfaces. It may be desirable to fully reserve the desirable link/interface for the highest priority group (VIP’s for example).
 |
| CLICK FOR LARGER IMAGE |
Alternative Solution: Tie Groups to Interfaces
This will push ALL traffic through V-SAT…unless there is a Traffic Rule that specifies otherwise.
 |
| CLICK FOR LARGER IMAGE |
Here, we’ve used Policy-Based-Routing to override the Interface load balancing scheme that routes all traffic through V-SAT and instructed Kerio Control to push VIP Traffic through WiFi (if available) or 3G (if available). Officers, Crew, etc. will NEVER go through WiFi or 3G in this case. Only through V-SAT. VIP’s will ONLY go through V-SAT if the other links are down.
 |
| CLICK FOR LARGER IMAGE |
Example: Rapid Configuration Changes (3rd Party)
I mentioned that it is desirable to disable some traffic rules occasionally when they are forcing specific traffic through an interface which no longer has a reliable Internet connection.
KNAVAL is an iPad app that was developed by a 3rd party (Freelands in Italy). It allows you to rapidly turn interfaces and traffic rules on or off by swiping between up to 4 different modes. Port, Coastline, Open Sea, and Custom. You can see the app in action in the bottom right and the results on the Kerio Control server within the browser window on the left. All configuration changes are initiated from the iPad.
Bandwidth and Time Management
Kerio Control offers other ways to limit or reserve bandwidth on multiple interfaces. Here’s an example of some QoS rules. Rules are evaluated top-down and applied if there’s a match. If no match, the next rule is considered, and so on until the list is exhausted.
To configure this, define the speed of your interfaces, define the type/source of traffic that your rule will apply to, whether you are setting a minimum amount of bandwidth (reserve) or setting a maximum amount of bandwidth (limit) rule, what interfaces does it apply to (all, Wifi, 3G, VSAT, etc.), and during what time (if applicable).
Let’s look at the 2nd rule in detail.
 |
| CLICK FOR LARGER IMAGE |
If there is no traffic from Owners/VIP’s or Officers AND no VPN or Email traffic from any group – even during the Monday & Friday meeting times. The Crew would *could* consume the full bandwidth just watching YouTube videos.
The reservation rules are only enforced if there is actually a contention/demand situation.
 |
| CLICK FOR LARGER IMAGE |
Reporting
This is USER-based reporting rather than device-based. It doesn’t matter if I use one device or 10 devices. All of my traffic will be aggregated into my user profile statistics.
 |
| CLICK FOR LARGER IMAGE |
The Most Innovative Schools ranking identifies “schools that the public should be watching because of the cutting-edge changes being made on their campuses.” It is based on a peer assessment survey in which college presidents, provosts and admissions deans nominate up to 15 colleges or universities “that are making the most innovative improvements in terms of curriculum, faculty, students, campus life, technology or facilities.”
