wanctl Control Plane

This document describes the role of wanctl, an internal control plane used to adapt WAN routing and traffic steering behavior based on observed network conditions.

wanctl augments static routing and policy configuration; it does not replace them.

Design principles: see Lab Philosophy.

Purpose

The purpose of wanctl is to:

• Improve latency consistency under variable WAN conditions
• React to congestion and degradation faster than manual intervention
• Preserve deterministic behavior during normal operation

It exists to handle exceptional conditions, not to continuously optimize the network.

Control Plane Model

wanctl operates as a centralized, external control plane.

• It observes network conditions
• It makes bounded decisions
• It applies targeted configuration changes via RouterOS APIs

There is no distributed state, peer coordination, or autonomous routing logic.

Scope of Authority

wanctl is permitted to modify only the following:

Policy Routing

• Enabling or disabling predefined routing tables
• Adjusting route preferences and selection
• Steering selected traffic classes between WANs

All routing primitives are defined statically ahead of time.

Traffic Shaping Parameters

• Adjusting CAKE shaper rates per WAN
• Enabling or disabling shaping profiles
• Responding to congestion by reducing effective bandwidth

wanctl does not alter QoS classification rules.

Explicit Non-Authority

wanctl is explicitly not allowed to modify:

• Firewall filter rules
• NAT rules
• VLAN definitions
• IP addressing
• Inter-VLAN policy
• Wireless or switching configuration

Security boundaries remain static and operator-defined.

Decision Inputs

wanctl bases decisions on a limited set of signals:

• Latency and jitter measurements
• Packet loss indicators
• Queue depth and congestion signals
• Link availability

No single metric is treated as authoritative.

Safety Boundaries

Several safeguards are intentionally enforced:

• All changes are reversible
• Upper and lower bounds are enforced on shaper values
• Fail-safe behavior defaults to static configuration
• Manual override is always possible

In the absence of valid input, wanctl takes no action.

Relationship to Routing Strategy

The network remains fundamentally static-routed.

wanctl operates within this framework by selectively activating or deactivating predefined policy paths rather than computing routes dynamically.

This avoids introducing routing instability or control-plane feedback loops.

Relationship to Monitoring

Monitoring systems observe both:

• Network behavior
• wanctl actions and decisions

Monitoring does not feed back into wanctl automatically.

All closed-loop behavior is intentional and bounded.

Failure Characteristics

Failure of wanctl results in:

• Continued operation using last known good configuration
• No loss of basic connectivity
• No security boundary changes

The control plane is additive, not required, for baseline functionality.

Current Status

wanctl is actively used in production.

Its scope is intentionally limited while behavior and confidence mature.

Future enhancements will prioritize observability and safety over increased automation.

Design Notes

• wanctl adjusts behavior, not policy
• Static intent precedes dynamic response
• Control is centralized and auditable
• Automation is constrained by design

Related Documentation

• Edge & Traffic Policy — WAN connectivity and traffic management philosophy
• NetBox as Source of Truth — Network intent modeling

This document applies to all current and future WAN control mechanisms unless explicitly stated otherwise.