Accessing device behind BR1 using FusionHub

I have a device behind a Peplink Max BR1 cellular router which I’d like to remotely access from anywhere using my laptop. The WAN side of the BR1 is getting a private IP address from Verizon Wireless (VZW). We’d prefer to not pay the money to get a static/public IP address from VZW. I’ve read a number of topics in this forum regarding my requirements (i.e., accessing a device behind a BR1 when the BR1 does not have a static/public IP). One option many forum members have suggested is to run a FusionHub instance on a cloud service (e.g., AWS). The FusionHub instance would have a public IP and my BR1 can create a PepVPN connection to the FusionHub instance.

The question I have is can my laptop connect to the FusionHub instance and then via port forwarding get to the device behind the BR1?

Hi Peter - Welcome to the forum!
When you have a FusionHub hosted in the cloud (try Vultr, it’s $5/month for hosting) and the BR1 connected to it using PepVPN, you will have a static cloud-hosted public IP on the WAN of the FusionHub that you can use in one of two ways for remote access.

  1. Port forwarding from the WAN IP to a LAN IP.
  2. As a VPN server, so you would connect to the FusionHub using L2TP over IPsec or OpenVPN from your laptop / PC / phone, then be able to connect to any LAN-side device as required.

Hope that helps. If you do a search for installing FusionHub on here you’ll find some links to videos I’ve made showing how it’s done.
Kindest,

Martin

2 Likes

Martin,

I followed the steps detailed in your “Setting Up FusionHub on Vultr” video and now have my BR1 talking to my Vultr instance of FusionHub using PepVPN. That’s great!

In terms of remote access to the laptop behind the BR1, I’m trying option #2 you provided in your response. Since I’m able to access the FusionHub instance via IC2 Remote Web Admin, I’m doing everything within IC2. Here’s what I’ve done so far on the FusionHub page:

  1. Choose Network → Remote User Access
  2. Check the Enable box and select L2TP w/ IPSEC
  3. Enter a pre-shared key, username and password
  4. Click Save and Apply Changes

On my MacBook Pro (which is connected to the internet via my ISP) I enter the above information along with the IP address of my vultr instance and then click Connect. The VPN connection seems to be created. But to be honest I’m not sure how to test things. When I enter the LAN IP address of the BR1 (192.168.50.1) the browser says connecting but nothing happens.

Any suggestions what I’m doing wrong?

Thank you.

Peter

Hmm. When you connect successfully over VPN to the FusionHub you should get assigned an IP address by the DHCP server.

If you go to status > speedfusion on the fusionhub does it show your BR1 is connected? Can you see the IP address listed?

Can you ping from the Fusionhub to the LAN IP of the BR1? (using System > Tools | Ping)

2 Likes

Hi Martin,

Here are a few screenshots which I hope will answer your questions.

The first screenshot is taken from FusionHub → Network → DHCP Server.

The second screenshot is taken from Status → Speedfusion I see the following:

Here’s the result of running the Ping tool.

On my MacBook while the VPN connection to the FusionHub is active I ran the command “ifconfig | grep 169”. Below is the result. The IP address 149.28.195.158 is the public IP address of my vultr FusionHub service.

Lastly, here are the results of running ping 192.168.50.1 on my MacBook.

Regards,

Peter

Martin,

I made some progress. On my MacBook Pro I needed to tell the OS which network interface to use for the 192.168.50.1 request. There were two ways of doing this. The first was to change the order of interfaces. The image below shows that the VPN interface takes precedence over the WiFi interface.

The second way is to modify the Advanced Settings of the VPN connection to send all traffic over the VPN connection.

Once I did either of the above steps, I was able to ping 192.168.50.1 and I could point my browser to https://192.168.50.1 and get the login screen for the BR1. Of course, I don’t know the password anymore since IC2 generates it randomly.

Regards,

Peter

1 Like
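An added example, not part of the original posts: a small longest-prefix-match model of the laptop's routing table showing why 192.168.50.1 was unreachable with the tunnel up, and what "send all traffic over the VPN" changes. The interface names (en0, ppp0), the home LAN and VPN client subnets, the /24 mask on the BR1 LAN and the third "static route" table are assumptions made for illustration; the third table goes beyond the thread to show a narrower alternative that keeps other traffic off the tunnel.

```python
import ipaddress

def egress_interface(routes, dest):
    """Return the interface of the most specific (longest-prefix) route covering dest."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def via_tunnel(routes, dests, tunnel="ppp0"):
    """List the destinations that would be sent into the VPN tunnel interface."""
    return [d for d in dests if egress_interface(routes, d) == tunnel]

BR1_LAN_IP = "192.168.50.1"        # from the thread
FUSIONHUB_WAN = "149.28.195.158"   # from the thread
# Constructed values: en0 = WiFi, ppp0 = L2TP tunnel,
# 192.168.1.0/24 = home LAN, 10.8.0.0/24 = address pool handed to VPN clients.

# State in which the browser hung: only the VPN client subnet points at the tunnel,
# so 192.168.50.1 falls through to the default route on WiFi.
BEFORE = [("0.0.0.0/0", "en0"), ("192.168.1.0/24", "en0"), ("10.8.0.0/24", "ppp0")]

# "Send all traffic over VPN": the default route moves to the tunnel, while a host
# route keeps the encrypted tunnel packets themselves on WiFi.
SEND_ALL = [("0.0.0.0/0", "ppp0"), ("192.168.1.0/24", "en0"),
            ("10.8.0.0/24", "ppp0"), (FUSIONHUB_WAN + "/32", "en0")]

# Assumed alternative: keep the WiFi default and route only the BR1 LAN (assumed /24)
# into the tunnel, so unrelated traffic never crosses the FusionHub.
STATIC = BEFORE + [("192.168.50.0/24", "ppp0")]

# 198.51.100.7 is a constructed stand-in for "any other internet host".
PROBES = [BR1_LAN_IP, "198.51.100.7", FUSIONHUB_WAN]

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("send-all", SEND_ALL), ("static", STATIC)):
        print(name, "-> via tunnel:", via_tunnel(table, PROBES))
```
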

Well done! To see the password for the BR1, click the Show All link in the device view on IC2, then click the row of asterisks ***** to see what the password is.

1 Like

Martin,

There were two options you suggested for remotely accessing devices behind the BR1. The first was via VPN. The second was via “Port forwarding from the WAN IP to a LAN IP”. I have the first method working (thanks to your help). I’d like to learn how to implement the second option. Can I do the configuration on the FusionHub web interface on the Network → WAN page (see first screenshot below) or the Network → Firewall page (see second screenshot below)?

Regards,

Peter

Hi Peter,
In fact, neither.

Instead you need Port Forwarding under Network > Inbound Access

Good luck!

1 Like

Hi Martin,

I’m trying to set up exactly the same as Peter on a Windows PC but the WAN to LAN port forwarding doesn’t seem to be working.

I’m getting the below error when trying to connect and I’m seeing nothing on the logs of the BR1 I’m trying to connect to.

Thanks in advance,
Dan

Hello @djm.tech,
Welcome to the Peplink Forum.
Have you worked through this guide?

Make sure you have set the Security settings with Microsoft CHAP Version 2 (MS-CHAP v2) set correctly.
You find the full details within the guide.
Happy to Help,
Marcus

Hi @mldowling

Thanks for this, I’ve just checked and all of my settings are already applied as per the guide you sent.

Including port forwarding setup on the Fusionhub for TCP 1701, UDP 500 and UDP 4500

Dan

Martin, I have created this setup thanks to the video you posted on Vimeo. PepVPN is working between my Fusionhub on Vultr and my BR1.

I am trying to take the next step which is to create an OpenVPN connection to the Fusionhub. This is not working. Is there anything unusual about Vultr with respect to firewalling inbound? I have not created any inbound rules on Vultr. It seems to allow all inbound connections.

thanks,
Dave

Hi Dave.
I expect you don’t have a LAN connection on the Fusionhub (you’ll need that so that DHCP can assign your OpenVPN client with an IP)? In Vultr add a private network to the VM and reboot the fusionhub.

If you do have a LAN / or if that doesn’t work let me know what error you’re seeing.

1 Like

Hi Martin,

Thanks for the reply. I do have a LAN setup on the VM, 10.2.96.0/20. I assigned 10.2.96.1 to the LAN interface. I also have the DHCP server enabled (check box) but did not adjust the IP range on that screen.

OpenVPN is just not answering on port 1194. I am looking at the client side logs (Tunnelblick on Macbook) and it just times out.

Why such a massive subnet?

I have OpenVPN working against a FusionHub on Vultr with no additional settings other than LAN setup. This is currently running 8.0.1 build 1644. I’ll upgrade and test against 8.0.2.

1 Like

Tested against FH running 8.0.2 build 1656 on vultr again - worked as expected.
You might need to log a ticket.

Assume your DHCP range is the same 10.2.96.0/20 subnet right?

2 Likes

I believe I accepted the default. I removed the private network and started over with a /24.

Does the attached screen look correct? Of course I have not filled in the user information.

I checked with Vultr and they are not blocking the OpenVPN port.

This is really weird. I can ping the server from outside. Vultr confirmed 1194 is not a port they would be blocking.

I must have something set up incorrectly that results in 1194 not answering. The OpenVPN server must not be running.

@vronp

Not sure whether you have opened a ticket for this. If you want to verify whether the OpenVPN traffic is reaching the FusionHub, you can perform a packet capture at the FusionHub Web Admin support.cgi page and open the captured files using the Wireshark application to verify whether any traffic for port 1194 is reaching the FusionHub WAN. If you do not see any traffic in the captured logs, that means the traffic is being blocked at the network level.

1 Like
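An added example, not part of the original posts and not Peplink code: the same check done with a script instead of Wireshark, counting packets addressed to port 1194 in a capture file. It assumes the download is a classic pcap file with Ethernet framing (an assumption about the export format); the two captures and their addresses are constructed inline so the script runs offline.

```python
import struct

def frame(proto, sport, dport):
    """Constructed Ethernet/IPv4 frame with a zeroed TCP (6) or UDP (17) header."""
    l4 = struct.pack("!HH", sport, dport) + bytes(16 if proto == 6 else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([203, 0, 113, 10]), bytes([198, 51, 100, 20]))
    return bytes(12) + b"\x08\x00" + ip + l4

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def count_dport(pcap, port=1194):
    """Count IPv4 TCP/UDP packets in a classic pcap whose destination port is `port`."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    hits, off = {"udp": 0, "tcp": 0}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        pkt = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue  # skip anything that is not IPv4 over Ethernet
        l4 = pkt[14 + (pkt[14] & 0x0F) * 4:]  # skip the IP header (IHL is in 32-bit words)
        if pkt[23] in (6, 17) and len(l4) >= 4:
            if struct.unpack("!H", l4[2:4])[0] == port:
                hits["udp" if pkt[23] == 17 else "tcp"] += 1
    return hits

def verdict(hits):
    """Apply the post's reasoning: no packets captured means they were dropped upstream."""
    if hits["udp"] + hits["tcp"] == 0:
        return "no traffic reached the WAN: blocked before the FusionHub"
    return "traffic reached the FusionHub WAN"

# Constructed captures: one where the client's packets arrive, one where they do not.
ARRIVING = build_pcap([frame(17, 50000, 1194), frame(6, 50001, 443), frame(17, 50000, 1194)])
SILENT = build_pcap([frame(17, 50002, 4500), frame(6, 50001, 443)])

if __name__ == "__main__":
    print(verdict(count_dport(ARRIVING)), "|", verdict(count_dport(SILENT)))
```
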