Balance 20X, SpeedFusion Cloud, and DDNS

All the DDNS posts seem to be a bit old, and I have to believe my understanding of SFC is a bit off. So here are my assumptions, and my situation.

I assumed SFC provides Hot Failover for two internet connections (Satellite and cellular for me) and maintains session stability, meaning instead of switching IP addresses in failover my connection to remote things (servers) remains up and functioning. After reading for the DDNS piece, I’m beginning to question this assumption.

I have a server that has access control for inbound connections. So I need to be able to list my IP/dns name for that access control. Originally I assumed the SFC connection would give me that address, but it does not.

Then I found “Find My Peplink” and thought THIS would do it for sure. I turned on Find My Peplink for my device. I see (device).mypep.link in nslookups now.

I also see in the InControl Wan panels dns names for my links, wan.(device).mypep.link and cellular.(device).mypep.link. These do not resolve in nslookup, however.

I also see ic2-detected.(device).mypep.link, that is the same as (device).mypep.link. This one does resolve in nslookup.

However, to solve my server access control problem, none of these addresses are what is shown by myip.com or what my server sees attempting to access it. My server and myip.com agree on what my IP address is to the outside world.

So, my questions are:

  1. Does SFC maintain sessions during failover?

  2. If it does, how does it do that since the SFC IP address seems to matter not at all?

  3. If it doesn’t, how is it better than failover on the router itself?

  4. Why does InControl show me DNS names for things that don’t resolve?

  5. Why are none of these IP addresses the IP address that is actually presented to the Internet?

Thanks for helping me understand!

-Michele

Yes - so long as you are using it of course. Traffic from LAN side devices has to be told to go via the SFC connection - otherwise it will just be load balanced over your available WAN links.

The SFC hosted IP address doesn’t change. If you send LAN device traffic via SFC over multiple connections when one or the other fails your traffic continues to flow over the available link and the public IP address (in the SFC server) does not change even when your WAN links do.

The ones that don’t resolve for you have private IP addresses that do not accept inbound traffic and you have Resolve Private IP Address turned off.

I explain this a bit in this video at the beginning: Setting Up FusionHub on Vultr – Martin Langmaid – SDWAN Architect

The reason is that the public IP(s) that you are actually using does not belong to any device you have with you - it is instead a NAT router owned by your ISP. When you use SFC it becomes the IP of the SFC service - which is also a shared IP.

SFC does not allow inbound traffic to its public IP. If you want to have that you need to host your own FusionHub (free license, $5/month for 1TB of traffic on Vultr - hence the video above).

I would suggest you confirm that you are using the SFC connection, access https://www.whatismyip.com/ when you are sure and confirm that you are using an IP that doesn’t belong to your current ISPs. You can then use the SFC IP for the IP authentication requirement on the server with access control.


Thank you so much for the answers. I appreciate the time you took to respond, and watched the beginning of your video. I don’t need inbound traffic, just that I can tell the server what IP to expect me from, either as a true IP address or a DNS name.

We have two SFC connections, one for our work computers with no bonding, smoothing, or FEC checked (we just want our sessions not to die during the failover and back), and a second that is WAN smoothing specifically for Zoom and Microsoft 365 applications.

On the Status → SpeedFusion screen, I can see the SpeedFusion Cloud connections for both profiles, Work Computers and WAN Smoothing.

I am confused that when I go into the SpeedFusion Cloud → SFC Profile the Enable box is NOT checked. But I see that they’re up, and no amount of checking, saving, applying makes the Enable box checked when I go back in. shrug I am assuming because I see SF in the Status screen, and in the InControl screen, that it is working.

I can see from my work computer using https://whatismyipaddress.com that the IP address is not from the satellite provider or the cellular provider, but a Digital Ocean IP. I’m assuming DO is a provider Peplink uses for SFC, and that’s why DO addresses are seen as my IP address.

I see in the Event Log the connections being initiated to the DO address I see in whatismyip, so I feel good that my traffic is flowing through the SFC, and that I know what my public IP is at the moment.

That IP has changed each day, as has the location in which it originates. This makes it difficult to use the public facing IP in my access control, as it keeps changing.

  1. Is this changing IP address because we’re still configuring the router, and the SFC gets a different IP at each startup?
  2. In my SFC setup, should I choose specific cloud locations instead of Automatic? Will this keep my IP stable?
  3. What is the 206.214.xx.xx address I see in InControl, that is provided in DNS for (device).mypep.link? This DNS isn’t useful for access control because it’s not the IP address my server sees.
  4. If the SFC public facing IP address can’t be counted on to remain the same, is there some other way to get the public IP address into a DDNS config to allow access control to the server? I would have thought the InControl mypep.link DNS might do this for me, but I can’t find it if it does.

I really appreciate the help.

-Michele

Yes, that’s right.

One way round this is to host your own using Vultr as per my video.

I suspect that every time your device creates a SFC connection it gets load balanced across the available SFC connections and so changes.

Automatic should use geoip to pick the closest region to you, but each region has multiple SFC servers so it will unlikely improve your situation much.

(device).mypeplink.com returns the IP addresses of your healthy WAN links. By default it ignores private addresses. 206.214 is a WAN IP of yours most likely.

The ic2-detected.mydevice.mypep.link ddns entry shows the public IP detected on traffic sent to IC2. I just tried forcing mine via a SFC connection but it didn’t update the DDNS entry to show the SFC public IP, I’ll try again later.

I would use a 3rd party DDNS service I think - one like https://www.noip.com/ which has a software client you can run on your laptop which is routed via the SFC connection that does the IP update on your behalf.

I can’t find a way to get dynamic DNS for the SFC connections at this time.
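The server-side half of the DDNS approach suggested above, as an added example that is not part of the original thread: the access-controlled server periodically resolves the client's DDNS name and reconciles its allowlist, refusing private or carrier-NAT answers because those can never be the address the server sees. The function names, the hostname, the one-address limit and the list of non-public ranges are assumptions for illustration; the sample addresses in the usage are constructed from documentation ranges.

```python
import ipaddress
import socket

# Assumed policy: ranges that cannot be the peer address seen across the Internet.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # RFC 6598 carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]     # loopback, link-local, unspecified


def resolve(hostname):
    """Return the set of addresses the DDNS name currently resolves to."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def usable(addr):
    """True only for an address that could be a real public egress IP."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.version == 6:
        return ip.is_global
    return not any(ip in net for net in NON_PUBLIC_V4)


def reconcile(hostname, current, resolver=resolve, max_entries=1):
    """Return (to_add, to_remove) for the allowlist; change nothing on a bad answer."""
    try:
        answers = set(resolver(hostname))
    except OSError:                        # lookup failed: keep the existing allowlist
        return set(), set()
    good = {a for a in answers if usable(a)}
    if not good or len(good) > max_entries:
        return set(), set()                # non-public only, or more records than expected
    return good - set(current), set(current) - good


if __name__ == "__main__":
    # Constructed sample: the DDNS name (hypothetical) has moved to a new egress IP.
    fake = lambda host: {"203.0.113.7"}
    print(reconcile("laptop.ddns.example", {"198.51.100.20"}, resolver=fake))
```

Leaving the allowlist unchanged on a failed or implausible lookup means a DNS outage, or a record pointing at a private or shared carrier-NAT address, never widens access.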

Yes, you’re right, I set the SFC to a specific location and still get different addresses from that one location. In fact, from one location I might get Digital Ocean addresses or Vultr addresses, so I can’t even use the network range for access control without allowing several very big chunks, and monitoring to see if I’m from a new chunk I haven’t seen before.

Yes, this is an IP address from Starlink’s range, as I discovered this morning. ic2-detected.(device).mypep.link is the same IP address, so there is no place that the SFC public IP address is available in dynamic DNS from IC2. My next step will be finding the place to make a feature request.

I don’t need any inbound traffic, but I do need to be able to identify where I’m coming from for access control on the server.

I’ll need to choose between:

  • Some sort of Dynamic DNS with client on my computer, like noip.com,
  • a FusionHub in Vultr per your video,
  • using the company VPN to make that particular connection. (Just a note that I can’t do all my work from the company VPN, so I would need to consciously change to the VPN when I need to work on the server, and then back again when I need to do something else.)

Choices, choices…

Thank you so much Martin for all your help and talking me through this!

-Michele


If it was me, I would investigate the noip option with the software update client on your laptop first - it seems the most elegant.

Best of luck!


My feature request garnered this reply from the Peplink team

And, it works! Both the (device).mypep.link and ic2-detected.(device).mypep.link now show the SFC IP address.

-Michele
