I just purchased a pair of Balance 710’s and unboxed them last night. The purpose of the Balance devices is to link our primary office location with a smaller secondary office location nearby. All computing services will remain at the main site with only a very basic network at the secondary site. Included in those services are SIP telephony, Windows AD services, and database applications provided by a few 3rd party vendors.
At the primary site I have two consumer class Internet connections (Comcast and Verizon Fios).
At the secondary site I have only one consumer class Internet connection (Verizon Fios).
In addition to the two ISP’s I have a site-to-site (line of sight) WiFi connection using Ubiquiti equipment.
I would like to build a PepVPN between the sites and utilize SpeedFusion with smoothing to assure that I get a reliable, predictable link that is suitable for sensitive traffic like VoIP/SIP and video conferencing.
To start I walked through the Setup Wizard and configured my ISP WAN links and tested that they are working as expected. Now I need to configure the interface/link that will connect to the remote site via the point-to-point WiFi. My question is, what is the appropriate way to define the connection, the link subnet, and the remote network(s) present on the other side of that link? I may not even be asking the question very well so please, cut me some slack as this is my first time working with a Balance device. Put a different way, how do I configure the site-to-site link so that it can be included in the PepVPN as a preferred path to our secondary site but not be seen by the Balance as an Internet connection (zero route).
Any help and guidance provided is greatly appreciated.
If you post a network diagram with IP addressing I can be more specific but in general you would:
Set up the internet WAN interfaces on WAN1 (and WAN2 in the case of the main site which has two)
Setup a weighted balance outbound policy (any to any) on the main site, include WAN1 and WAN2 but turn off all other WANS.
Set up an outbound policy of enforced (any to any) on the remote site balance that uses WAN1 for internet access
Setup WAN3 on the main site and WAN2 on the remote site for the P2P bridge. You don’t say if the P2P link is a bridged Layer2 link or a Layer3 routed link - either is fine but in either case you should set static IPs on the WAN ports and you’ll need to set a gateway IP address (as the UI requires it) that can either be the IP of the radio at the other side if its a Layer3 link or the remote WAN IP if in Layer2/Bridge mode.
You also need to set a health check mechanism on WAN3/WAN2 too, I would suggest that could be a ping test and you could use the IP of the remote balance
Then you would configure the SpeedFusion VPN profiles on both Balance routers, on the main sites Balance 710 you would create a profile and enter the PepVPN ID of the remote balance. then in the WAN connection priority you want to unhide the WAN connection mapping feature and force Speedfusion to only try and connect the WANs with the wifi link on to connect to each other (this speeds up VPN tunnel creation).
Repeat this process on the remote site Balance but in this case fill in the public IPs of the WAN connections at the main site and the PepVPN ID of the main site. This then means that the remote site will dial in to the main site.
Once the SpeedFusion VPN is up you will be able to route traffic securely over VPN between the two locations, but internet access will go out directly via each locations local internet connection.
Martin,
Thank you so much for the detailed reply, I do appreciate your help.
Regarding your feedback, some questions have come up as I work through the steps.
When I created the Weighted Balanced policy I noted that there’s a default policy pertaining to SSL (tcp443) traffic. Should I also limit that policy to the two ISP WAN links (WAN1 and WAN2) by selecting a zero weight for the remaining WAN links?
Regarding the wireless link WAN configuration, the link is a L2 bridge. It’s not clear to me what I should select for items ROUTING TYPE, CONNECTION METHOD, and INDEPENDENT FROM BACKUP. What do you suggest?
When I save settings I’m presented with a dialog informing me that DNS must be set in order for the link to operate properly. However, as you can guess, there will be no DNS on the WAN like connected to the WiFi bridge. Will this be a problem?
WARNING: No DNS Servers defined in this WAN connection! The device will not function if none of the working connections have DNS servers defined. Are you sure you want to save anyway?
Re: PepVPN profile I entered the IP of the remote WiFi WAN interface. In the event that WiFi is down, how will the PepVPN know of the other public IP addresses of the remote unit? Will they be ‘learned’ the first time the VPN connects?
For both of these, since the UI isn’t geared up for private P2P links (it expects internet links) you just need to enter whatever you need to so that the settings will save. You say its a L2 WIFI bridge - so its the same from a config perspective as plugging the two WANs together with a cable.
Set a static IP on both WANS in the same range.
Set the ‘gateway IP’ on each device to be the remote Peplink static IP you just set.
Set the DNS to googles servers (8.8.8.8,8.8.4.4)
Set health check to Ping and the target as the remote device IP.
Yes they get learnt as part of the initial handshake. At which point each device will try and make an outbound connection to the others learnt ‘public IPs’ to create a tunnel for each WAN which then gets bondied. That’s why I said to set WAN Mapping above so that neither devices wastes time trying to route from a public internet connection to the private WiFi link.
Thanks again Martin, all seems to be working as expected. The VPN is up, speeds are good and we will hopefully be able to test VoIP services sometime towards the end of this week. I appreciate your help.
My next question is regarding networks and routing. On the PRIMARY site Balance LAN there are 10+ VLANs. On the SECONDARY site Balance LAN there are 5 VLANs. How do I inform the two devices of the networks available on either side of the tunnel? We are not using OSPF or RIP widely so I think it’ll be best for me to approach this using static routes if that’s possible.
And follow-up to that question, the SECONDARY site Balance will need to handle multiple subnets / VLANs on the LAN port; a trunk.
Example VLANs at the SECONDARY site -
IP SECURITY VIDEO - VLAN ID 7 - SUBNET 10.3.7.0/24
IP SIP VOICE - VLAN ID 50 - SUBNET 10.3.50.0/24
So the LAN port on the Balance needs to have multiple IP interfaces (one for each VLAN) and needs to tag traffic appropriately so that I can run a trunk to the switch stack.
Is setting this up simply a matter of going to LAN configuration and enabling VLANs under the question mark and then defining each IP interface?
We just started testing voice across the VPN and find that the phones are able to reach the server and initiate a call (SIP signaling) but, no VoIP audio is heard on either end. We have not done any troubleshooting yet. I’m just curious if anything comes to your mind that I should look at first…
