Close internet access but leave the SpeedFusion VPN access

Hi, if my network is on L2 and I use an HD2 on the endpoint and an HD4 in the center, and the DG of the L2 is not the Peplink but a private switch. If I want to access only the switch and what is behind it on the other side of the SpeedFusion from my HD2, and I don't want to give free internet access to the HD2 (only InControl we need access to), and all other traffic should go through the tunnel to the switch.
Can someone help me with a guide to closing the communication/internet access? I tried by myself to limit access through firewall rules and I also tried outbound policy, but it didn't help; either it stayed the same or I lost all access.


Can you do a quick Draw.io sketch of that topology please, to make it easier to understand?

Do you want the HD4 to be the router for internet traffic from the HD2? Is this all wired WAN connectivity?

Hi, I do not want the HD2/HD4 to go to the internet, only to the InControl management and to the SpeedFusion over the internet.
My goal is to have a connection from the camera 192.168.21.151 and PC 192.168.21.201 that are connected to the HD2 192.168.21.11, which is connected to the HD4 main 192.168.21.8 and backup HD4 192.168.21.9 using SpeedFusion, to go to the NVR and other servers behind the switch 192.168.21.1.
And I don't need or want the PC and camera to have any other route to get out of the network and go to the internet (only to InControl).

Limit HD2 internet access with SpeedFusion:

  1. Policy Routing: Configure SpeedFusion on HD4 to route InControl traffic directly to the private switch and send all other traffic through the tunnel.
  2. Firewall Rules:
  • On HD2, create firewall rules to:
    • Allow InControl traffic to the switch's IP address.
    • Block all other outgoing traffic (except to HD4 for tunnel communication).

Warner’s idea seems sound to me.

Why have you gone L2 for something like this? Is it some weird camera / NVR management requirement?

As you're L2 you've lost all routing / flow control at the remote vehicles, which is a real shame. And when a vehicle gets messed with, reconfigured, misconfigured, because it's on the same encapsulated L2 SpeedFusion segment it can be a real pain to fault find.

Much better to use L3 if you can.

Hi, thank you for the quick response. I will check; maybe the client will agree to change it to L3.

What they might want or need is for IP addressing in each vehicle to be the same as it makes configs at scale easier. If every car has the camera and NVR each on an expected IP it makes application config and support easier too.

There are ways to support that using a L3 topology as well though… let us know what they say.

Hello, the manager agreed to change the configuration to layer 3, and there won't be a large number of vehicles, so he has no problem making different networks for each vehicle.
I leave the center/backup HD4 with the same network as the central switch and the servers connected to my LAN port.
Then I can make a star SpeedFusion and select the main HD4 and backup in the disaster zero day spot and then put all vehicles in this profile,
and mark "send all traffic to hub" with the DNS of the DG of the switch 192.168.21.1, or do I put the addresses of the main and backup HD4 192.168.21.8-9?
And in the end I just need to make rules in the firewall of the two HD4s that will allow outbound traffic to 192.168.21.0 with the source of the vehicles' networks, and at the bottom of the rules change the default rule to deny?
Or will I lose management of the units from InControl?
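The rule set sketched in the "Limit HD2 internet access" reply and again in the last post (allow vehicle subnets to the hub LAN, allow management, default deny) can be reasoned about with a small first-match firewall model. The block below is an added illustration written for this page; it is not Peplink configuration and does not model the HD2/HD4 firewall engine. 192.168.21.0/24 is the hub LAN from the thread; the per-vehicle subnets (192.168.31.0/24, 192.168.32.0/24), the NVR address 192.168.21.50, and the management endpoint 203.0.113.10 are placeholders, not real addresses. Whether a router's own management sessions are even evaluated by its LAN outbound rules is platform-specific and has to be checked in the product documentation; the model simply shows what a default-deny rule set does to any flow that is not explicitly allowed, and why a deny-all placed first (the "lost all access" outcome from the opening post) blocks everything.

```python
import ipaddress

# Constructed values for the illustration (not from the thread except HUB_LAN).
HUB_LAN = "192.168.21.0/24"                              # central switch / servers (from the thread)
VEHICLE_LANS = ["192.168.31.0/24", "192.168.32.0/24"]   # assumed per-vehicle L3 subnets
MANAGEMENT_ENDPOINTS = ["203.0.113.10/32"]               # placeholder for the management service


def build_rules(vehicle_lans, allow_management=True):
    """Ordered rule list of (action, src_net, dst_net, dst_port or None).

    Vehicle subnets may reach the hub LAN on any port; management is allowed
    from any source to the management endpoint on 443; everything else falls
    through to the default action supplied at evaluation time.
    """
    rules = [("allow", lan, HUB_LAN, None) for lan in vehicle_lans]
    if allow_management:
        rules += [("allow", "0.0.0.0/0", ep, 443) for ep in MANAGEMENT_ENDPOINTS]
    return rules


def misordered_rules(vehicle_lans):
    """The same rules with a deny-all placed at the top: nothing below it is reached."""
    return [("deny", "0.0.0.0/0", "0.0.0.0/0", None)] + build_rules(vehicle_lans)


def evaluate(rules, src, dst, dport=None, default="deny"):
    """First matching rule wins; if no rule matches, `default` applies."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for action, src_net, dst_net, port in rules:
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and (port is None or port == dport)):
            return action
    return default


def check_policy(rules):
    """Decisions for representative constructed flows."""
    return {
        "camera_to_nvr": evaluate(rules, "192.168.31.151", "192.168.21.50", 554),
        "camera_to_internet": evaluate(rules, "192.168.31.151", "198.51.100.7", 443),
        "router_to_management": evaluate(rules, "192.168.31.1", "203.0.113.10", 443),
        "other_vehicle_to_nvr": evaluate(rules, "192.168.32.151", "192.168.21.50", 554),
    }


if __name__ == "__main__":
    for name, rules in (("intended", build_rules(VEHICLE_LANS)),
                        ("no management rule", build_rules(VEHICLE_LANS, allow_management=False)),
                        ("deny-all first", misordered_rules(VEHICLE_LANS))):
        print(name, check_policy(rules))
```

With the intended ordering the camera reaches the NVR, cannot reach the internet, and the management flow survives only because it is allowed explicitly above the default deny; drop that allow and it is denied like everything else, which is exactly the question the last post asks. Rule order matters in a first-match engine: putting the deny-all before the allows yields deny for every flow.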