Hello;
we have headquarter with below configuration :
-LAN subnet : 192.168.1.0/24
-we have a fortigate firewall : LAN 192.168.1.1; WAN 10.10.1.5
-we have 2 ISP routers with inside IP addresses : R1 10.10.1.1 in production, R2 10.10.2.1 standby. each router has a fixed IP address.
-we bought a Peplink Balance 580 to ensure Load Balancing of WAN links and connect 3 remote Branch offices with SpeedFusion VPN (site-to-site).
N.B: for the branches we bought 3 Peplink B210, all branches have 2 WAN links and fixed IP addresses whitout firewall.
LAN subnet in remote site:
B1: 192.168.2.x/24 B2: 192.168.3.x/24 B3: 192.168.4.x/24
how can i configure links Load Balancing and SpeedFusion VPN site-to-site between HQ and remote offices if we have routers with public fixed IP addresses ?
Here is my schema of my network:
You can setup your HQ with Peplink in drop-in mode, between your FortiGate and 2 routers. Use the link below for illustration. Your Peplink should be using R1 link for drop-in, IP address should be in the same range as 10.10.1.x.
http://www.peplink.com/knowledgebase/can-i-have-multiple-wan-connections-in-drop-in-mode/
As for Speedfusion, you can refer to the following link for more information. Also, from the look of it both your router is doing NAT, so you’ll need to port-forward Speedfusion ports (TCP32015 UDP4500) from router to Peplink for it to work.
http://www.peplink.com/knowledgebase/design-and-implement-peplink-speedfusion-site-to-site-vpn-with-drop-in-mode/
Feel free to share if you have further enquiries on this.
hello Kv-Chen,
thank you for your answers.
I have another question : in branches we don’t have firewalls. how can we Transmit all internet traffic to Firewall of HQ ?
I don’t get what you meant by transmit all traffic to firewall.
Are you trying to force all branches traffic to go through HQ’s firewall before going out to the internet?
Kevin
Hello
yes exactly . we want all branches traffic go through HQ’s firewall before going out to the internet
Not feasible unless you deploy Peplink behind your firewall. However, if you set it up that way, you’ll not be able to make full use of your standby link.
Kevin
hello,
I want to route all traffic internet to HQ’s fortigate for do traffic filtrage because in branches offices we don’t have firewall.
Hi elalaoui,
You could potentially utilize the Peplink Balance for your firewall to block/filter the traffic at the remote sites. The Balance does have the ability to perform content filtering based on categories. To view the categories available to select, and enable this functionality, browse to the “Network” tab on top > “Content Blocking” section on the left.
Additionally, you will want to ensure that the default inbound firewall rule is set to “deny.” You can access this in the “Network” tab > “Access Rules” on the left. Select the link for the default rule in the “Inbound Firewall Rules” window and then select “deny” to set the default inbound rule to deny. Finally, save and apply changes. Please reference the screen capture below.
Thank you elalaoui, I hope this helps.
hello;
thank you very much Jeffrey_Riley.
my problem now is :
i create speedFusion VPN between HQ and Branche office :
HQ
Branche Office
but when SAT (wan satellite internet) disconnected from speedFusion VPN in branche office :
i have the following status in HQ:
and latency is very high. what do you suggest to me for solve this problem ? taking into consideration we have the following WAN connections:
Questions:
-
May I know what type of WAN link for Inwi Inter at HQ? Look like latency is high.
-
May I know what type of WAN link for Inwi VPN at HQ and branch?
-
ISP 1,3 and 5 at HQ are same ISP?
Below is the recommendation for SpeedFusion Bonding:
Latency
- Latency should not more than 1000ms for each WAN link.
- The differences of latency between each WAN link should not more than 150ms.
Bandwidth
- Bandwidth of the slowest WAN link is at least 15% of the bandwidth of the fastest WAN link.
Hi;
1-the type of WAN link for Inwi Inter at HQ is : ADSL
2-the type of WAN link for Inwi VPN at HQ is : ADSL, at branch is the same ADSL
3-yes. the ISP 1,3 and 5 at HQ are same ISP.
Please help to open ticket. We need to check the latency and packet drop on each WAN link. Then only can advise which WAN link is suitable for Bonding.
Thank you.