Configure public IP to firewall behind MAX BR1 for site-to-site VPN


#1

I need to configure a firewall that gets a static public IP through a MAX BR1 with dual SIM active/backup,
to make a site-to-site VPN via the internet between the firewalls.
What is the best practice to configure the site-to-site VPN: should the MAX BR1 bridge through only the cellular SIM (drop-in mode) or use port forwarding?
If I configure passthrough, the firewall cannot be DHCP behind the MAX BR1; I need to configure a public IP or do port forwarding.
What needs to be configured?
And please attach a screenshot.
Thanks


#2

Not sure you can do what you want, since most operator SIMs are assigned private dynamic IPs as they sit behind carrier-grade NAT. If you go for fixed public IPs on your SIMs, then yes, you can use pass-through so that your FW gets assigned the public IP of the currently active SIM card, but when the SIM changes you can't always guarantee that the FW will cope with the public IP change very elegantly.

When I do this, I host a Fusionhub in the cloud with a fixed static IP and port forward from there over PepVPN to the FW on the LAN of the BR1 (which has a private IP).

By using PepVPN in this way, the public IP never changes even when the active SIM changes on the remote BR1, and the private IP of the FW on the BR1 never changes so you get more stability. Plus you can use Dynamic IP SIMs which are cheaper.


#3

I have a static IP from the ISP over NAT on the SIM. I need to pass the public NAT IP to the firewall to configure the site-to-site VPN.

Sent from my iPhone


#4

Yes, but you will have two different static IPs across the two SIM cards surely?


#5

I have a dynamic IP on the SIM but a static public NAT IP from both ISPs.


#6

Yes, I need it to make an IPsec VPN with two tunnels, one main and another backup.


#7

OK. So if you turn on cellular passthrough, when the firewall connects to the LAN of the BR1 it will be allocated whatever IP is currently available on the active SIM. You should then be able to build an IPsec tunnel to that public IP the ISP has allocated to that SIM.

However, I don't expect the failover will work as well as you want. When the SIM changes, so the IP will change on the cellular WAN; this IP will be passed through to the firewall, but I'm not sure if the firewall itself will detect that the IP has changed. I think the underlying process is DHCP, so the BR1 offers the active SIM IP to the firewall over DHCP. If so, you might need to set a really low DHCP lease time on the BR1 so that when the IP changes the firewall refreshes the IP quickly.

Let us know how you get on.
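The post above hinges on whether the firewall notices that the address handed to it over DHCP has changed. As an added example (not code from the thread or from Peplink), here is a small monitor that parses dhclient-style "bound to" syslog lines from the firewall's passthrough interface, reports every address transition (each one is the moment an IPsec peer has to be re-established), and computes the RFC 2131 default renewal point (T1 = half the lease) that bounds how long a client waits before re-contacting the DHCP server. The log lines are constructed; the two addresses are RFC 5737 documentation ranges standing in for the two SIMs' public IPs, and the 60-second lease is an assumed value.

```python
import re
from dataclasses import dataclass

# Constructed syslog lines in dhclient's "bound to ... -- renewal in N seconds." format.
# 203.0.113.10 stands in for SIM 1's public IP, 198.51.100.20 for SIM 2's (both RFC 5737 ranges).
SAMPLE_LOG = """\
Mar  3 10:00:00 fw dhclient[1234]: bound to 203.0.113.10 -- renewal in 30 seconds.
Mar  3 10:00:30 fw dhclient[1234]: bound to 203.0.113.10 -- renewal in 30 seconds.
Mar  3 10:01:00 fw dhclient[1234]: bound to 203.0.113.10 -- renewal in 30 seconds.
Mar  3 10:01:30 fw dhclient[1234]: bound to 198.51.100.20 -- renewal in 30 seconds.
Mar  3 10:02:00 fw dhclient[1234]: bound to 198.51.100.20 -- renewal in 30 seconds.
"""

# Syslog timestamp, host, dhclient pid, leased address, and the renewal countdown.
BOUND_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhclient\[\d+\]: "
    r"bound to (?P<ip>[\d.]+) -- renewal in (?P<renew>\d+) seconds\.$"
)


@dataclass(frozen=True)
class LeaseEvent:
    ts: str
    ip: str
    renewal_seconds: int


def parse_lease_events(log_text):
    """Return one LeaseEvent per 'bound to' line; unrelated lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = BOUND_RE.match(line)
        if m:
            events.append(LeaseEvent(m["ts"], m["ip"], int(m["renew"])))
    return events


def ip_changes(events):
    """Return (old_ip, new_ip, timestamp) for every transition of the leased address.

    Each transition is a point where the passed-through public IP moved to the
    other SIM, so the IPsec tunnel built on the old address will need to be rebuilt.
    """
    changes = []
    previous = None
    for ev in events:
        if previous is not None and ev.ip != previous.ip:
            changes.append((previous.ip, ev.ip, ev.ts))
        previous = ev
    return changes


def renewal_interval(lease_seconds):
    """RFC 2131 default T1: the client first tries to renew at half the lease time.

    With a lease of L seconds, the client stays silent for up to L/2 seconds before
    asking the server again, which is the delay a low lease time is meant to shrink.
    """
    if lease_seconds <= 0:
        raise ValueError("lease time must be positive")
    return lease_seconds // 2


if __name__ == "__main__":
    evs = parse_lease_events(SAMPLE_LOG)
    for old, new, ts in ip_changes(evs):
        print(f"{ts}: passthrough address changed {old} -> {new}; rebuild IPsec peer")
    print("renewal point for an assumed 60 s lease:", renewal_interval(60), "s")
```

Running it prints one change at 10:01:30 (the SIM failover) and a 30-second renewal point for the assumed 60-second lease; a longer lease stretches that silent window proportionally, which is why the post suggests shortening it.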


#8

What about two VLANs to two IPsec tunnels,

active/passive?