Hi everybody, looking to pick someone’s brain here because I’m missing something small, I think. I had this working at one point on some other demo gear I no longer have, and can no longer seem to set it up on my new permanent stuff I bought. I have two SDXs in geodiverse sites, and am looking to set up SpeedFusion between them using dark fiber between the two sites as the primary WAN. A basic topology is shown below. I have the SpeedFusion VPN config set up via IC2, but the VPN shows “Starting…” “Updating Routes…” but never establishes. I am doing L2 VPN transport across SpeedFusion, and am using it for a bit of resiliency. I made sure that the Hub device IPs were the public IP of the router and the /30 that goes between the two devices over dark fiber (192.168.10.1).
Location 1:
SDX Pro
WAN 1 Cable Modem
WAN 2 Fiber ISP
LAN 1 192.168.10.1/30 (private fiber across town to location 2)
Location 2:
SDX
WAN 1 192.168.10.2/30 (private fiber across town to location 1)
Do you really have a L2 tunnel configured? Sounds like a L3 route conflict to me.
Personally, my preference is to have different subnets set for the default LAN on each device, then I create a VLAN on each that will be bridged by the L2 VPN and then I present that VLAN to the right LAN ports either side.
You know what, I thought that might have been the case. Both untagged VLAN networks on each router were set to the factory default 192.168.1.1/24. I made the second site 192.168.2.1/24. I thought that was going to be my issue, but I still have the problem mentioned above. I’m going to continue to poke at this; I know I’m missing something small.
Share screengrabs of your network and VPN config and I can check that for you if you like. (or PM them to me if you prefer).
The dark fibre link needs to be connected to a WAN port on both devices.
Okay, thanks, I’ll try that a little later. I feel like I remember that part from my testing. So:
Site 1: 192.168.10.2/29 (with gateway .1?)
Site 2: 192.168.10.3/29
for the WAN IPs on each machine?
I’ll try and get something together for you, thank you!
Alright, so I’ve got them configured like this now:
Site 1 (Hub): 192.168.10.1/30 gw 192.168.10.2
Site 2: 192.168.10.2/30 gw 192.168.10.1
I’ve got SF connectivity WAN port to WAN port between the two sites it seems, but Site 2 drops off IC2 and cannot access the internet now. Also, DNS health checks fail on both of these WANs. Wonder if there is a route that needs to be added on Site 2?
Basically, if this is the only WAN connection available to Site 2, it seems to not be reachable remotely. If I plug another WAN into Site 2, it obviously comes up and is happy, however Site 1 & 2 can ping between each other on the private fiber connection appropriately.
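The addressing went through two revisions in this thread (a /29 with .2 and .3 and a gateway of .1, then a /30 with each end’s gateway pointing at the other). The script below is an added example, not from the original post or from Peplink, that checks a point-to-point WAN link the way a reviewer would before looking at the VPN itself: both ends in the same subnet, both addresses usable hosts (not the network or broadcast address), each end’s gateway equal to the peer’s address, and a /30 so no addresses are left over. The function name `check_p2p_link` and the sample addresses are assumptions made for the example; the addresses are the ones from this thread.

```python
import ipaddress


def check_p2p_link(a_ip, b_ip, prefix, a_gw, b_gw):
    """Validate the addressing of a router-to-router WAN link.

    a_ip / b_ip : WAN address of each end (strings)
    prefix      : prefix length shared by both ends (e.g. 30)
    a_gw / b_gw : gateway configured on each end
    Returns a list of problems; an empty list means the link is consistent.
    Constructed example: this is a generic check, not a Peplink API.
    """
    problems = []
    net_a = ipaddress.ip_interface(f"{a_ip}/{prefix}").network
    net_b = ipaddress.ip_interface(f"{b_ip}/{prefix}").network

    # Both ends must agree on the subnet, otherwise nothing else is meaningful.
    if net_a != net_b:
        problems.append(f"{a_ip} and {b_ip} are not in the same /{prefix}")
        return problems

    # Network and broadcast addresses are not assignable on a /30 or larger.
    usable = set(net_a.hosts())
    for ip in (a_ip, b_ip):
        if ipaddress.ip_address(ip) not in usable:
            problems.append(f"{ip} is not a usable host address in {net_a}")

    # On a point-to-point link the only next hop is the peer router itself;
    # a gateway that neither end owns (e.g. .1 on a .2/.3 pair) routes nowhere.
    if a_gw != b_ip:
        problems.append(f"site A gateway {a_gw} should be the peer address {b_ip}")
    if b_gw != a_ip:
        problems.append(f"site B gateway {b_gw} should be the peer address {a_ip}")

    # A /30 fits exactly the two ends; anything larger leaves unused addresses.
    if net_a.prefixlen != 30:
        spare = net_a.num_addresses - 2 - 2
        problems.append(f"{net_a} leaves {spare} unused host address(es); a /30 fits exactly two ends")

    return problems


if __name__ == "__main__":
    # Second revision from the thread: consistent /30, gateways cross-referenced.
    print(check_p2p_link("192.168.10.1", "192.168.10.2", 30, "192.168.10.2", "192.168.10.1"))
    # First proposal from the thread: /29 with .2 and .3 and a gateway of .1 that nobody owns.
    for p in check_p2p_link("192.168.10.2", "192.168.10.3", 29, "192.168.10.1", "192.168.10.1"):
        print("-", p)
```

Run it as-is and the /30 configuration returns no problems, while the /29 proposal is flagged on both gateways and on the leftover addresses. The check says nothing about NAT versus IP forwarding or outbound policy; it only confirms the link addressing is the kind that can carry the SpeedFusion tunnel.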
I assume both WANs are still set to NAT mode? Change to IP forwarding if you want to route back through them to get to the internet.
If you have other WAN links at either location for internet access, change your outbound policy so the dark fiber WANs are not used for internet traffic.
Martin - thanks for the tip here. I changed both WAN settings on both the hub SDX Pro and the Site 2 SDX to IP Forwarding rather than NAT. I then disconnected the alternate WAN on the Site 2 router, and it still loses connection to IC2. The L2VPN over SpeedFusion still seems to be up though.
Can you elaborate on what needs to be changed on outbound policy? The dark fiber WANs would ideally serve as a source of internet for the router’s core functions like IC2 connectivity in the absence of Cable and 5G connections, as well as being the primary WAN used to connect the sites at L2 via SpeedFusion. It’s not the end of the world if it doesn’t work, but I am curious why it isn’t.