DRAFT: Ability to nominate PepVPN/SpeedFusion for Incoming Port Forwarding

Hello Peplink & Community,
Have you ever had a situation where your customer wants to “cookie-cut” all their sites to be the same? That means they require every router to have an identical configuration, and all the devices on that router will have the same setup.

Many Peplink partners and MSPs will have had this; it is a common request from businesses and organisations that have to move systems around and interchange devices a lot, though they do not have the resources to keep reconfiguring the IPs.

Peplink is very close to a solution for this. We propose a new feature within Peplink routers (physical and virtual) that, with incoming port forwarding rules, you can nominate the PepVPN/SpeedFusion tunnel to get used, much like you can do with outgoing policies.

For example, an organisation has several systems that get moved between vehicles (trucks, vans, warehouses, helicopters, boats); all equipment runs the same predetermined configuration in each device and router. As all the equipment gets used for real-time communications, faulty equipment needs to be a straight plug and go when swapped out, with no reprogramming.

Each has the same configuration using the MAX HD4 MBX as the routers; all connections are behind a CGNAT (Carrier Grade NAT).
For security reasons, the organisation only has a single approved Public IP hosted in a virtual data centre (such as CGE, AWS, or AZURE), so the solution will need to use FusionHub.

All of the MBX connections to the FusionHub will need to be NATed because they all have the same IP setup; this works well with SpeedFusion for combining the multiple WANs into a fault-resilient transport stream outbound from the MBX unit.

The challenge comes when needing to access devices on each MBX unit from the WAN side of the FusionHub.
:8111 → x.x.1.230:8100 (helicopter#1)


The above works fine when the subnets are not duplicated or NATed, though it does not work when they get duplicated on multiple devices.

What we are looking for is a way to also add, in the port translation, which PepVPN that inbound port forwarding rule relates to:
:8111 via PepVPN<name#1> → x.x.1.230:8100 (helicopter#1)
:8112 via PepVPN<name#2> → x.x.1.230:8100 (helicopter#2)
:8113 via PepVPN<name#3> → x.x.1.230:8100 (helicopter#3)

Looking forward to seeing the community's thoughts on this feature request.

Note that Peplink’s new InTouch technology will not work as it is not web pages getting accessed.

Happy to Help,
Marcus :slight_smile:

Now if there was such a thing as a fully featured virtual Balance appliance would this not be solvable by using the virtual network feature? :slight_smile:

1 Like

Same thought as @WillJones, this is what Virtual Network Mapping was designed for, and it works on Fusionhub since it's configured on the MBX.

Of course the issue is that Marcus wants all remote devices to have exactly the same config so they can’t have unique VNM settings.

1 Like

Intouch is an option potentially?

Otherwise we’re left with a port forwarding config on the MBX from its NAT mode profile to the LAN side server.

Then you could connect to the FusionHub with a client VPN and access the server using the NAT mode IP the Fusionhub allocates to each profile.

Trouble is that NAT mode IP is dynamic and you can’t do DHCP reservations per profile…

1 Like

Hi Marcus,

that can be done via NAT-Mode-VPN.
All Routers can be cloned from a Golden-Master, with PAT predefined tables to access your end devices on the remote networks.

In the example above you can access each of the cameras via the management IP and the cam port.
You can deploy all settings via bulk configuration.
As all cameras and routers have the same config, it needs no skill to get a router and camera out of stock to deploy a new surveillance site.

Theo

1 Like

Hi Martin,

DHCP reservation is possible.
image.png
The yellow-marked part of the serial number is used for the reservation. All NAT mode MACs are created with 52:00:00 and the serial number part.
Set your reservations:
image.png

Theo

1 Like

Not on FusionHub though right? Your screenshot is from a Balance?

1 Like

I know some guys opened a thread in this forum where they asked for exactly this feature on fusionhub.

Yes you’re right:
Here Fusionhub NAT-Mode DHCP Reservation - #8

And

Here

1 Like