fusionhub advertised route

I’m using fusionhub inside a corporate network, not a cloud.
fusionhub is advertising its IP/32 back to pepvpn peers (its IP network is /24). Is this normal? Static routes are advertised as they are.

Yes, if you are not advertising the entire subnet for the FusionHub’s WAN interface then the /32 will be shared via the PepVPN OSPF routing table, so you can manage the IP via the PepVPN.

If you want the entire WAN subnet to be advertised, you must add it via Network->OSPF & RIPv2

Click on the 0.0.0.0 area and select Interfaces “WAN”

Could you clarify/explain this a bit more?

If the fusionhub VM is inside a corporate network, does it need just 1 network interface? Or does it need 2 nics?

The goal here is to route bi-directionally between the corporate network (192.168.12.0/24) and a BR1 Pro (192.168.8.0/24). The FusionHub VM is on 192.168.12.40, the MBR LAN IP is 192.168.8.1.

Your design isn’t quite clear, or it assumes some parts that weren’t included: the internet connection types, are they NAT? CGNAT? etc. We will assume static NAT at the corporate end, and CGNAT at the BR1 Pro.

A VM only requires one interface (WAN) to work. You only require a second interface on the VM if you are using the FH as a firewall/router, or need VPN remote access via the FH.

Now, there are two items:
First, how does the BR1 Pro contact the FH? You need an internet routable IP address, so you NAT the FH in your corporate network, or expose its IP directly to the internet.

Second, as I have written elsewhere, desktops and servers do not expect more than one router on a network, so you should not put the FH (a second router) on the corporate network (192.168.12.0). You should provision another /24, perhaps 192.168.13.0, which will only have the FH (192.168.13.40) and the corporate router (192.168.13.1). You then add a static route to 192.168.12.0 via 192.168.13.1 and redistribute that via the PepVPN. Then on the corporate router you add a static route to 192.168.8.0/24 via 192.168.13.40 (FH). You can of course use BGP or OSPF to share routes dynamically, but to prove that the system works, you just use static routes.

Routers expect to be able to talk to multiple routers, and direct traffic via routing tables. Servers and Desktops expect a single default route, and the few IPv4 protocols that would allow them to work are usually disabled in the name of security (or they don’t really work well).

First assumption is correct, NAT at corp, carrier connection at the MBR. Corp firewall is configured to pass traffic to the FusionHub VM’s internal LAN IP.

Your next point… will the FusionHub VM act as an inbound VPN server? And requires a second virtual NIC to do so? Is there documentation/examples of that setup?

Fair point regarding desktops and multiple gateways. Some do handle it better than others. I’ll look into that.

A FH can run “remote user access”, which allows L2TP, PPTP or OpenVPN.

You can look for examples of remote user access configurations, but the end user is assigned an IP address from the LAN DHCP pool, and that does not exist unless there is a LAN configured, or it didn’t work for me until I added the LAN. It has certain limitations, like it NATs all of the inbound VPN traffic to its LAN IP.

As for the routing, you can look up ICMP redirects, but by default Linux and Windows systems do not accept ICMP redirects, and even the FusionHub doesn’t handle packets redirected from the router correctly, so all of your packets will go up to the default router, be sent back out the same interface over to the FH (double the traffic load at the router)… and then both the router and FH generated ICMP redirects for every packet.
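Added example, not part of the thread and not Peplink code: a simplified model of the corporate router's forwarding decision in the two layouts discussed above, showing when traffic to 192.168.8.0/24 hairpins on the LAN interface (the ICMP redirect case) and when it does not. The router LAN address 192.168.12.1, the host 192.168.12.50 and the interface names are assumptions; the other addresses are the ones used in the thread.

```python
import ipaddress

# Routing tables as (prefix, next_hop, interface); next_hop None = directly connected.
# Interface names and the WAN default entry are assumptions for illustration.
ROUTER_FH_ON_LAN = [
    ("192.168.12.0/24", None, "lan"),
    ("192.168.8.0/24", "192.168.12.40", "lan"),      # FH sits on the corporate LAN
    ("0.0.0.0/0", None, "wan"),
]
ROUTER_FH_ON_TRANSIT = [
    ("192.168.12.0/24", None, "lan"),
    ("192.168.13.0/24", None, "transit"),            # router is 192.168.13.1 here
    ("192.168.8.0/24", "192.168.13.40", "transit"),  # FH alone on its own /24
    ("0.0.0.0/0", None, "wan"),
]

def lookup(routes, addr):
    """Longest-prefix match; returns (next_hop, interface)."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in ipaddress.ip_network(r[0])]
    _, hop, iface = max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return hop, iface

def forward(routes, src, dst):
    """Describe how the router forwards a packet from src to dst.

    'redirect' is True when the packet leaves on the interface it arrived on
    and is handed to another gateway on that segment. That is the situation
    in which a router emits an ICMP redirect, and every such packet crosses
    the LAN segment twice.
    """
    _, in_if = lookup(routes, src)      # ingress = interface facing the source
    hop, out_if = lookup(routes, dst)
    return {"in": in_if, "out": out_if, "next_hop": hop,
            "redirect": hop is not None and in_if == out_if}

if __name__ == "__main__":
    host, remote = "192.168.12.50", "192.168.8.1"    # host address is constructed
    for name, table in (("FH on corporate LAN", ROUTER_FH_ON_LAN),
                        ("FH on transit /24", ROUTER_FH_ON_TRANSIT)):
        print(f"{name}: {forward(table, host, remote)}")
```
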