Fusionhub enhancements to OSPF advertising

I am running into an annoying conflict between how Google VMs function and FH. I suspect that this would also be a common issue at other cloud VM providers.
I prefer to have remote phones register to the public IP of the Asterisk VMs, routing over the PepVPN. That way, if there is a problem with the VPN, the phones re-register over the public internet and keep working.
At my physical data centers, with large Balance routers as hubs for VPNs, this is no issue. I add static routes to the Balance for the local subnets if needed (or it is sitting on that subnet already) and it advertises them.
At Google, all VMs have private IPs, to which you can map public IPs.
And the VMs see their interface as being a /32, with a gateway of 0.0.0.0.
Then in the Google firewall/routing rules you set rules for what can talk to what.
Example:
FH has 10.142.5.4 with a public IP mapped
Asterisk VM has 10.142.5.5 with public IP 35.10.20.30 mapped
Problem is that the FH VM is advertising only 10.142.5.4/32 on the OSPF.
Note that the FH itself does have the ability to reach all the 10.142.0.0 subnet and all the public IPs. So technically it does not NEED a static route added.
If I add a static route in the FH for 10.142.0.0/24 GW 0.0.0.0, that gets advertised and does work.
If I add a static route in the FH for 35.10.20.30 GW 0.0.0.0, that gets advertised and does NOT work. I am working with Google on this, but so far their answer is “Why the hell are you adding a static route? Remove that and it will work”. But if I remove that, then the route is not advertised. I have confirmed that on a regular Linux VM, if I manually add a static route inside the VM (instead of in the Google GUI), it is unable to reach that route. It is just not how Google functions.

So, the request is to be able to add “manual subnets” to advertise to VPN peers.
A very similar screen to static routes, but without gateways. Just a list of subnet/masks to add (and maybe subtract?) to the automatically generated list. Seems like this could be useful for other things, and should be an easy add.

I want to mention this again. This request is not about “fixing” something in FH, but enhancing it to deal with an annoying issue with Google VMs.
Issue is in three parts:

  1. FH only advertises its local network and any static routes.
  2. Due to how GCE works, the FH does not have a “subnet”, just a single IP/32 with no gateway.
  3. If you add any static route, that DOES get advertised, but GCE refuses to pass the data, because you are not supposed to add routes with gateways.

So, the request is simple: add the ability to specify additional subnets to advertise over PepVPN without adding a static route.

Hi,

This has been added to feature request.
As a workaround, how about adding an outbound policy rule in the Balance router:
Destination IP Address: 35.10.20.20
Algorithm: Priority, SpeedFusion has highest priority

Yes, that does work and is what I am doing at this time. The problem is that we have hundreds of devices, and multiple outbound policies will need to be added in each, causing a real maintenance issue over time.

Thank you for adding this to feature request

Can we please get this added to 8.1?

I am raising this request again. This seems like such a simple request, and I am sure MANY FusionHub users would make good use of this feature.
In a nutshell: when hosted in some environments such as Google Cloud, the FH VM has a single IP/32 “network” on its LAN. So that is all it advertises to SpeedFusion peers.
This means that we have to go into EVERY peer and add outbound policies to have the traffic flow over the correct SpeedFusion links. We have to add one outbound policy PER LINK PER DESTINATION IP!
If we add a VM or private subnet at Google Cloud, we have to go back into every peer and add policies.
Our request is very, very simple: add the ability to add manual advertisement entries in the FusionHub, i.e. like adding a static route (which does NOT work in Google Cloud), but you are only adding the advertisement.
I.e. we are saying “Advertise 10.142.0.0/24, 33.34.35.36/32, 35.35.35.35/32 over OSPF just like they were static routes”.
