FusionHub NAT and site-to-site VPN

#1

Hey all,
I going to implement the following diagram and I have some questions.
I’ll start with describing the scenario -
Site 1 -
Balance 30 Pro connected to various wan interfaces (4g, WaW, Direct Wan) and publish Wlan.
4 X Pepwave rugged will be used as bridge to extend the Balance’s wlan range to remote locations.
I need that the clients whose connected to the Pepwaves will continue to work seamlessly whenever a hot-failover happens, moreover it’s important for me to keep the tcp session active during failover - that’s why I decided to use Fusionhub (NAT MODE) on AWS so for each session the source IP address will be the EC2 instance IP address and not the balance 30 pro interfaces.

Now for the issue,
I need to find a way to directly connect to site 1 clients (192.168.0.x address) from site 2.

What router you suggest me to install on site 2 to solve it? I thought about buying max br1 and then connect it to the same Fusionhub but I couldn’t find if ill be able to do inter-peering routing (between site 1 and site 2) while maintaining the tcp-persistency (NAT mode) for site 1.

Other option that is on my mind is to buy max br1 and setup Pepvpn directly between the sites but again I’m not sure if this will work alongside with Fusionhub (specifically the NAT that I want in place for site 1)

any more suggestions and recommendations are welcome
Thanks

1 Like

#2

You can use any PepVPN enabled device (even an AP One Mini) in site 2. Whether it connects directly to the B30 Pro on Site 1 or to the Fusionhub will depend on whether Site 1 or site 2 has any public IP addressing you can build a PepVPN to/from, and how many Peer licenses you have on the Fusionhub.

If it was me, I’d likely use a free Fusionhub Solo license for Site 1, and a BR1 for Site 2 (because I like the BR1) or a Soho, then connect that directly the Balance 30 Pro at Site 1 (if Site 1 has public IP addressing) or get Site 1 B30 Pro to connect to Site 2 (if SIte 2 has public IP addressing).

Whatever way you end up connecting the sites, the route for traffic from Site 1 out via the FusionHub will continue to work fine.

1 Like

#3

Thank you @MartinLangmaid,
As stated, Site 1 has several public IPs.
Site 2 has public IP.

I see that comment from 2015, isn’t it contradict with what you said regarding connecting both sites to fusionhub?

Pepvpn/fusionhub will maintain the tunnels across all the wan interfaces of Site 1? I need it to keep the connection between sites up when a failover happen between WANs interfaces.

Also, the public IPs are not static so I need to make sure the tunnels stay up when the external ip of one of the interfaces change, is it possible? do I have to use ddns to achieve it? or fusionhub/pepvpn will maintain it for me automatically?

Thanks

0 Likes

#4

Nope. You were referring to NAT mode on the WAN interface of FusionHub (set on WAN settings). That link refers to NAT mode at a PepVPN level (set in the pepVPN profile).

InControl2 can provide Dynamic DNS (mypep.link), or use another DynDNS service.

1 Like

#5

Ah no actually you didn’t specifically.

You said Site 1 has multiple internet connections. I was trying to highlight that you need to be able to route traffic inbound via a Public IP. You can’t typically do this over LTE (which uses carrier grade NAT) and you’ll need to set up port forwarding over the ISP CPE / router.

1 Like

#6

Thanks for the quick reply @MartinLangmaid

Im a bit confuse now, please let me know if I get it right -

Nope. You were referring to NAT mode on the WAN interface of FusionHub (set on WAN settings). That link refers to NAT mode at a PepVPN level (set in the pepVPN profile).

Amazing so NAT on fusionhub will work for me

InControl2 can provide Dynamic DNS (mypep.link), or use another DynDNS service.

That’s cool, so the tunnels will stay up when I use dyndns, but will it create the tunnels across all interfaces? or I have to set up dyndns/mypep for every interface manually

You said Site 1 has multiple internet connections. I was trying to highlight that you need to be able to route traffic inbound via a Public IP. You can’t typically do this over LTE (which uses carrier grade NAT) and you’ll need to set up port forwarding over the ISP CPE / router.

I see, so you say the tunnels will stay up only between the none LTE interfaces?
for the LTE interfaces - do you know if carriers can provide external IP (not NATed) ?

Is there an option to decide what subnets are distributed over the PepVPN?

Thanks,
Franco

0 Likes

#7

Part of the handshake process when building a pepVPN connection is for both sides to advertise all available WAN links. When using SpeedFusion (you can add a license to the B30 Pro for that BPL-031-PRO-LC-SF) the device at Site 2 and the FusionHub would create tunnels between it and all the available WAN ports on the B30 Pro. Without SPeedfusion bonding license, the B30 Pro will do SpeedFusion Hot failover so traffic can fail seamlessly between it and the FusionHub/BR1.

Peplinks Dynamic DNS offers a single domain name for your device but you can prepend that with the WAN link name too to be more specific (so mybalance30pro.mypep.link and wan1.myBalance30pro.mypep.link would both work for example).

If you do outbound PepVPN from both the B30 Pro on site 1 and a BR1 (as an example) on Site 2 to a single Fusionhub, then a tunnel will get created between each remote site LTE and the Fusionhub public IP. Traffic between the two sites then can happily flow over LTE at either site.

If both sites have LTE and both are dynamic and the PepVPN is configured site to site (rather than using the Fusionhub as a hub) then tunnels will only get built outbound from each LTE connection to the other sites other WAN links (that have public IP addressing that is routeable). If all wired WAN links at both sites fail then so would the pepvpn.

You can get public IP SIMs but I strongly suggest you don’t. Instead use a FusionHub.

Yes. In Network -> Routing protocols ->OSPF & RIPv2 you can choose which subnets are advertised to remote peers.

2 Likes

#8

This is so informative!
I’ll get FusionHub license and BR1.
I’ll connect both sites to the FusionHub and will cross my fingers that all we talked here will work as expected.
Thanks a lot @MartinLangmaid

If I’ll have further questions I’ll post them here

1 Like

#9

Hey @MartinLangmaid
I just configured the tunnels to fusionhub, the NAT mode is working great and my traffic to wan got natted behind EC2 instance as expected.

Though after advertising the local network on each devices via Network -> Routing protocols ->OSPF & RIPv2 I still don’t see it on anyother side of the tunnel.

the only thing I see when checking status --> fusionhub is the IP address the 169.254.X.X addresses the fusionhub dhcp provided

any additional step should be taken?

0 Likes

#10

Sounds like you have NAT mode enabled on the SpeedFusion Profile on the Fusionhub
Turn that off.

1 Like

#11

@MartinLangmaid but then how would the clients access the internet with the EC2 source ip address?

0 Likes

#12

Speedfusion/PepVPN NAT (configured in the profile) is different and separate to WAN interface NAT (configured on the WAN interface settings).

You don’t want VPN profile NAT. WAN NAT is enabled by default and already configured to allow clients to access the internet using the EC2 source IP.

1 Like