Fusionhub : Route PepVPN traffic to LAN

Hi,

I use fusionhub in lan/wan mode, with a fortigate to route all traffic from balance 310X of each site to internet.

All is ok, each balance on remote site can access to internet through the fortinet by the pepvpn.

But lan site can ping each other through pepvpn when “Route pepvpn traffic to LAN” is tick on fusionhub (need it to forward pepvpn traffic to the forti and then to internet)

If I untick it (no more internet -> normal), and then each site can ping each other.

Any idea ? Missing route somewhere ? Bad ospf configuration ?

BR’s.

For information, If I disable “Route pepvpn traffic to LAN” and put a static route (for example) to 8.8.8.8 via 192.168.99.1 (forti) on FH, it’s ok i can ping each remote site between them, and 8.8.8.8 via forti.

Check your firewall logs on the Fortigate. When route all traffic via LAN is enabled all traffic - even peer to peer traffic, is sent via the LAN gateway.

If it doesn’t work when you have it turned on, the Fortigate is where the traffic is getting stopped. I often forget to add the peer to peer IP ranges as allowed in the 3rd party firewall (the fortigate in this case) when I’m setting this kind of config up.

1 Like

@MartinLangmaid Thanks for your reply.
There’s no way to keep peer to peer traffic routing in fusionhub and route all other to the fortigate gateway (internet) ?
I don’t want to overload the fortigate with peer to peer traffic.

No there is. Uncheck route pepvpn traffic to LAN.

Stick a static route in for 0.0.0.0/0 on the FusionHub with the fortigate LAN as the next hop. That should keep Remote peer traffic on the fusionhub and send general internet traffic via the Fortigate.

2 Likes

Unfortunately it’s not working if a put a static route for 0.0.0.0/0 to 192.168.99.1, but if i put for example 8.8.8.8/32 to 192.168.99.1 it works… Strange ?

@Andrey_Stryukov / @Lai Any idea to solve it ?

That’s a shame. I need to lab this up to investigate. Normally I use send traffic to LAN option.

When “Route PepVPN traffic to LAN” is enabled, all traffic from PepVPN (including inter-site) will route to LAN gateway. To enable inter-site routing, please add static route “PepVPN_remote_network via FusionHub” in the LAN gateway.

In your case, you need to add following static routes in LAN gateway:
10.0.1.1/24 via 192.168.99.201
10.0.2.1/24 via 192.168.99.201

This design is to provide a flexibility to pass all traffic (including inter-site) to a LAN firewall/packet sniffer, etc. and let the appliance to determine what to do next.

Hi Kenny,

Thanks for your reply, then there’s no way to let inter-site traffic in the fusionhub, and pass other to the appliance ?

This is not supported currenlty, we will add this to feature request.

Ok, Thanks.

After reviewing this feature, we tend to not pass inter-site traffic to LAN if “Route PepVPN traffic to LAN” is enabled. This is same as Peplink Balance firmware’s behavior.

Can we have an option to ‘include inter-site traffic’ if this feature is changed as you describe?

Otherwise I will have a bunch of installs that will need a complete rebuild since I rely on all traffic coming from remote peers to pass through a firewall appliance on the LAN of the fusionhub for security and filtering purposes…

Hi Martin, sure, that will be an option instead of behavior change.

1 Like