I use fusionhub in lan/wan mode, with a fortigate to route all traffic from balance 310X of each site to internet.
All is ok, each balance on remote site can access to internet through the fortinet by the pepvpn.
But lan site can ping each other through pepvpn when “Route pepvpn traffic to LAN” is tick on fusionhub (need it to forward pepvpn traffic to the forti and then to internet)
If I untick it (no more internet → normal), and then each site can ping each other.
Any idea ? Missing route somewhere ? Bad ospf configuration ?
For information, If I disable “Route pepvpn traffic to LAN” and put a static route (for example) to 8.8.8.8 via 192.168.99.1 (forti) on FH, it’s ok i can ping each remote site between them, and 8.8.8.8 via forti.
Check your firewall logs on the Fortigate. When route all traffic via LAN is enabled all traffic - even peer to peer traffic, is sent via the LAN gateway.
If it doesn’t work when you have it turned on, the Fortigate is where the traffic is getting stopped. I often forget to add the peer to peer IP ranges as allowed in the 3rd party firewall (the fortigate in this case) when I’m setting this kind of config up.
@MartinLangmaid Thanks for your reply.
There’s no way to keep peer to peer traffic routing in fusionhub and route all other to the fortigate gateway (internet) ?
I don’t want to overload the fortigate with peer to peer traffic.
Stick a static route in for 0.0.0.0/0 on the FusionHub with the fortigate LAN as the next hop. That should keep Remote peer traffic on the fusionhub and send general internet traffic via the Fortigate.
Unfortunately it’s not working if a put a static route for 0.0.0.0/0 to 192.168.99.1, but if i put for example 8.8.8.8/32 to 192.168.99.1 it works… Strange ?
When “Route PepVPN traffic to LAN” is enabled, all traffic from PepVPN (including inter-site) will route to LAN gateway. To enable inter-site routing, please add static route “PepVPN_remote_network via FusionHub” in the LAN gateway.
In your case, you need to add following static routes in LAN gateway:
10.0.1.1/24 via 192.168.99.201
10.0.2.1/24 via 192.168.99.201
This design is to provide a flexibility to pass all traffic (including inter-site) to a LAN firewall/packet sniffer, etc. and let the appliance to determine what to do next.
After reviewing this feature, we tend to not pass inter-site traffic to LAN if “Route PepVPN traffic to LAN” is enabled. This is same as Peplink Balance firmware’s behavior.
Can we have an option to ‘include inter-site traffic’ if this feature is changed as you describe?
Otherwise I will have a bunch of installs that will need a complete rebuild since I rely on all traffic coming from remote peers to pass through a firewall appliance on the LAN of the fusionhub for security and filtering purposes…
we also stuck with this problem. FH with 8.1.3 stucks at updating Routes when Route all traffic to LAN is enabled.
Looks like the same issue.
Do you have a timeline?
With an FW newer than 8.1.0 the option to route a /0 network is also missing. Is there a trick to get a /0 network routed to a firewall?
Lending some support to this request. We have a customer running into this exact issue and having all remote site to remote site route back through the firewall is not ideal and going to require additional management on the firewall as well as require the firewall to process more traffic than is needed or desired. This would be a great feature to add to the FusionHub platform!
This can be done without enabling “Route PepVPN traffic to LAN”. If internet traffic needs to go through the firewall, you may configure 0.0.0.0/1 and 128.0.0.0/1 in Static Route.
