FusionHub Solo link established but no internet connectivity

I have owned a Balance One for some weeks. It is connected with two fibre links to my two ISPs, a local ISP (150 Mbps up/down) and T-Mobile (100 Mbps up/down). I would like to use FusionHub Solo since I am a home working IT freelancer who needs a reliable connection and good quality video conferencing, but also to mitigate the fact that the local ISP is somewhat less reliable than T-Mobile and drops VOIP connections every now and then, to my wife’s frustration.

When I configured FusionHub Solo through InControl2 all worked right away. But, since I own and manage only one Peplink device, I have no use case to pay for InControl2 after the first free year so I am now learning to understand FusionHub config and am trying to get FusionHub Solo up and running without using IC2’s magic. And that’s where the problem starts… I get FusionHub running and connecting (green lights on the WAN interface) but I have no internet connectivity. When I configure through IC2 I do get internet connectivity on FusionHub. My FusionHub instance is running in DigitalOcean’s cloud.

Here’s some of my config:

[Screenshots: Local; Outbound policies; Dashboard; System information; FusionHub DigitalOcean]

Notes and questions on the outbound policies:

  • The FusionHub rule is disabled now; as soon as I enable it (or choose “Send all traffic to” in VPN > PepVPN) I lose internet connectivity.
  • The VOIP rule seems to be mandatory, because when I had FusionHub working through IC2, VOIP was not connecting without that rule.
  • Is the HTTPS Persistence rule still needed once I get FusionHub working?
  • There’s no firewall configured in DigitalOcean.

My question: Which step did I miss?
CC @MartinLangmaid

On the Balance, if you go to Status -> SpeedFusion and look at the FusionHub profile there, do your WANs show as green?

If you run a VPN speedtest using the inbuilt tool (red arrow above) what throughput do you get down and up?


Yes, one WAN shows green, the other yellow but will turn green if I unplug the first.

Test throughput is:
PepVPN Test Results
1.0s: 73.3984 Mbps 0 retrans / 280 KB cwnd
2.0s: 62.3892 Mbps 0 retrans / 298 KB cwnd
3.0s: 56.6242 Mbps 0 retrans / 302 KB cwnd
4.0s: 63.4384 Mbps 0 retrans / 312 KB cwnd
5.0s: 68.1578 Mbps 0 retrans / 325 KB cwnd
6.0s: 61.3423 Mbps 0 retrans / 342 KB cwnd
7.0s: 61.8651 Mbps 0 retrans / 354 KB cwnd
8.0s: 69.7313 Mbps 0 retrans / 366 KB cwnd
9.0s: 92.8002 Mbps 0 retrans / 374 KB cwnd
10.0s: 66.0550 Mbps 0 retrans / 378 KB cwnd
11.0s: 61.8679 Mbps 0 retrans / 378 KB cwnd
12.0s: 65.0108 Mbps 0 retrans / 378 KB cwnd
13.0s: 68.6843 Mbps 0 retrans / 384 KB cwnd
14.0s: 68.1574 Mbps 0 retrans / 390 KB cwnd

Very much appreciated @MartinLangmaid !

OK great so the tunnel is definitely up and traffic can pass.

To make the internet work you need to be able to send and receive data to it and you need to be able to resolve DNS. So I think we need to focus on DNS as the next thing.

Login to the Balance go to System > Ping choose the VPN connection from the drop down, then ping www.bbc.co.uk (or any website that answers to ping). Do you get a response?

Then on your PC check the DNS settings - what DNS servers are you using? Is it the Balance One or is your PC using 3rd party DNS like Google (8.8.8.8, 8.8.4.4)?


I think we’re getting close. When pinging www.bbc.co.uk I got: www.bbc.co.uk cannot be reached using the selected connection.

I intend to use Quad9 DNS through my Balance One. So clients should get the Balance One IP for DNS, which then talks to Quad9. But on the DNS on my PC I noticed a strange local IP (10.12…) No idea where that came from, it may have come from AirVPN which I have now disconnected.

But you can ping 212.58.233.251 over the vpn assumedly? If you can then it is a DNS issue. I assume you have DNS proxy enabled? When you set up ‘send all traffic via’ in the InControl2 wizard it asks for DNS servers. Which ones did you put there?


When I have AirVPN connected, and no FusionHub, I can ping 212.58.233.251.
When I am connected through FusionHub, I cannot ping 212.58.233.251…
I did have DNS proxy settings enabled. Disabling it did not change anything.
When I ticked “Send all traffic to” I selected Quad9 as DNS: 9.9.9.9
But still I could not resolve any website.

No matter how I configure DNS, I cannot get this to work anymore. I found a forum post of someone seeing a similar problem, which never got answered: Pepwave BR1 Mini - LTE Connected but can't surf the web

So I suspect there’s something wrong in my DNS settings, maybe something got out of line and cannot be repaired through the GUI anymore. Just to illustrate my point (and this may also very well be my misunderstanding of network concepts in general or of the Balance One specifically):

  • I have removed DNS server settings everywhere, except on the two WANs
  • On the two WANs I have ticked “Obtain DNS server address automatically”
  • DNS servers: 1.1.1.1 (1.0.0.1)
  • “Use the following DNS server address(es)” is not ticked
  • On each LAN I have ticked “Assign DNS server automatically”
  • DNS Proxy, DNS caching, Include Google’s DNS, and DNS Resolvers, are all not ticked

My understanding now is that, on the LAN connection of my PC, the router’s IP should be offered as DNS server (Peplink Balance One manual, page 123). That is not happening. When I renew the DHCP lease I am offered Google’s DNS (8.8.8.8, 8.8.4.4).

When I untick “Assign DNS server automatically” on the LAN and populate the DNS with 1.1.1.1 and 1.0.0.1, and then renew the DHCP lease, then I am offered 1.1.1.1 and 1.0.0.1.

But in either of these two cases, when FusionHub is configured I have no WAN connectivity, or at least no DNS resolution.

What am I doing wrong?
Should I start over?

Honestly I am stuck too. DNS and routing are two separate things.

If you are on a PC and run nslookup and can resolve dns names to IP addresses then DNS is working.

If you then set your outbound policy for that same PC by source IP address and say send this traffic over the PepVPN tunnel and that tunnel is up and passing traffic then you should have internet access.

The only time that might not work when the PepVPN is all green lit is if the FusionHub WAN is set to IP forwarding and not NAT, but that is a non-standard config that you’ll likely remember doing so it seems it wouldn’t be the cause in this case.

I have DNS now working as I want it when I am connected to the internet without FusionHub. nslookup for any domain works. Then, when I enable my FusionHub outbound policy (which I created the same as you did on your video) then nslookup ceases to work. Something that struck my eye is that I cannot tick the box in “send all traffic to” anymore: it’s greyed out. On the FusionHub side I have NAT set. Another thing that struck my eye is that in FusionHub I have a “lan” connection too (now set to connection method “none”) whereas in your video you did not seem to have that.

You’ll see a LAN connection too in the web UI when you have added a private LAN connection to the underlying VM in DO. You don’t need a LAN connection unless you want to route over VPN to other services with private IPs on DO too.

OK, definitely routing then, since your DNS servers would not change when you reroute traffic via FusionHub.

Thanks to the help of @MartinLangmaid this problem was resolved. He was able to drill it down to a firewall rule blocking internal traffic. Because VPN traffic is considered internal, FusionHub was blocked. I am very glad Martin helped me out with this! (At the same time, I am feeling a little bit embarrassed since I was the one blocking that traffic in that rule in the first place…)

Thanks Martin!


Very glad we got to the bottom of this one!

Really not your fault and nothing to be embarrassed about. Using SpeedFusion / PepVPN for internet access, which is by any definition a WAN activity, and then needing to remember that ‘internal’ firewall rules cover the same VPN traffic is a bit counterintuitive now.
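Added example, not written by anyone in this thread: a small client-side check that separates the two failure classes discussed above (routing/firewall versus DNS) by probing an IP literal, the system resolver, and one upstream resolver directly. The IP, hostname and Quad9 address are the ones mentioned in the thread; using TCP port 443 instead of ICMP ping and the function names are assumptions of this sketch.

```python
import socket
import struct

def tcp_reachable(ip, port=443, timeout=3.0):
    """Routing check: connect to an IP literal, so no DNS lookup is involved."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def system_resolves(hostname):
    """DNS check through whatever resolver DHCP handed to this PC."""
    try:
        return bool(socket.getaddrinfo(hostname, None))
    except socket.gaierror:
        return False

def build_query(hostname, txid=0x1234):
    """Minimal DNS A query: 12-byte header plus one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def direct_resolves(hostname, server, timeout=3.0):
    """DNS check that bypasses local settings by asking one resolver directly."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(hostname), (server, 53))
            reply, _ = s.recvfrom(512)
        except OSError:
            return False
    if len(reply) < 8:
        return False
    txid, flags, _, ancount = struct.unpack(">HHHH", reply[:8])
    # Same transaction id, RCODE 0 (no error), at least one answer record.
    return txid == 0x1234 and (flags & 0x000F) == 0 and ancount > 0

def diagnose(ip_ok, sys_dns_ok, direct_dns_ok):
    """Map the three probe results onto where to look next."""
    if not ip_ok:
        return "routing/firewall"      # the case this thread ended up in
    if sys_dns_ok:
        return "ok"
    return "local DNS settings" if direct_dns_ok else "DNS path blocked"

if __name__ == "__main__":
    ip, host, resolver = "212.58.233.251", "www.bbc.co.uk", "9.9.9.9"
    print(diagnose(tcp_reachable(ip), system_resolves(host),
                   direct_resolves(host, resolver)))
```

Run it once with the FusionHub outbound policy disabled and once with it enabled; a result that flips from "ok" to "routing/firewall" points at routing or firewall rules rather than DNS settings.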