[Help] FusionHub, NAT mode and internal network


#1

Hello,

I am trying to establish the following setup via InControl:

One company with HD4 for main site and HD2 mini for mobile offices and vehicles.

I’d like to have all external connections to the Net from clients NATed to a public IP address assigned by FusionHub to each device (HD4, HD2) and to be able to access internal networks of each site from the others.

So far, I achieved some of it separately:

I can successfully NAT everything to the hub address, but not to an individually assigned IP per box, but then the two networks are invisible to each other (no ping successful to internal IPs or even to the FusionHub DHCP-assigned IP).
I can successfully reach internal networks from the other box, but then I don’t have NATing activated (192.168.50.2 connected to HD4 can see 192.168.40.10 connected to HD2).

I could create a hub per device and then maybe interhub routing but it sounds overkill for what I want to achieve.

Of course, I’d like to avoid configuring each IP in a table as my client can extend and modify his own network.
I didn’t activate the layer3 isolation; I tried activating the “speedfusion peers access internal network” but nothing seems to do the trick.

Thanks a lot for your help!


#2

Inter-peer routing under NAT mode is not allowed in FusionHub. We are working on this feature. We can provide a pre-beta test to you in the next 2 weeks. You must disable NAT mode to allow inter-peer routing at this moment.


#3

Ok, thank you for your answer.

I’m looking forward to it. It will most probably be very useful for SFA members.


#4

Hi,

Can you share a graphical network diagram?

By default, all remote sites that are connected to FusionHub will have visibility of each other (LAN segment), unless you enable NAT mode on FusionHub.


#5

Here you will find what I am trying to achieve.


Each HD4 has SIM cards with different operators. I’d like to avoid that end-users end up with one of the mobile operators’ IP addresses to surf on the Net. If I do a NATing, I have only one address for all of them. I want to be able to assign, from my pool of IPs, one public IP per peer.

My main concern is to have an individual IP address from my own pool for each.

The only solution I see currently is four times one hub with one HD4 in NAT mode and assign the public IP to the hub, but it consumes way too many VMs.

Thanks,
P


#6

Apparently my problem is not easy or well understood…

Peers behind an HD4 receive mobile providers’ IP addresses that are already NATed. If I must make the HD4 accessible to the outside world, they must somehow receive external IP addresses from my pool, and I don’t see anything else than the FusionHub to provide them.


#7

Hi, I get it. You want to allocate external IPs from the FusionHub to the WANs of the HD4s. There is no easy way to achieve this at the moment, since there is layer 3 routing in place between the HD4 and FusionHub over the SF tunnel to the FusionHub.

This is possible using just our balance products with the addition of another device at each client location. So you end up with:

External IP range -> perimeter firewall device -> Core Balance -> L2 SF VPN -> HD4 -> Customer Firewall Device

In this configuration, an additional firewall device has the public IPs on its WAN and acts as the gateway device for the customer firewall / router (which also has a public external IP in the same range). They are connected over a SF layer 2 VPN, with the HD4 on the WAN side of the customer firewall.

FusionHub does not currently support Layer 2 VPN, although this is currently under development. I’ll check with engineering to see if they can think of another way to achieve this.


#8

Is it possible to have at least the setup with one hub/one peer/one public IP and all ports except management forwarded to the peer?

I would have to deploy hubs for each but at least I’d have a solution. I am available for beta testing.