How to let clients in VRF access Server in FusionHub network

We have customers with Balance 310X at their HQs and 20X at their branches. Their offices will be connected to each other using FusionHub. Some of the customers also have servers at our datacenter, too. Their servers serve both Intranet and Internet.

Currently, we have successfully implemented VRF to separate each customer’s sites from other customers’. However, we cannot configure it to let them access their servers at the datacenter.

At datacenter
Router Firewall has 3 IP addresses.

  • forward Speedfusion ports to FusionHub
  • forward all traffic to 200.1.2.2 to 10.30.0.100 for Client A
  • forward all traffic to 200.1.2.3 to 10.30.0.200 for Client B

FusionHub

  • firmware version 8.0.1 build 1644
  • use VRF to separate each client’s traffic from other clients

Servers for customers are located on FusionHub’s local network.

At each client’s site
Peplink Balance 310X (HQ) or 20X (branch)

  • use multiple links to make SpeedFusion connection to datacenter
  • use OSPF to announce local networks
  • clients might have overlapping IP addresses (which is fine because of VRF)

Add this outbound policy rule to the branch router for Client A:
Source: Any
Destination: IP Address 200.1.2.2
Protocol: Any
Algorithm: Enforced
Enforced Connection: SpeedFusion Profile

Do the same for Client B but with Destination IP Address set to 10.1.2.3.

As VLAN is not supported in FusionHub now, the outbound policy rule is important to make sure Client A cannot access Client B’s servers.

Thanks for your answer. I added the rule to Client A’s router and verified using traceroute that the route from Client A’s HQ to Client A’s server does route via SpeedFusion.

However, after the route goes to FusionHub, it fails to reach Client A’s server. The traceroute results are:

  1. 172.16.1.2 310X’s LAN
  2. 10.30.0.10 FusionHub
  3. *
  4. *
    (Asterisks all the way to 30.)

The traceroute results from Client A’s server to Client A’s HQ IP are:

  1. 10.30.0.10 FusionHub
  2. 10.30.0.1 Firewall’s LAN
  3. 200.1.2.1 Firewall’s WAN
  4. Internet

It seems like the route won’t go into Client A’s VRF.

Please open a ticket here.

Here’s a more detailed diagram. I’ll create a ticket, too.

  • Each client’s offices are connected using SpeedFusion in their separate VRF
  • Each client’s server is located at FusionHub’s WAN network. They have to be reachable as an Intranet server from their respective offices and as an Internet server from public Internet users. That is, the server is not in a VRF but should be accessible from the respective VRF.
  • Some clients’ users work from home. They will be connected to some sort of VPN server and should be able to connect to their server and offices.