Inbound options when failing over using drop in mode to LTE

Hi everyone,

If I have a fibre internet connection with 1 or more static IP addresses and then I’m using drop in mode and failing over to LTE which also has a static IP address, what are the options for remote connectivity if I’m using a BR1 or HD2? Just wondering what most people do.

So for example, if my fibre static IP is 99.99.99.99 and my LTE static IP is 88.88.88.88, if we have remote users or customers that are accessing servers on premise via 99.99.99.99 and that goes down, what do most people do to easily know to connect to 88.88.88.88? We use Route 53 on AWS for our DNS, and I had tested it before creating a DNS entry like remote.company.com, with priority 1 being the 99.99.99.99 and priority 2 being the 88.88.88.88 which did seem to work when I tested it ages ago. Wasn’t sure though if that was because AWS is fast at updating DNS or if that would work for everyone.

I know with the Balance devices you can use them as a DNS server which would be an option but in general we are using more cellular based devices like BR1 or HD2. I’m just wondering the difference between doing what I mentioned above, making 2 DNS records on a current DNS host like Route 53, Cloudflare, etc, vs using a Balance as the DNS server.

Lastly, I know there’s dynamic DNS, but from what I can see it seems to be by WAN, meaning you’d have to set up 2 separate dynamic DNS records, with one for each WAN (like remote1.dynamicdnsprovider.com for WAN1 and remote2.dynamicdnsprovider.com for WAN2).

You can use Peplink’s own dynamic DNS service (mypep.link) that is baked into IC2. Sometimes I’ll add a corporate CNAME record that resolves to the myrouter.mypep.link dynamic address to keep it tidy.

Generally I would use a FusionHub for remote access though. So PepVPN to the FusionHub which stays up no matter what, a static IP on the FusionHub the customer can use for remote access. Job done.

Hi Martin,

Thanks, that’s great news. I didn’t even know there was a Find my Peplink service. The reason I didn’t want to do it through FusionHub is because most of our customers have a /29 or larger block on their primary connection, so they have multiple static IPs in use for various servers/services at their office, so FusionHub in this case isn’t as ideal. If they only have a single IP or dynamic then definitely FusionHub works great.

I’m having issues trying to get inbound working via FusionHub as it always says the ports are closed. I can post another thread, but I’m using AWS and can’t figure this out; not sure what I’m missing.

I have a Windows Server at 172.31.1.30 connected to the Balance 305 which is 172.31.1.1. I’m then doing SF to FusionHub on AWS with LAN 172.31.3.44 and public IP 15.222.15.X. Can’t seem to get it to work to RDP or FTP into the server at 172.31.1.30 via 15.222.15.X.

The Balance 305 inbound is set like:

If I RDP to the cable connection at 99.226.X.X it works fine, same with other services running on TCP.

On FusionHub I have inbound port forwarding set as:

And the WAN tab as:

But port checks show all ports are closed on 15.222.15.X AWS public IP. I have the firewall on AWS set to allow all ports open. I do not have NAT mode enabled on SF profile.

Just wanted to add, I was finally able to get this to work by just trying for fun to forward FusionHub to the IP of the SERVER (172.31.1.30) on prem and not the IP of the Balance 305 (172.31.1.1) and it works?

I thought I was supposed to put the IP of the Balance 305 here so that traffic gets forwarded from FusionHub to it, and then the Balance 305 uses its port forwarding rules to forward traffic from there? Further confused as if I go on the Balance 305 under Services and delete the “All TCP from PepVPN forwards to 172.31.1.30” it still works when connecting to FusionHub’s IP remotely to do RDP and whatnot.

Maybe I’m just getting mixed up, and I’d love it if someone can correct me if wrong, but based on this it seems like:

  1. If you want to port forward from FusionHub’s IP to servers connected directly to a remote site Balance device, where the Balance is the primary router, you don’t need to set up any port forwarding on the Balance itself, but do it all instead from FusionHub, setting port forwarding rules to point to the servers’ IPs connected to the Balance, while enabling the IP Forwarding WAN option, and the SpeedFusion Peers Access Internal Network option.

  2. If you have another 3rd party router/firewall as the primary router at the remote site, such as a Cisco Meraki, and you’re using the Balance device mainly as a load balancer or for fail-over, you would then instead set up port forwarding rules to servers on the Meraki, and then have FusionHub port forward to the IP of the Meraki.

Is that correct? Seems like it but wanted to verify. Thanks!!!

Yes, that’s right. When you port forward on the FusionHub you are port forwarding over the site to site VPN connection so you can have a target IP that is the actual LAN IP of the target server. You can of course use the internal firewall rules on the remote Balance to secure that further if you desire.

If the LAN of the Balance had a customer’s firewall connected you would indeed need to port forward on that customer firewall and set the port forwarding target at the FusionHub end to the WAN IP of the 3rd party firewall (which would be an allocated LAN IP of the Balance).
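As an added example (not part of the original thread, and not Peplink or AWS code): a short Python audit of the AWS security group in front of FusionHub, since the thread forwards RDP and FTP through a public IP while the AWS firewall allows all ports. The group IDs, CIDRs, sample rules, tunnel port value and function names are constructed assumptions; the input follows the JSON shape returned by `aws ec2 describe-security-groups`.

```python
import ipaddress

# Ports the thread forwards through FusionHub (RDP and the FTP control channel).
FORWARDED_PORTS = {3389: "RDP", 21: "FTP"}

def is_world_open(cidr):
    """True when the CIDR covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def covers(perm, port):
    """True when an IpPermissions entry allows TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit(group):
    """Return sorted (service, port, cidr) findings for world-open forwarded ports."""
    findings = set()
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if not is_world_open(cidr):
                continue
            for port, name in FORWARDED_PORTS.items():
                if covers(perm, port):
                    findings.add((name, port, cidr))
    return sorted(findings)

# Constructed sample groups: "allow all" as described in the thread, and a
# tightened variant (source CIDR and tunnel port are assumed placeholder values).
ALLOW_ALL = {"GroupId": "sg-EXAMPLE-open", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
RESTRICTED = {"GroupId": "sg-EXAMPLE-tight", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 32015, "ToPort": 32015,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}

if __name__ == "__main__":
    for g in (ALLOW_ALL, RESTRICTED):
        print(g["GroupId"], audit(g) or "no world-open forwarded ports")
```

Each finding is a forwarded service that any internet source can reach on the FusionHub public IP; narrowing the source CIDR in the security group complements the internal firewall rules on the Balance mentioned in the reply above.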

Great thanks! Just curious, when would you ever use this on the forwarding on the Balance side?

If you just use FusionHub to do all the forwarding, just curious when you’d set up forwarding on the Balance picking PepVPN as the connection.

Quick second side question, but would this mean if the Balance was doing drop in mode to an existing router/firewall would that mean port forwarding from FusionHub wouldn’t be possible being that the customer’s firewall would have a public IP assigned to it vs one assigned from the Balance? Or would you just put the public IP of the customer’s firewall as the server IP address?

When you have configured a NAT Mode profile on the FusionHub, the Balance PepVPN would get a private IP allocated to it from the FusionHub’s DHCP server (for NAT mode profile in Network > VPN | SpeedFusion).

The Balance then can port forward from that allocated IP address as if it was a WAN port.
You could use this where you have loads of sites and they all have the same IP addressing schema and they all have a CCTV NVR you want to remotely access securely. If on the device at the remote sites you port forwarded from the PepVPN NAT IP then that IP could be used to remotely access the NVRs.

Not sure about drop in mode and port forwarding to it.