Initial setup of B One / SpeedFusion Cloud: conceptual questions

I just purchased a B One device but have not set it up yet. Before I go to the trouble, I have a few questions because I just realised some restrictions that might mean this product does not make sense for me.

My use case is a marine vessel, I have x3 cellular WAN connections with different providers which vary in reliability. I have x3 because each is bandwidth limited (and then throughput limited), and I wanted some resilience. I am currently using pfsense to failover the connections if one fails.

I bought the B One so that it could aggregate the connections if throughput limited after bandwidth exhausted, and still end up with decent bandwidth whilst maximising availability. I thought SpeedFusion Cloud is the solution to this… and maybe it is, BUT:

I realised that my company, for information security reasons, does not allow me to use a VPN (and can detect if I am) and I must appear to be in the country I’m supposed to be in. This poses me two problems with SFC, as it doesn’t appear to have a node in my country and seems to use VPN.

So, I guess the questions are:

  • Can I exclude my work computer and mobile phone for any SFC setup using the B One, and still have some sort of resiliency for those devices? (and conversely, all other devices on board use SFC with bonding)
  • If yes, what kind of high level config do I need to look into to make that happen?
  • Any other considerations I haven’t thought of?

Note to self: Should have figured this all out before purchasing!

Thanks in advance.

Dan

Yes you can, in several ways.

  1. You can use failover/load balancing to distribute the load between the 3 different connections. If one fails (and you can configure these tests in health check) it will move to another.

  2. You can specify which links to use, in what order, by source (ie which device of yours), destination (IP, domain name, SaaS provider or protocol… or all of the above) with outbound policy. Set up your outbound policy in IC2, not on the device, for maximum SaaS options.

  3. You can then set up SpeedFusion Cloud to send traffic via Peplink’s hosted endpoints with that same outbound policy, so you could:
    a) choose to not route your work device via speedfusion cloud
    b) route only traffic for websites or services you use personally via speedfusion cloud
    c) any other combination you can think of

  4. SpeedFusion Cloud can use fancier traffic protection technologies like WAN smoothing (duplicating traffic and sending it over multiple links at once) or Forward Error Correction. You can even choose to apply these rules (using sub-tunnels) differently to different traffic types!

  5. If you have somewhere convenient in-country with reliable internet (home, family home etc) you could put another Peplink there, connect them both to SpeedFusion Cloud and use relay mode to route your work traffic through SpeedFusion and out the device at home. Your work won’t detect that as VPN, and you could still use the above traffic protection techniques as you choose.


Thanks so much for the detailed response. Looks like I have some tinkering to do.

Re your answer #5, why won’t it be detected as VPN? Aside from it being a more reliable connection, why couldn’t I achieve this without the second site in country?

Detecting something as being a VPN endpoint is all about where the traffic is exiting, so Peplink’s public SpeedFusion endpoints, or commercial VPN providers’ endpoints, can be found by the provider and traffic types that get observed (ie like lots of different users’ traffic exiting via an IP address belonging to a hosting provider or public cloud provider).

If you send your traffic via your home address (as an example), it will just look like your traffic is coming from a normal residential type connection, as you would expect.

As for why you can’t do all the optimisations without a second site, it’s because you have to control both ends.

In the 1st case, where you just load balance, you send the traffic out and wait for the response; if it gets lost in transit you resend. Your device is being reactive to problems, quite quickly, but still after it happened. By using the tunnel with, say, WAN smoothing, it will send each packet out multiple times, on different links, and then reassemble it at the other end and discard the duplicates. So when the latency or packet loss varies, it uses the “fastest” one of each packet, no matter what WAN, and reassembles it. To do that, it has to control both ends of the tunnel.

WAN smoothing:

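The reactive-versus-duplicated delivery contrast described in the answer above, as an added toy simulation (this is not Peplink code and does not model the real SpeedFusion protocol). Each link is assumed to have a drop probability, a base latency and uniform jitter; the tunnel's far end is assumed to keep the first copy of each sequence number and discard later ones. The link parameters in the `__main__` block are constructed, not measurements.

```python
"""WAN smoothing versus reactive single-link delivery, as a toy simulation.

Added example (not Peplink code). A link is modelled as a drop probability
plus base latency and jitter; the far end of the tunnel keeps the first
copy of each sequence number and discards later duplicates.
"""
import random
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    loss: float       # probability that a given packet is dropped
    base_ms: float    # fixed one-way latency
    jitter_ms: float  # extra delay, uniform in [0, jitter_ms]


def transmit(link, rng):
    """One-way transit time in ms over `link`, or None if the packet is dropped."""
    if rng.random() < link.loss:
        return None
    return link.base_ms + rng.uniform(0, link.jitter_ms)


def reactive_single_link(n_packets, link, rng, rto_ms=200.0, max_tries=5):
    """Failover-style delivery: one copy on one link; on loss, resend after an
    RTO. Returns {seq: latency_ms}; packets still lost after max_tries are absent."""
    delivered = {}
    for seq in range(n_packets):
        for attempt in range(max_tries):
            t = transmit(link, rng)
            if t is not None:
                delivered[seq] = attempt * rto_ms + t
                break
    return delivered


def wan_smoothing(n_packets, links, rng):
    """Send every packet on every link at once. The receiving end keeps the copy
    that arrives first and discards the rest. A packet is lost only if every
    link dropped it. Returns ({seq: latency_ms}, duplicates_discarded)."""
    delivered = {}
    duplicates_discarded = 0
    for seq in range(n_packets):
        arrivals = [t for t in (transmit(l, rng) for l in links) if t is not None]
        if arrivals:
            delivered[seq] = min(arrivals)        # first arrival wins, whatever the WAN
            duplicates_discarded += len(arrivals) - 1
    return delivered, duplicates_discarded


def summarize(delivered, n_packets):
    """Loss count and latency distribution for a delivered map."""
    lat = sorted(delivered.values())
    return {
        "delivered": len(lat),
        "lost": n_packets - len(lat),
        "mean_ms": round(sum(lat) / len(lat), 1) if lat else None,
        "p95_ms": round(lat[int(0.95 * (len(lat) - 1))], 1) if lat else None,
    }


if __name__ == "__main__":
    # Constructed link parameters, not measurements from any real carrier.
    cells = [Link("cell-A", 0.05, 40, 60),
             Link("cell-B", 0.10, 60, 40),
             Link("cell-C", 0.02, 80, 120)]
    n = 2000
    single = reactive_single_link(n, cells[0], random.Random(7))
    smooth, dups = wan_smoothing(n, cells, random.Random(7))
    print("reactive, cell-A only :", summarize(single, n))
    print("WAN smoothing, 3 links:", summarize(smooth, n), "duplicates discarded:", dups)
```

Running it shows the trade-off the answer describes: the smoothed tunnel loses a packet only when all three links drop it and its per-packet latency tracks whichever link happened to be fastest, while the single link pays a full RTO every time it has to resend. The price is the duplicate copies, which is why it is applied per sub-tunnel to the traffic that needs it rather than to everything.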

Yes, of course. Two options:

  • on the SFC page on the BOne, you can choose “Route by LAN Client” and specify that way. This will send all traffic for the device.

or what I think is the better way:

  • use outbound policy to choose what types of traffic (by destination, SaaS, protocol etc) and send that through the tunnel:



info here:


Thank you again.

LAN client routing: Unfortunately this isn’t what I get. When I select “route by LAN client” I only have one item in the dropdown which is my next router that is downstream from the B One. So all I can do is redirect ALL of my internet traffic or NONE, instead of being able to pick/choose. Is there a way around that?

For outbound policies: my work connection authenticates through a specific web page which then launches a VMWare Horizon Client. Is it possible to redirect those specifically?

Related: Is it possible to route streaming traffic (Netflix/Apple TV/Disney+/YouTube) through particular connections?

Unrelated: I am getting extremely poor speed using the B One’s wifi (wired LAN is fine). The signal strength appears to be ok on my [wifi 6] mobile device that I’m connecting it to, but using a SFC or non SFC connection yields very poor results. It is downstairs but my other/existing wifi routers don’t have this issue. Edit/update: Right next to the router I get decent speeds but if I go one floor up it’s poor - seems I need separate access points unfortunately.

Oh, you have another router behind the Peplink. Yeah, that won’t work, it’s NATing all the devices behind it to one IP.

Why do you have another router there, you shouldn’t need it?

I do have overly complicated setup, but for historical and feature reasons:

  • I have a pfSense router that was replaced by the Peplink B-One. Whilst it had failover capabilities it couldn’t do bonding or similar features to SFC (as far as I know anyway). For now I’ve kept it in the flow because it also has the pfBlockerNG package installed (ad blocking), but I can take it out and do that some other way.

  • Next I have a Ubiquiti Unifi Dream Machine Pro, and a bunch of Unifi switches / APs / Cameras hanging off it with the rest of my devices. This is a router/switch so I’d have the same issue even if I took out the pfSense router. I don’t want to take this out because my entire network ecosystem is based on Unifi and works really well, all the devices play nicely together and the management software is perfect for my needs and skill level.

=> So whilst I can take out the pfSense box without too much trouble, I’m not sure how I can handle the UDM Pro as it controls my vlans / wifi and more. I want to keep this on the network and make use of its features.

Hope that makes sense?

You can keep using your pfSense firewall behind the B-One if you wish. You just have to remove the NAT rules on the outside/WAN interface of the device. Then in the Peplink make sure you put static routes for the subnet behind the pfSense firewall pointing to the IP address of the pfSense box itself, just so it knows how to reach those client subnets. Should be pretty straightforward for the pfSense.

For the Unifi Dream Machine Pro: with the update yesterday to Network application 8.3 you can choose the NAT functions of the WAN interfaces there as well. You can now (again) choose to disable NAT/NAT exempt the clients behind the UDM-Pro by network, thus just performing normal routing, and a static route in the Peplink here would still be required.


Wow, what great timing with the 8.3 release!

Thanks so much for the advice, I’ll look into this.

Dan

After much experimentation I’ve finally got the routing working as expected (disabled firewall/NAT on pfSense, disabled NAT on UDM-Pro). I can now ping my end workstation client from the Peplink CLI and vice-versa. All of my client devices show up in the “client list” in WebAdmin → Status → Client List.

However, when I go to SFC → Route By LAN client, the dropdown still only shows one item which is the next downstream router from the PepLink (pfSense in this case).

Even if that did show up all of the clients as per client list, I want to be able to route all but a small number of devices through say SFC and the rest through the standard means.

Any ideas?

Latest updates:

  • Removed pfSense router to simplify my network. Now it is PepLink Router → Unifi Dream Machine switch (with NAT turned off as per @Wayne_Eveland’s suggestion above) → Client devices such as cameras, laptop, PCs, etc
  • Successfully set up SpeedFusion Hub in a cloud service provider in my country and got SpeedFusion VPN working. This is great as it has bonded my x3 cellular connections together (this is notable as PepLink doesn’t have an SFC location in my country and even if it did, the costs are very high)
  • At this point I don’t have any additional outbound policy set up other than the default
  • All outbound traffic is routed through the SpeedFusion VPN connection (Advanced → SpeedFusion VPN → Send All Traffic To (my SF VPN connection))
  • Upgraded firmware to 8.5.0 beta 2, but this didn’t help any of my issues

Outstanding challenges:

  • Not sure if my company will still think I am using a VPN, time will tell and if they do then the other questions become more important, as I will need to be able to isolate my remote work traffic somehow.
  • All my outbound traffic is going through the SpeedFusion VPN connection. I don’t know how to partially direct some through particular WAN(s) instead of using the VPN or SFC.
  • For SpeedFusion Connect, if I try to “Route By LAN client” then it only shows one item in the list, which is my Unifi Dream Machine Pro. However, all of my downstream client devices appear in Status → Client List. Their IPs are shown but no MAC address.

Thanks again for all the help so far.

With the help of Peplink support (thank you) I have now solved this.

  • I have set an outbound policy (top priority) for my work device to route through my standard WAN connections.
  • I have set an additional outbound policy (2nd highest) to route all traffic through SpeedFusion VPN (which connects to a SpeedFusion Hub in a local cloud service provider).

So now my work device traffic is going through my standard WAN connection and everything else goes through the SpeedFusion VPN.

Annoyingly when I tried connecting my work device through the VPN, my company were able to pick it up and blocked my access - even though I used a local CSP. It’s a shame because my standard WAN connections are not as good as the SpeedFusion VPN.

Thanks again for everyone that helped, @bryn.loftus @Wayne_Eveland and Peplink Support.
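The two-rule outbound policy the post above arrives at, as an added first-match evaluator written for this page (it is not Peplink's policy engine, and the rule names, the route labels and the 192.168.10.0/24 addresses are hypothetical). It shows the property the setup relies on: rules are evaluated top to bottom and the first match decides the exit, so the work-device rule only protects that device while it sits above the catch-all.

```python
"""First-match outbound policy, as a toy evaluator.

Added example, not Peplink's policy engine. Rule names, route labels,
hosts and addresses are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    route: str                   # where matching traffic exits
    src: Optional[str] = None    # source host or CIDR; None = any
    dst: Optional[str] = None    # destination host or CIDR; None = any
    proto: Optional[str] = None  # "tcp" / "udp"; None = any


@dataclass
class Flow:
    src: str
    dst: str
    proto: str


def _in(addr, cidr):
    """True when cidr is unset or addr falls inside it (a bare host is a /32)."""
    return cidr is None or ip_address(addr) in ip_network(cidr, strict=False)


def matches(rule, flow):
    return (_in(flow.src, rule.src) and _in(flow.dst, rule.dst)
            and (rule.proto is None or rule.proto == flow.proto))


def outbound_decision(rules, flow, default="wan-priority"):
    """Rules are evaluated top to bottom; the first match decides the exit.
    Returns (rule name, route); the default applies when nothing matches."""
    for rule in rules:
        if matches(rule, flow):
            return rule.name, rule.route
    return "default", default


# Constructed ruleset mirroring the thread's final setup (addresses hypothetical):
# top priority sends the work device straight out the WANs, the next rule
# sends everything else through the SpeedFusion VPN to the hub.
WORK_LAPTOP = "192.168.10.50"
RULES = [
    Rule("work-device-direct", route="wan-priority", src=WORK_LAPTOP),
    Rule("everything-else-via-sfvpn", route="speedfusion-vpn"),
]


def exit_for(src, dst="203.0.113.10", proto="tcp", rules=RULES):
    """Exit chosen for a flow from `src` under `rules`."""
    return outbound_decision(rules, Flow(src, dst, proto))[1]


if __name__ == "__main__":
    print("work laptop :", exit_for(WORK_LAPTOP))                      # wan-priority
    print("smart TV    :", exit_for("192.168.10.77"))                  # speedfusion-vpn
    # With the order swapped the catch-all wins first, and the work laptop
    # silently goes through the VPN, which is exactly what got detected.
    print("swapped     :", exit_for(WORK_LAPTOP, rules=RULES[::-1]))  # speedfusion-vpn
```

The check worth doing after any policy change is the last line: evaluate the work device's flow against the live ordering and confirm it still resolves to the direct WAN exit before trusting it from the vessel.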

Yes, they can tell in that instance. If you use a private one somewhere (a trusted home or business connection) with SpeedFusion Cloud relay, they won’t be able to tell.