Hi everyone, I have FusionHub running on ESXi. We have a /29 at the data centre with ESXi, just trying to figure out how to add the rest of the IPs. I have one assigned to FusionHub, then I tried adding a 2nd NIC but that just added LAN to FusionHub. I then added a 3rd and 4th NIC but they don’t appear in FusionHub. Thanks.
FusionHub is designed for the following deployment mode:
May i know the requirement for the 3rd & 4th NIC ?
Thanks. So today we have fibre as primary with a /29. Each IP is used for something different, like one IP is for the PBX. The SIP provider authenticates by IP address, so all PBX traffic must come and go from the same IP. We have another IP that points to a FTP server, another IP that points to a CRM server etc.
Today we have Cradlepoint with LTE as secondary, however if the fibre fails, the phones don’t work since the LTE has a different IP from the fibre so we can’t authenticate with the SIP provider, and customers can’t access our FTP server or CRM system since the IP is changed on the LTE as well. It’s not possible to just have 1 IP for the whole company, and to be honest we were looking to upgrade to a /28 as we have the need for more IPs.
We just have 1 location there’s no head office etc. I wanted to use FusionHub to provide hot failover so VoIP calls don’t fail, and then same with inbound fail over so that customers can still access our FTP server and employees can access the CRM. I also just wanted to know in general as we sell fibre for a living and it always comes with a /29, so any time we use FusionHub for hot fail over customers keep expecting to have 4+ IP addresses as just 1 for a whole company is not enough.
You wouldn’t install the Fusionhub at your location, it would be in the cloud as a VPN concentrator allowing routing. from there back to the servers in your location.
To do what you want to do, you would install a firewall appliance in the cloud alongside the Fusionhub. The firewall appliance can have as many virtual IPs assigned to it by your hosting provider as needed (ie one per service). It would then route traffic directed at those public IPs to via the Fusionhub over SpeedFusion to your servers.
Your SIP provider auth would be against your hosted firewall IP - not the ones on your fiber at your premises. If the fiber link failed and you had alternative connectivity (like LTE) then the tunnel would stay up your IP would stay the same (as its the on hosted in the cloud) but traffic would pass over the physical failover links at your location rather than the primary fiber link.
Thanks I think that makes sense, I’ll have to check into that with our network people and also draw it out to fully get it but it sounds like it makes sense to me. To clarify though I don’t mean we’d put FusionHub at our location, it would go in our ISP’s data centre on their IaaS platform. Today we just have 1 location, it has fibre with fail over to LTE and the fibre has a /29. We want to change those IPs to the /29 in the data centre where FusionHub is, so in addition to the hot fail over etc, we’d also be able to in the future change the fibre to another provider, but not worry about changing the IPs since it’s the ISP’s DC IP’s we are using.
If I was on AWS would it be the same? I’d have one instance running FusionHub, and then another instance running the firewall?
Good stuff. You’ve got it. the /29 at the remote location becomes redundant - only a single IP is needed for outbound SpeedFusion VPN traffic. Inbound comes via the hosted IPs in the cloud. Yes two instances, a virtual firewall appliance and a Fusionhub. Same idea in AWS or any other hosting environment.
Is there any recommend firewall to use? Our ISP with vSphere had Astaro preinstalled as a VM. I hadn’t heard of it before but looks like it is a firewall, wondering if that might work or if there’s any other recommendations on ones that would work well with Peplink for this purpose? Thanks!
Haven’t used Astaro before (I think Sophos acquired them?). There is not official recommendation as such. I use opnsense and can certainly recommend that for this kind of job.
Since the FusionHub isn´t a multiple wan solution, any suggestion for using FusionHub behind Peplink Balance as a gateway? The idea is to have multiple wan connections (with public IPs) on the balance so it can work as redundancy for the FH.
The balance will not make any other function but balance inbound traffic to FH. I am not sure if forwarding ports (handshake and data) from its multiple wans to the local IP of the FH will work… We are assuming that SF profiles in remote peers will aim to public IPs hosted by the balance…
Have you work with a similar architecture?
I like this idea. Since the Fusionhub would have a single WAN IP (a private IP on the LAN of the balance), and the Balance would keep track of the sessions passing through it I think that would work fine.
I’d likely add a couple of persistence rules (By destination mode) in outbound policy for the 4500 and 32015 ports to keep things tidy and the PepVPN sessions between the FH and the remote sites locked to the same WANs on the balance.
If you used the balance for inbound load balancing (so it is the authoritative DNS provider) that would be even better - the remote sites would then use DNS instead of a hard coded IPs when they connect to the FusionHub.
Just curious, why don’t you use the Balance device as the hub device to establish the PepVPN/SpeedFusion connections ? Any specific reason why you still need a FusionHub for your deployment ?
Thanks Martin! We also think that using the balance for inbound load balancing (as DNS) will be a better solution.
I appreciate the suggestions, best regards.
We need a hub that can serve as an MSP Hub for multiple end-customers. Maybe I am wrong, but using a Balance for this scenario may complicate things:
-End-customer LANs might be duplicated between them
-We need to isolated traffic between end-customers
The plan is to have MSP FH in a local data center with multiple WAN connections and deploy a second MSP FH in AWS as backup.
We appreciate any comment, best regards.