NAT over SpeedFusion Tunnel

I have a requirement to port forward to a VPN server over a SpeedFusion tunnel between two Pepplink Balance Routers but as the source IP of the VPN client is a public IP address I need to source NAT this connection to be an IP in the range protected by the VPN or somehow route the client public IP address back over the VPN - we do not want to route all outbound traffic back over the tunnel.

I can easily do NAT over VPN tunnels with other firewalls and routers but I have been stumped by the Peplink!

Can anyone help?

This should be possible, I think I understand what you are trying to do anyway - a diagram may help if I have misunderstood you. :slight_smile:

Is it something like this:

Remote VPN Client β†’ (Peplink A WAN IP) ← (SF VPN Tunnel) β†’ (Peplink B LAN) β†’ (VPN Server)

If so, assuming you don’t have NAT enabled on the SF VPN profile, on Peplink A you would do a NAT port forward towards the LAN IP of the VPN server behind Peplink B.

The exact config for this can vary a little depending on what model balance you have, if you provide some more detail I can maybe make some screenshot examples.

In some respects, that should take care of it, the connection tracking in the Balance should ensure that the return traffic is routed via the path it arrived on, if not an outbound policy on Peplink B would be required that matches the public IP of the VPN client as a destination and sends traffic towards that IP via the SF tunnel.

Depending on the type of VPN server you have behind Peplink B you may also need to look at some of the service forwarding configuration on the Peplinks to stop them trying to terminate the VPN (this mostly matters if it is an IPSEC tunnel relying on NAT-T).

1 Like

Thanks Will,

I got sorted in the end, turns out it was an issue with Windows 10 and L2TP termination behind a NAT device, so the Peplink does behave in the expected way.


1 Like