Outbound policies and multiple tunnels

Product Discussion Pepwave MAX
1

Hi,

We recently got a MAX-HD4 and a Balance 380. We’re planning to use the unit to stream media to our studio using a Speedfusion VPN. I’ve set up the tunnel and all is working fine. Because of different requirements for different traffic (for example streaming vs. remote desktop) I tried the new sub-tunnel feature. The 2 tunnels establish fine. But it looks like Outbound policies on the HD4 as well on the 380 only take the source address into consideration, when selecting one of the 2 sub-tunnels.
I’m running firmware version 8.0.0. Is this a bug?

Best regards,
Steven

2

Do you mind to share how you confirm this? :thinking:

1 Like
3

Hi,

The setup I tested with on the HD4 is as follows:
2 tunnels configured:

image
image821×325 31.9 KB

image
image823×314 30.4 KB

Just for testing: one outbound policy rule:

image
image749×331 62.1 KB

When I generate traffic to an IP-address in the 192.168.15.0/24 range, traffic is routed through tunnel 1 instead of tunnel 2 as specified in the policy.
Internet traffic is routed through WAN 1 in this case.

When I change the outbound policy rule to this:

image
image746×340 57.4 KB

Traffic for the range 192.168.15.0/24 is still routed through tunnel 1.
Internet traffic in this case is routed through tunnel 2, as expected.

Note that the range 192.168.15.0/24 is defined as a static route in the BP-380. It looks like the static routes for traffic to be routed through the tunnel override outbound policy rules.

Best regards,
Steven

4

@lanman, I need more info.

  1. May I know how you confirm/check the LAN to LAN traffic (from 172.31.100.0/24 to 192.168.15.0/24) is routed wrongly? Possible to provide the screenshot?

  2. May I know these two subnets - 172.31.100.0/24 and 192.168.15.0/24 is belong to which device?

  3. Please share the screenshot of Outbound Policies (Network > Outbound Policy) for Balance 380 and HD4.

  4. Have you created sub-tunnel in both Balance 380 and HD4?

1 Like
5

Hi,

The setup is as follows:

image
image984×307 18.7 KB

Outbound policie on the 380:

image
image737×331 8.4 KB

PepVPN status as shown on the HD4:

image
image829×554 33 KB

I have created the sub-tunnels on both devices. I can get traffic through the second sub-tunnel from the HD4. But only if I specify “any” as destination in the outbound policy on the HD4. In that case all traffic not destined for one of the subnets behind the 380 (as configured in the static routes of the 380) are routed through sub-tunnel 2 (traffic to the internet).

I can see from the status page that both tunnels are connected and working. It is just that traffic to local subnets on either side of the tunnel are always routed through the default sub-tunnel (1), regardless of outbound policy rules.

Note that in my previous post I used 192.168.15.0/24, which is just a subnet of the /22 LAN.
Does not make a difference.

Thanks for your help.

Regards,
Steven

6

@lanman, thanks for the diagram. I have a better understanding now. I suspect something is missing in your outbound policies. Can you provide a similar screenshot from Balance 380 and HD4? I wish to check the sequence of your outbound policies.

Screenshot_1
Screenshot_11695×918 165 KB

If you wish to check how the traffic routes through the sub-tunnels, please check at Status > Active Sessions > Search.

1 Like
7

The screenshot you provided shed some light! I didn’t realize that I could drag the rules above the gray “PepVPN/OSPF/BGP/RIPv2” line.
How are these rules evaluated?

–edit–
It is working as expected! Always learning something new.
Thanks for the help!

2 Likes
8

:clap::clap::clap: Glad to hear that!

1 Like