PepLInk 380 Masking


#1

Hi
I am using the peplink 380 in one of our branches, and it is connected to our main office.
We are facing a problem regarding browsing within this branche.

Scenario is as below

1- MAchines Ip’s within our branch is 192.168.1.0/24
2- Wan Ip of PepLInk is connected to our main Firewall with Real IP 172.x.x.x

within the 192.168.1.0/24 i have machines who use Proxy within the browser to navigate, and the others do not use proxy to navigate.

How can PepLink treat this type of traffic? I want all the traffic from peplink to go through my firewall hence my firewall decide whether this user/ip go to the internet or no.

What is happenign now is that Peplink is masking teh origin IP and my firewall is only able to read the WAN ip 172.x.x.x

So or i allow this Ip to navigate through the firewall or no… as if all my branch is now one IP and i cannot diferenciate

Is there anyway to disable the maskign thet Peplink is doing so my firewall can detect the origin IP?

Thx

If any info is needed i am ready.


#2

Hello,

I am facing the exactly same problem.

Could you help me to remove the masking in the external interface Peplink?
But I need to remove the masking only of the remote branch that has the IP address 192.168.1.0/24.
When this origin goes out to the Internet, I need this requisition does not get masked.

Best Regards,


#3

Thank you for creating a ticket as well. Since you made a post here, I’m replying back in the forum. Normally what I suggest is to Drop-In your Peplink Balance 380 between your ISP modem and your firewall. Then 192.168.1.0/24 users can reach out to the firewall. Please see our KB article below.

I hope this helps.


#4

Hi Haruki… Thank u for ur reply.

I dont know how this Drop-In scenario can resolve our scenario… The guys within subnet 192.168 and not using proxy are redirected by the Peplink to the Wan interface whish is connected to my firewall … and my Firewall in all cases is not able to identify the prigin IP… and he is treating only the Ip used within the WAN interface…

I still dont know what we should do to let our Firewall identify the origin IP and treat each Ip alone.

Hope u got the idea about our current structure.

Thx


#5

when the http/https requests arrive in firewall at main site, the origin IP address
is maskared by Peplink WAN 1.
how can we remove this mask?

we need that the http/https requests from remote site arrive in the firewall with
the origin IP address (192.168.1.x/24)

Can you understand we structure?

Thank you.


#6

Thank you for the diagram. Now I got a better picture of how they are configured.

Your main goal is to route all the traffic originating from 192.168.1.0/24 at your remote site over to the firewall at your main site and filter http/https applications based on the IPs.
(I would call the Balance at the main site “BL1” and the Balance at the remote site “BL2”.)

More than likely, you would have to reconfigure this network at the main site in order to accomplish your goal, but I would like to ask you several questions here.

  1. At the main site, there is a device named “Balancer”. Is this another Balancer from another vendor?
    If so, what’s the model number?

  2. What kind of firewall is this? Please provide us with the model number.

  3. It seems to me that 192.168.2.0/24 clients at the main site have two routes to go out to the Internet.
    a. via 172.16.3.0/24 through the BL1
    b. via 192.168.1.0/24 and 172.16.10.0/24 through “Router”

    How are these clients differentiated if they can access the Internet or not with this setup? Is it based on which route the traffic takes, either BL1 or “Router”?

  4. How did you configure the SpeedFusion VPN tunnel between the two sites?
    (Just looking at the diagram, only MPLS seems to be used to establish the VPN tunnel. )

  5. Did you set up an outbound rule in the BL2 so that all the traffic is routed to the BL1 through the VPN tunnel?

  6. If that’s the case, do you see 192.168.1.0/24 clients under Status > Client List in the BL1?

The networks are being configured in a more complicated way than I thought. If the information I have requested should be confidential, we can deal with the case in our ticket system as well. Any feedback is much appreciated.


#7

Hello Haruki,

I will try answer your questions.

  1. At the main site, there is a device named “Balancer”. Is this another Balancer from another vendor?
    If so, what’s the model number?
    Other Vendor “A10 Network”

  2. What kind of firewall is this? Please provide us with the model number.
    Check Point

  3. It seems to me that 192.168.2.0/24 clients at the main site have two routes to go out to the Internet.
    a. via 172.16.3.0/24 through the BL1
    b. via 192.168.1.0/24 and 172.16.10.0/24 through "Router"
    b. via 192.168.1.0/24 and 172.16.10.0/24 through "Router"
    This is default traffic

How are these clients differentiated if they can access the Internet or not with this setup? Is it based on which route the traffic takes, either BL1 or “Router”?
When my clientes need go to remote office, the route redirect traffic to Peplink.

  1. How did you configure the SpeedFusion VPN tunnel between the two sites?
    (Just looking at the diagram, only MPLS seems to be used to establish the VPN tunnel. )
    The speedfusion is configurede MPLS and Internet with link aggregation.
    I can’t draw very good.
    SpeedFusion
    Main Site
    Link 2 and MPLS
    Remote Site
    Link 1 and MPLS

  2. Did you set up an outbound rule in the BL2 so that all the traffic is routed to the BL1 through the VPN tunnel?
    Exectly. In BL2 I configured all the traffic goes out to VPN Tunel.
    In BL1 I configured all the traffic to Internet goes out to Wan 1 ( Internet ).
    But the requests arrived in the Firewall only IP address Wan 1 Peplink.
    I need know Origin IP address remote Site that arrive in the Firewall Interface.
    Because I need filter what the clients can goes out from the internet.

  3. If that’s the case, do you see 192.168.1.0/24 clients under Status > Client List in the BL1?
    In the BL1 in Active session a can see 192.168.1.0/24 ( remote site clientes )

We need only remove masking goes out wan 1 interface BL1 when the traffic origin clientes before BL2, when destination in Internet.

Do you undertand our structure?


#8

Haruki lets make it much more simple than all that.
We have 2 types of users within our remote site
1- User who have proxy in there browsers
2- Users who dont have proxy in there browsers and will never have.

All the setup is working fine the way we want. unless for the users who dont have proxy.

What is happening is that our firewall is not identifying the ip of the user trying to browse because Peplink is masking the IP and sending to our firewall the WAN1 interface IP

So we are obliged to do one rule/policy for the WAN1 IP… and we should treat the WAN1 IP as if 1 client, which is not logical for us because within the users that dont have proxy we have directores who should have full access to the internet and we have normal employees who should have limited access to the internet.

When the user have proxy within his browser the request is hitting our firewall with the origin IP hence our firewall and proxy are able to treat it Ip per IP

What we want is to stop the masking on WAN1 interface and let the peplink send to our firewall the origin IP
based on that we will treat each IP aside and redirect it the way we want using the policy of browsing that we want.

If you need any further info let us know.

Thx


#9

Hakuri please can you give me a call so we can discuss this?

my number is +55 62 32501353

If you cannot call i can provide you with a LYnc invitation and we can have a VOIP call.

Appreceate your help.

Thx


#10

Thank you for the updates. I appreciate it. I got my team involved in this case, will reorganize your information and get back to you. Thank you for your patience.


#11

Thank you.
Just closed teh line with our colleague and left my number for you to call us

+55 62 32501353

We appreceate a prompt reply from yoru side… this project is somehow Hot and we need an answer from peplink quickly.

Thx


#12

Thank you both for providing these details, and I do understand what you are looking for. A new feature was added to the 5.4 firmware in the Balance that allows SpeedFusion peers to be content filtered at the main site.

Using this network for an example, you could have a LAN default route 0.0.0.0 pointing to the inside interface of the firewall (172.16.10.x) with the Balance LAN interface also on that same network. The LAN static route 0.0.0.0 would only be used for SpeedFusion peers. Would this kind of design work for you? I suspect this method could also simplify your deployment.