Peplink behind Firewall on WAN Port (Ports)

Hi,

sorry if this has been asked before, but maybe I’m not experienced enough with network and firewall configuration to understand it right:

We have a Peplink 310 5G and a Fusion Hub on Vultr.
We have the common task to use existing LAN connections from our clients for the internet connection. We connect this client-LAN to the WAN port of our Peplink. Mostly we use DHCP but sometimes we get an IP address from our clients.
In addition to that we secure the connection with 2x 4G/5G connections on our Peplink with WAN smoothing to ensure the connection is stable, even if the client WAN fails. We send all of our traffic through SpeedFusion to our Vultr FusionHub (Dynamic Weighted Bonding).

What I don’t understand is: do we need any port forwarding or special firewall configuration on the client side (the connection that is connected to the WAN port of the Peplink) to make that work? We haven’t had any problems yet with lots of different client WANs, but sometimes the clients ask if we need special ports or firewall rules. I know about port 32015 and 4500. I tested this in our office. But even if these ports are not configured to be forwarded in our office firewall, the Peplink uses this WAN connection for SpeedFusion bonding anyway.

Could it be that the handshaking process with FusionHub is being processed through one of the cellular connections and is therefore not needed on the WAN port?

I would be happy to know what is going on here.

Thanks and cheers

Robert

This is a really good question.

No you don’t need inbound port forwarding on any of your B310 5G device WAN connections.

This is because when Speedfusion VPN builds the tunnels (in your case) it will initiate / build them outbound towards the public IP of the Vultr hosted FusionHub.


Dear Martin,

thanks for the reply.

Just a quick question about your answer:

How does inbound traffic to the B310 work then if port 4500 isn’t configured for forwarding?

I just want to understand how the tunneling works to have an option to troubleshoot.

Thanks again and cheers

Robert

The B310 creates an outbound session to the FusionHub on TCP 30215 (the handshake port). Outbound traffic works fine as it passes through all the NAT routers and the source port for that traffic doesn’t matter, just the fact that it hits port 30215 on the hub.

During the handshake process, the B310 tells the hub about all of its available WAN links and lets it know to expect tunnel traffic from those WANs. The B310 and Hub also do the security piece at this stage, setting encryption levels and verifying pre-shared keys.

Once security is sorted, the B310 starts building outbound UDP sessions targeting UDP 4500 on the Hub. The source port is randomly assigned in a high range by NAT.

The hub accepts the UDP sessions (assuming encryption / identification passes) and assigns each tunnel to the logical SpeedFusion VPN container.
You can then see (in Status > SpeedFusion) on the hub the source IP and port for each remote WAN on the remote peer.

Additionally, if port 32015 is open for both TCP and UDP then a single port can be used for data and handshake.

Also, if you use sub-tunnels then each new tunnel terminates on a new port on the Hub incrementally (so 4501, 4502 etc.).


Thanks again Martin for that detailed post.

What I still don’t understand is how the inbound traffic to the B310 works when there is no port forwarding. How does FusionHub get its traffic to the B310 without any forwarded port?

Thanks again and cheers

Robert

This is a result of NAT. When the outbound connection is initiated by the B310, all NAT routers let that traffic out to the remote endpoint and keep track of the outbound connection’s source and destination IPs. Then, when the remote endpoint sends traffic back, the NAT router looks up the list of connections it is keeping track of and lets the traffic back towards the B310x if it comes from an IP that the B310x has already talked to.
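As an added illustration of the NAT behaviour described in this reply (example code written for this page, not from the thread or from Peplink): a toy stateful NAT table in Python. It assumes constructed addresses, takes TCP 32015 as the handshake port and UDP 4500 as the first data port, with sub-tunnels on 4501, 4502 as described above, and shows that hub replies are delivered while unsolicited inbound packets are dropped.

```python
# Added example (not from the thread): a toy stateful NAT router in front of the
# Peplink's WAN port, showing why no inbound port forwarding is needed.
# All addresses are constructed; the FusionHub IP is a placeholder.
from dataclasses import dataclass, field

HUB_IP = "203.0.113.10"         # placeholder FusionHub public IP
B310_WAN_IP = "192.168.1.20"    # constructed private address on the client LAN
NAT_PUBLIC_IP = "198.51.100.5"  # constructed public IP of the client's NAT router
HANDSHAKE_TCP_PORT = 32015      # assumed handshake port (as named in the thread)
DATA_UDP_PORT = 4500            # first tunnel port; sub-tunnels use 4501, 4502 ...

@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40000                     # high-range translated source ports
    table: dict = field(default_factory=dict)  # (proto, pub_port) -> recorded flow

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate an outbound packet and remember the flow it belongs to."""
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(proto, pub_port)] = (src_ip, src_port, dst_ip, dst_port)
        return pub_port

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Deliver a packet only if it matches a flow the inside host opened."""
        flow = self.table.get((proto, dst_port))
        if flow is None or (src_ip, src_port) != flow[2:]:
            return None                        # unsolicited: dropped by the NAT
        return flow[:2]                        # (inner_ip, inner_port)

def simulate(sub_tunnels=2):
    nat = NatRouter(NAT_PUBLIC_IP)
    results = {}
    # 1. Outbound TCP handshake; the hub's reply matches the recorded flow.
    p = nat.outbound("tcp", B310_WAN_IP, 51000, HUB_IP, HANDSHAKE_TCP_PORT)
    results["handshake_reply"] = nat.inbound("tcp", HUB_IP, HANDSHAKE_TCP_PORT, p)
    # 2. One outbound UDP session per tunnel, each to an incrementing hub port.
    for i in range(sub_tunnels):
        hub_port = DATA_UDP_PORT + i
        p = nat.outbound("udp", B310_WAN_IP, 52000 + i, HUB_IP, hub_port)
        results[f"udp_{hub_port}_reply"] = nat.inbound("udp", HUB_IP, hub_port, p)
    # 3. A packet the B310 never asked for (unknown host, no matching flow) is dropped.
    results["unsolicited"] = nat.inbound("udp", "192.0.2.99", 4500, DATA_UDP_PORT)
    return results

if __name__ == "__main__":
    for name, inner in simulate().items():
        print(f"{name}: {'delivered to ' + str(inner) if inner else 'dropped'}")
```

The check a client-side firewall admin actually needs is therefore an egress one (outbound TCP to the handshake port and outbound UDP to 4500 and the sub-tunnel ports), not an inbound forward.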