PepVPN endpoint behind 3rd party firewall

I have a situation where I need to deploy a Peplink Balance One behind an existing firewall. However, this location is the destination endpoint for two other locations to connect to for PepVPN connections, as those two locations do not have public IPs, while this location does.

I’ve tried opening up the ports cited in this document (Peplink | Pepwave - Forum), but things don’t seem to be working correctly. I have never seen the VPN connections complete successfully.

If I completely remove the firewall and only use the Balance One, the VPN connections establish very quickly and never have any issues.

Questions:

Does the Balance One have to accept VPN connections only on WAN connections/physical ports, or can it be configured to accept them on LAN connections? This may be part of my problem - which IP/network to NAT the VPN connections to from the firewall.

What is the recommended configuration for this setup? Preferably I would like to not use the WAN connections AT ALL on the Balance One and have its LAN ports used for LAN as well as the inbound VPN connections.

Another question - since I’m really only using the Balance One for VPN, can I use FusionHub for this instead, and have it run as a VM and accept the VPN connections from the remote endpoints? That seems like a much simpler solution…

I suppose I should also mention that I need full routing between my local LAN and those remote Balance One sites, so if FusionHub can’t support forwarding traffic, then that wouldn’t be an option…

Drop-in mode can meet this requirement, but it’s only supported on Balance 210/310 and above.

You can, but FusionHub is purpose-built for DC environments. Pricing and specs wise, I won’t consider this option.

Back to your question, yes it should be on the WAN connection. If a similar profile works without the firewall, I will suggest double-checking the port-forwarding on the firewall, and also the IP addresses you’ve assigned.
In most cases, what you need to configure on the firewall is port-forwarding/static-NAT of TCP port 32015 and UDP port 4500 from the firewall WAN interface to the BPL-One’s WAN interface that runs on the same subnet as the firewall LAN.
If you have a network diagram, perhaps you can PM it to me to take a look?

Alternatively, my usual recommendation will be to deploy the Balance One in front of the firewall. The main reason is the scalability of supporting up to 2 WAN links.
Configuration wise, aside from what you already tested, you’ll need to reconfigure the firewall WAN interface, and also add a static route for the firewall LAN subnet on your Balance One, with the gateway pointing back to the firewall WAN interface.
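An external reachability check for the two forwarded ports named above, added here as an example (not code from the thread or from Peplink). It assumes you run it from a host outside the firewall against the firewall’s WAN address; the loopback self-test only illustrates what an open versus a closed forward looks like.

```python
import socket
import threading

# Ports quoted in the thread: TCP 32015 (PepVPN handshake) and UDP 4500 (data).
PEPVPN_TCP_PORT = 32015
PEPVPN_UDP_PORT = 4500

def tcp_reachable(host, port, timeout=3.0):
    # True only if the TCP handshake completes, i.e. the firewall passed the SYN
    # to a host that listens. Refused, filtered and timed out all return False.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False

def udp_probe(host, port, timeout=2.0):
    # UDP has no handshake: "refused" means an ICMP port-unreachable came back (a host
    # with nothing on that port); "silent" is inconclusive (dropped, or ignored as junk).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected, so ICMP errors surface as exceptions
        try:
            s.send(b"forward-check")  # constructed probe, not a PepVPN message
            s.recv(1500)
            return "reply"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "silent"

def check_pepvpn_forwarding(host, tcp_port=PEPVPN_TCP_PORT, udp_port=PEPVPN_UDP_PORT):
    return {"tcp": tcp_reachable(host, tcp_port), "udp": udp_probe(host, udp_port)}

def loopback_selftest():
    # Run both probes against throwaway listeners on 127.0.0.1, then again after
    # closing them; returns (open_result, closed_result).
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(1)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    threading.Thread(target=lambda: udp.sendto(*udp.recvfrom(1500)), daemon=True).start()
    tport, uport = tcp.getsockname()[1], udp.getsockname()[1]
    open_result = check_pepvpn_forwarding("127.0.0.1", tport, uport)
    tcp.close()
    udp.close()
    return open_result, check_pepvpn_forwarding("127.0.0.1", tport, uport)
```

A "silent" UDP result on 4500 with a reachable TCP 32015 usually points at the UDP forward or its protocol setting, so check that rule first.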

The issue is that I am running into the problem I reported here (Peplink | Pepwave - Forum) with the Balance One - throughput limitations on a gigabit connection, hence the reason there is a firewall in front of the BP One. If I swap them, then my throughput is impacted significantly.

It sounds like the only solution is to have a transit network between the firewall and BP One, connected to the WAN port on the BP One, and then have the LAN side of the BP One on the existing FW LAN subnet. Then advertise routes to the remote sites via the FW’s routing table to go back out the BP One.

FusionHub also still sounds like an option, as long as I can point static routes to it and it will forward those to the remote locations. I got a quote for the smallest implementation, and I’m OK with the cost.

That method you mentioned might be too tedious to configure and maintain in the long run.
Better if I can help you resolve the problem of establishing PepVPN tunnel through the firewall.
Perhaps you can open a ticket for us to check further on this.

For FusionHub, if you haven’t done so, there’s a 30-day trial available.
You can do so by following this installation guide.

I have FusionHub setup and running - very easy product to get going. Great job on that!

I have a test system with a Balance One as my firewall - is there some setting I need to put in to completely disable PepVPN on the Balance One? Even if I create port forwards to the FusionOne box, I don’t think the traffic is being forwarded.

I’d like to be able to test with this prior to making changes to the other production environment.

I created port forwards for TCP port 32015 and UDP port 4500 and forwarded them to the IP address of the FusionHub.

I happened to have a similar setup.

As per the following screenshot, create a dummy profile, and change the handshake port to an unused port.
The handshake custom port option will be accessible by clicking on the “Question Mark icon” in the top right corner.


Perfect! That got it up and running. I now have PepVPN/SpeedFusion connections going to the FusionHub, and all of the routing and other details are working just perfectly. Thanks for helping with this! This is a viable solution to my faster site with the firewall.

One other question:

Is there a recommended platform that can do 1Gbps WAN/LAN instead of the Balance One? I see a ton of choices in the Balance family, but I’m looking for one that can do this throughput and also isn’t super loud or loaded with other enterprise features I don’t need.

I’m looking at this as an alternative instead of using the FusionHub, and just replacing my existing firewall with Peplink Balance altogether, but it has to keep up with 1Gbps WAN to LAN.

You would need to go with a Balance 380 or higher Enterprise-grade model.

Ah thanks. That’s what I expected, and a bit overkill for this particular site.