PepVPN traffic through firewall in pass-through mode


#1

Our design is a Balance 580 “above” the firewall in pass-through mode. This works great and lets the Balance handle failover and the firewall does the antivirus, content filtering, and reporting on user activity based on Active Directory login. When we add locations via other Balance units or Max BR1’s with PepVPN, we want all traffic to go back to the Balance but go out the firewall. Is that possible? When we setup a profile and checked “Send All Traffic to Remote Hub”, it did route everything through the Balance but then it goes right out the WAN side of the Balance when what I want it to do is route that to the LAN IP of the firewall to get out to the Internet. So the goal is to have all PepVPN traffic go through the firewall but the firewall is “below” the Balance. Is there a way to do this?

Thanks,

John


PepVPN all traffic through firewall with IPSec tunnels
#2

Good news, there is a way to do this. You are already on the right track with the first step by sending all traffic from the remote site through the VPN. The Balance 580 simply needs a 0.0.0.0/0.0.0.0 static route pointing to your firewall. The 0.0.0.0 static route is for VPN peers only so you can do content filtering with your firewall. The firewall then NATs the traffic from the original source when going out to the internet.


#3

Awesome. So where to I add that Static Route. I don’t really have a way (that I see) to add one for the SpeedFusion VPN. Do I add it to the LAN/Network Settings? I do have Static Routes there that routes traffic to the internal LAN networks to the External WAN IP on the firewall. Is that where I add the default route?


#4

Yes, under: Network> LAN> Network Settings - the static route of all zeros will only be used for the VPN peers. The firewall does a NAT for internet traffic which ultimately uses outbound policy rules in the Balance.


#5

Worked like a charm. Thanks! I do have a big speed drop going through the PepVPN but I’ll start a separate thread for that.


#6

One big caveat on this, it also forwards the InControl traffic through the firewall when you add that 0.0.0.0 rule and not just the VPN traffic. As soon as we added the 0.0.0.0, all the PepVPN remote traffic did indeed go through the firewall and we just needed to add firewall NAT rule to NAT that traffic going out but it worked perfect. But for the Balance itself trying to get out to InControl, we see that traffic coming from the WAN IP of the Balance. This setup is Pass-Through so the Balance has a external IP and the firewall of course has another. So I’m not 100% on how I’d handle traffic. I don’t think I can NAT the Balance WAN IP traffic to be the firewall WAN IP. I may be able to just add a rule without NAT’ing but I usually see devices have issues with the requests come from one device (the firewall) but then returns direct to another device (the Balance). For now, we just backed out that static route to test after-hours onsite.

Any insight is appreciated. Again, everything worked great and our remote PepVPN clients immediately had content filtering through the firewall which was awesome…but we then InControl showed the Balance as offline.

Take care,

John


#7

Hi John,

Please enable Expert Mode on remote PepVPN peer to allow local break out for InControl2 traffic.

Expert Mode for Balance router


Expert Mode for BR1


Hope this help.


#8

Awesome! Thanks.