Problem with route updates on pepvpn


#1

I have two data centers, each with an HA pair of balance 710s, soon to be replaced with balance 2500s.

Remote sites have max-br1 with cellular backup.

This is a hub-to-spoke network, with no traffic allowed remote site to remote site.

Problem:
Even with “intervlan routing” unchecked on all devices, all devices receive all routes. The only thing that checkbox appears to do is apply a firewall to stop traffic.
At least, that is the way it is functioning for me. I noticed this because the hub 710s show the remote routes, but there is always one remote link that also shows routes to the other data center and back out to other remote sites. If that max-br1 is rebooted then those routes shift to another link. this is even with the allow intervlan routing unchecked on all the units.

This is a very serious problem for two reasons:

  1. by the end of 2016 I will have between 1,000 and 2,000 remote sites. It will be a massive waste of bandwidth and processor to update 2,000 routes to every node when they need just 2 for the two data centers. Especially since they will update every time a remote link goes up or down!
    That is assuming that the MAX-BR1 can even handle thousands of routes without choking

  2. the remote sites are different customers/companies. It is a massive breach of security to even show the existence of other networks. The fact that they are unreachable does not solve this. I WILL fail security audits.

Suggested solution: either by changing the functionality of the inter-vlan routing checkbox or addition of another control allow us to say “publish other vpn routes”.
or perhaps add it as a control in the pepvpn/speedfusion profile: “publish this route to other vpn clients”.

Does anyone else see this as a problem, or am I missing some benefit to publishing unreachable routes?
and sorry - I meant to post this in feature requests


#2

Hi,

I will move this to feature request. Let’s open to other’s for the suggestion.

Thank You


#3

This issue now ties in with a request I just made to have expert mode added to the max-br1 so that we can better control routing, and a bug report about turning on vlan support causing routing issues to the untagged lan.

I just ran into an issue where a customer with ipsec VPN connections to their data center and pepvpn connections to my data center (for hosted PBX service) had terrible problems with the routes. In addition to the problem with the untagged lan, we were unable to properly control the routes to keep the traffic to their data center going over the ipsec tunnel. It appears that the routes to the other pepwave units were overriding the routes on the ipsec tunnel, so traffic was flowing out over their internet wan instead of staying on their fiber connection.

I believe the solution requires multiple things:

  1. be able to control what routes are distributed over the prpvpn connection (i.e. tell it to NOT distribute the route on the ipsec tunnel)
    and - once the vlan issue is resolved, be able to say “distribute route for VLAN 27” and “no not distribute route for VLAN xx” (Reason - the only thing connecting across the prpvpn is the IP phones, connecting to my two softswitch clusters. Those phones will be on one vlan. all other devices, on the untagged lan just hit the Internet or connect to their serviers over the ipsec tunnel. But those devices MUST NOT be reachable over the pepvpn)
  2. Be able to set route metrics to say “here is the priority”, including ipsec tunnels
  3. be able to add static routes on the vpn and ipsec connections instead of just on the LAN.