Hi,
We proposed a Balance 20x to act as an LTE failover for the a client’s fixed line internet and CPE firewall. We were going to use drop-in mode, but the client only has 1 static IP and purchasing a block of 5 is not an option. Their CPE firewall has 2 WAN ports. Is is possible to pass the public IP from the LTE to WAN 2 of their firewall or will we be wokring in a double NAT scenario? Also, is the 20x the best model for this setup?
You can still use drop in mode and share the single static IP.
Yes, but not when in drop in mode. Are you sure it has a public IP? most cellular IPs are not.
IN this case I would use drop in mode and either use Peplink InTouch if the inbound connectivity is just needed to access things on the LAN, or add a FusionHub and port forward from the WAN IP of the fusionhub over speedfusion VPN to the LAN of the Balance (so you get a single NAT hop and a single public IP that works seamlessly over whatever WAN connections are up).
Its a good box and seems like a good fit for your requirement here.
Is there a document on how to use Drop-in mode when they only have a /30 from the provider?
No, but here is an example - its really very easy.
Here is the untagged LAN on a B20X configured using shared Drop-In Mode on one of my customer devices:
Here is the additional VoIP VLAN configured.
I then present the VoIP VLAN on LAN ports 2 onwards (access mode) so that any dumb switch attached to those ports presents the VoIP VLANs to the handsets.
Here is the Drop In Mode Shared IP Help text:
Normally, this device consumes one IP address. If you do not want it to consume any IP address, check this checkbox. A Shared IP Address in Drop-In Mode Settings and a Management IP Address in Management IP Settings are required.
When this option is enabled, the Shared IP Address will be used in connecting to hosts on the WAN (e.g. email notification, remote syslog, etc.) The device will also listen on the IP address when hosts on the WAN access services served on this device (e.g. web admin accesses from WAN, DNS server, etc.)
The Default Gateway address will be used in connecting to hosts on the LAN (e.g. email notification, remote syslog, etc.) The device will also listen on the IP address when hosts on the LAN access services on this device (e.g. web admin accesses from LAN, DNS proxy, etc.)
Thanks Martin. You have been very helpful. I plan on setting this up on the bench on Friday. So I understand, the voice VLAN will use the default gateway as the outbound IP?
To access the phones remotely, we will use In Touch because the VPN is disabled?
Inbound Access rules still apply to the voice VLAN?
Speedfusion Cloud will still work on the voice VLAN?
CPE firewall will failover to LTE due to the outbound policy rule?
Yes.
VPN isn’t disabled. You can still use the Peplink WAN for SPeedfusion and thats what I do so SpeedFusion VPN using wired WAN and cellular to a hosted FusionHub to improve VoIP call quality. You can do user VPN to the FusionHub IP to do remote management if you like. Or use InTouch.
Yes
Yes (or self hosted FusionHub).
Yes - clever isn’t it?
I got everything up and running and I’m impressed. I have an issue accessing devices for InTouch. Error Access Error: Certificates do not conform to algorithm constraints. These normally don’t have an issue when not using Drop in Mode. I was referring to remote access via L2TP VPN to access the devices locally. I haven’t set up a FusionHub before, but something I would like to look into. We have been using Speedfusion Cloud with success for our clients.
Setting SIP as “high” will give voice priority even in DIM, correct?
InTouch issue was my end. Had wrong protocol. Working now.
Log it with Peplink Engineering for review.
Actually I don’t know. I don’t think you can set the port used for L2TP/IPSEC - I think its forcefully set to 4500, so if the gateway you are infront of doesn’t have any VPN service listening on 4500 it might work…
Yup.
Thanks again for your help. This is a game changer for us. We usually run parralel to the customer’s firewall. They don’t have to purchase additional static IPs as well.
Does the firewall throughput matter when in drop in mode? The CPE firewall will be a Sonicwall TZ570 with 2.5 Gbps of firewall throughput.
Sure. That’s rating is the fastest the Peplink can get data from LAN to WAN. You’ll be limited to ~900Mbps on the B20x. In fact, unless you connect using a SFP you’re limited to about that anyway as Peplink don’t support multi-gb ethernet natively on any device yet.
Hi Martin,
We had an issue where the bandwidth was not the same speeds when connected directly to the ISP. Are there any limitations on this?
What were the comparative speeds?
Hi Martin,
Speeds are actually fine. We are having an issue where port fordwarding is not working on the Sonicwall behind the Peplink. Also, the Sonicwall SSL VPN doesn’t work. Plugging the Soincwall directly to the ISP works fine. Have you run into this? Peplink states there shouldn’t be an issue and my ticket has been open for a few weeks with no resolve.
The same thing by any chance? ie Https not being forwarded?
You will have to move the web admin interface away from the default http/https ports to port forward inbound traffic on those ports through to the sonicwall.
Hi Martin,
We use 4343 and 4433 for the ports to access the Sonicwall. For testing, I changed the admin port of the Peplink to 9933 and it still didn’t work. I do see the traffic hit the Sonicwall, but it’s dropped. Plugging the Sonicwall directly to the WAN works fine. The question is, why does it look different when coming through the Peplink?
Here are the details from the Sonicwall- The destination IP is correct.
Hmm interesting.
So that drop code is for packets arriving with the wrong sequence number or in the wrong order… the question is why of course…
What firmware are you running on the Balance 20x? Upgrade to latest if not on 8.2.0.
I expect the sonicwall is on SonicOS 6.2 or below can you confirm?
On 6.2 and below there was an option on the diag.html page to turn off TCP sequence number randomization’ which might help here, but it would be good to work out why we’re seeing out of sequence packets first.
Is the port forwarding coming in over SpeedFusion VPN or direct to the original WAN IP?
Firmware is SonicOS Enhanced 6.5.4.5-53n
The HTTPS management over 4343 is coming direct through the original WAN IP.
Peplink Balance 20x is 8.2.0 build 5141
