I’m new to using Peplink devices so I’m not sure if what I’m trying to do is not possible or if I’m missing something.
Background:
We have the MAX BR2 Pro for another project but I’m currently evaluating it as a 5G replacement for the current devices we use to remotely access our hardware at a customer site. I’m assuming that something cheaper like a MAX BR1 Mini 5G will have the same features as the MAX BR2 Pro aside from the obvious hardware differences.
We need to be able to SSH into our hardware and to be able to transfer files back and forth. We are using scp to do the file transfers.
Problem:
I cannot use an SSH tunnel to connect to a computer through the MAX BR2 Pro.
I can SSH into the MAX BR2 Pro through its public static IP address but when I try to connect to the remote device, I get the following errors.
Window 1:
PS C:\> ssh -L 10000:192.168.1.2:22 -p 8822 [email protected]
>
> channel 3: open failed: administratively prohibited: open failed
>
Window 2:
PS C:\> ssh -p 10000 [email protected]
kex_exchange_identification: read: Connection reset
Connection reset by 127.0.0.1 port 10000
PS C:\>
From my googling, the recommended solution for this error is to make sure TCP forwarding is enabled in the sshd config file. I believe this is not directly possible with the Peplink device. Am I missing this option somewhere in the settings?
I have not configured the firewall at all, and it appears to allow everything by default.
The MAX BR2 Pro is on Firmware version 8.5.1 build 5714.
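The "administratively prohibited" error above comes from the SSH server refusing the direct-tcpip channel that ssh -L opens, which on an OpenSSH server is governed by the AllowTcpForwarding and PermitOpen directives in sshd_config. The following is an added example, not code from the thread or from Peplink; it checks whether a given sshd_config would accept a local forward to a target host:port. It cannot be run against the router's own sshd (whose config is not exposed), but it applies to an ordinary OpenSSH host such as the end device behind the router. Assumptions not from the page: the sample configs are constructed, only the global section is evaluated (Match blocks are ignored), and first-occurrence-wins semantics are used for every directive.

```python
"""Static check: would an OpenSSH sshd with this config accept
ssh -L <lport>:<target_host>:<target_port> (a direct-tcpip channel)?

Added example; not from the original thread or from Peplink.
Assumptions (not from the page): global section only, Match blocks are
not evaluated, and the first occurrence of a directive wins.
"""
import re

# Constructed sample configs for illustration; not from any real device.
SSHD_CONFIG_DEFAULT = """
Port 22
AllowTcpForwarding yes
"""

SSHD_CONFIG_LOCKED = """
Port 8822
# -L tunnels through this host fail with 'administratively prohibited'
AllowTcpForwarding no
"""

SSHD_CONFIG_RESTRICTED = """
Port 22
AllowTcpForwarding local
PermitOpen 192.168.1.2:22 10.0.0.5:443
"""


def parse_sshd_config(text):
    """Return {lowercase directive: [values]} for the global section.

    Stops at the first Match block, since those directives apply
    conditionally and a static check cannot evaluate them (assumption).
    Keeps the first occurrence of each directive, as sshd does.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key val' or 'Key=val'
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in opts:
            opts[key] = parts[1].split()
    return opts


def forward_allowed(config_text, target_host, target_port):
    """Decide whether a -L forward to target_host:target_port would be
    accepted. Returns (allowed: bool, reason: str)."""
    opts = parse_sshd_config(config_text)
    mode = opts.get("allowtcpforwarding", ["yes"])[0].lower()
    # 'local' permits only -L style (direct-tcpip); 'remote' permits only -R.
    if mode in ("no", "remote"):
        return False, f"AllowTcpForwarding {mode} blocks direct-tcpip channels"

    permits = [p.lower() for p in opts.get("permitopen", ["any"])]
    if "none" in permits:
        return False, "PermitOpen none prohibits all forwards"
    if "any" in permits:
        return True, "forwarding permitted"
    for entry in permits:
        host, _, port = entry.rpartition(":")
        host = host.strip("[]")  # IPv6 literals are written as [addr]:port
        if host in ("*", target_host) and port in ("*", str(target_port)):
            return True, f"PermitOpen entry {entry} matches"
    return False, f"no PermitOpen entry matches {target_host}:{target_port}"


def main():
    cases = [("default", SSHD_CONFIG_DEFAULT), ("locked", SSHD_CONFIG_LOCKED),
             ("restricted", SSHD_CONFIG_RESTRICTED)]
    for name, cfg in cases:
        for host in ("192.168.1.2", "192.168.1.3"):
            ok, why = forward_allowed(cfg, host, 22)
            print(f"{name:10s} -> {host}:22  allowed={ok}  ({why})")


if __name__ == "__main__":
    main()
```

On a Linux end device the same check is done live with `sshd -T | grep -i -e allowtcpforwarding -e permitopen`, which prints the effective values after all config processing; the static parser above is useful when you only have a copy of the file.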
That way I can manage access to internal resources through InControl user management and I force users to use MFA so it’s quite neat.
Or I will sometimes host a Fusionhub on an internal network (port forwarding just the ports needed for Speedfusion VPN), get the remote devices to build Speedfusion VPN tunnels to that Fusionhub, then set up port forwarding rules on the Fusionhub to the LAN IPs of the remote devices I need to get access to. Works well but requires more clicks to configure.
SpeedFusion VPN is how I do this. We use FusionHub to aggregate and have it own, say, a /16 block. We then use BGP to advertise that /16 to the rest of the infrastructure and we can SSH/SCP to any end device on the /16 that’s “owned” by the FusionHub and its subordinate devices in the field.
You can either use InTouch, or set port forwarding on the BR2 to forward SSH from the public IP directly to the end device.
(With the port forward in place, when you SSH to the router you’ll actually hit the end device’s sshd directly.)
I was able to SSH to the device behind the router using InTouch but I don’t know how that would be easily possible via a script. We already have a few bash and python scripts to automate routine functions.
I was also able to use the OpenVPN under the Remote User Access Settings very easily to do everything I would need to. The only holdup there would be getting allowance from corporate IT.
Doing the port forwarding for each device also worked for me but we have some security concerns about having ports open on the internet that directly go to our hardware.
And, as for having a FusionHub setup, we’re trying to keep this as simple as possible so that someone not as knowledgeable as myself in networking or the Peplink environment can keep this setup going.
So it looks like for now, we’re just going to keep going with our current solution and review the available options again sometime down the road.