Replace MPLS and backup site: design question


#1

Hello all,

We want to remove MPLS using Peplink appliances, but we have some questions about whether it’s possible and how to do it… so any help will be appreciated :slight_smile:

  • What we have right now is a classical MPLS WAN, with a backup site, as you can see here:


As you can see, all traffic is sent to the HQ site. The servers are there, and people are working on them. When some traffic needs to go to the internet, it goes through a “dedicated” link protected by a firewall. No problem.

  • What we want to do is to remove the MPLS and build a WAN using SpeedFusion links between Peplink appliances, something like this:


My first question is: is it possible to use the same Peplink appliance on the HQ site to build the SpeedFusion links with all sites, AND receive the internet flow after the firewall check?

As you can see, we want to aggregate links to maximise the SpeedFusion links. Can we build something to make sure the internet traffic coming from the remote sites will be routed to the firewall and, if not dropped, routed back to the Peplink to go to the internet and not over SpeedFusion?

Any advice about what to do and how? Using drop-in mode and a forced route on the firewall? Other ideas?

  • …of course, we want to be able to use the backup site, just in case we lose the HQ one. So we want to be able to do something like this:


Do you think it’s possible? Any advice about what to do and how?

Thank you very much for your help, and perhaps someone has already built something like this: any feedback will be greatly appreciated.


#2

This application will work just fine, you just need to create two SpeedFusion tunnels - one to the HQ site and one to the DR site. Then you just need a simple priority-based outbound policy rule at the remote sites to route all traffic across the SpeedFusion tunnel. Priority 1 will be the HQ and Priority 2 will be the DR, and all traffic will go to the HQ unless it goes down, then all traffic would route to the DR site.

This is very easy to configure and will work very well.


#3

Dear Tim,

Thank you very much for your answer, so the last part of my question, regarding disaster recovery, is settled. Fine!

What about the first question, regarding the ability to use the same WAN links and Peplink appliance to first receive all flows from the remote sites through SpeedFusion links and then, when a flow from a remote site has to go to the internet, hand it to the firewall (to check firewall rules like “ok to go outside our private WAN” or “this user can go to this URL”), and then hand it back to the Peplink appliance to go outside, of course not through the SpeedFusion links in this case?

We really don’t want remote-site people going directly to the net without being filtered by the HQ firewall.

Thank you very much.


#4

You can send all internet traffic from the remote sites through a SpeedFusion VPN. The Peplink at the HQ site can have a LAN default route of 0.0.0.0 for SpeedFusion peers that points to a device on its LAN for the purpose of content filtering.


#5

Dear Ron,

Thank you for your answer.

I’m probably wrong, but I’m afraid of something:
Adding a LAN default route of 0.0.0.0 that points to the firewall, as you say, will surely redirect all incoming flows from the LAN to the firewall, so the firewall will be able to do the check. Perfect.
BUT if it’s OK (the firewall rules let the packet go outside), the firewall has to forward the packet outside: I’ll probably give it the Peplink as gateway (what else is there to go outside? I don’t want any other link anymore). So the packet will come in once again to the Peplink, through the LAN port… and because of the 0.0.0.0 route, the packet will be forwarded once again to the firewall, won’t it?

Perhaps the solution would be to add a LAN rule on the Peplink saying that packets coming in from [firewall’s IP address] are sent outbound to the net? That rule should then be placed before the 0.0.0.0 one. Is that correct?

Thank you for your help.


#6

Since you mentioned that you don’t want remote site people to directly go to the internet without being filtered by the HQ firewall, I suggested the previous method. You can certainly use the stateful firewall in the Balance.

If internet traffic from the remote sites is routed through the SpeedFusion VPN, by default it is sent out the WAN links at the HQ side. Outbound policy rules are used to determine which WAN links to use, and firewall rules can be applied in the Balance for inbound or outbound traffic.


#7

I’m already doing something similar with my HQ site as we work towards getting rid of MPLS. Sinisan, I will describe it the way I picture it and maybe that will clarify how to do this.

HQ:WAN#1 has an internet connection to receive SpeedFusion tunnels

HQ:WAN#2 has a connection to our LAN that allows uplink to our main firewall (be careful with how you handle NAT)

HQ:LAN has a connection to our LAN to allow HQ traffic to reach SpeedFusion tunnels and remote sites. This also has static routes pointing to a Cisco Router to reach HQ subnets. If traffic from the remote site is destined to HQ, it does not use outbound policy.

On our Cisco routers, we have static routes that point to HQ:LAN interface for the remote site subnets.

On HQ Peplink, we have an outbound policy that states the following for traffic received from the remote sites:
>>Priority 1, use HQ:WAN2 to be filtered through our firewall
>>Priority 2, use HQ:WAN1(not the SpeedFusion tunnel) to go to internet without filtering

The only reason we have the Priority 2 rule is to allow traffic to continue reaching the internet, even though it’s unfiltered, in the event of a firewall or HQ:WAN2 link failure.

HTH, sorry if it seems long winded. If anyone knows how to better do this, please let me know. There is always room to improve.
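As an added illustration (not code from the thread, from Peplink, or from any of the posters), here is a small Python model of the HQ outbound policy discussed in posts #2, #5 and #7: priority-ordered egress with fallback to the DR tunnel, and the rule-ordering question from #5, where a firewall-source exception placed below the catch-all 0.0.0.0 route never fires and the returned packet loops. All addresses, interface names and the NAT behaviour of the firewall are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Callable, Dict, List, Optional
# Constructed sample addressing for the simulation; none of it comes from the thread.
REMOTE_SITES = [ip_network("10.10.0.0/16"), ip_network("10.20.0.0/16")]
REMOTE_HOST = ip_address("10.10.5.7")        # a PC at a remote site
FIREWALL_IP = ip_address("192.168.1.254")    # hypothetical HQ firewall LAN address
INTERNET_HOST = ip_address("203.0.113.10")   # documentation-range stand-in for a web server
HOP_LIMIT = 8                                # ends the simulation if the packet loops

@dataclass
class Rule:
    name: str
    match: Callable[[IPv4Address, IPv4Address], bool]
    egress: List[str]  # priority order: the first healthy egress is used

def choose_egress(rules: List[Rule], src: IPv4Address, dst: IPv4Address,
                  link_up: Dict[str, bool]) -> Optional[str]:
    """Outbound policy: the first matching rule wins, then its first healthy egress."""
    for rule in rules:
        if rule.match(src, dst):
            for iface in rule.egress:
                if link_up.get(iface, True):
                    return iface
    return None

def trace(rules: List[Rule], src: IPv4Address, dst: IPv4Address,
          link_up: Dict[str, bool], firewall_permits: bool = True) -> List[str]:
    """Walk one packet through HQ; the firewall is assumed to NAT to FIREWALL_IP and hand it back via the Peplink LAN (post #5)."""
    path: List[str] = []
    for _ in range(HOP_LIMIT):
        egress = choose_egress(rules, src, dst, link_up)
        if egress is None:
            return path + ["dropped: no usable path"]
        path.append(egress)
        if egress != "firewall":
            return path + ["internet"]  # any WAN egress leaves HQ directly
        if not firewall_permits:
            return path + ["dropped by firewall"]
        src = FIREWALL_IP  # the packet re-enters the Peplink LAN with the firewall as source
    return path + ["loop"]

is_remote = lambda src, dst: any(src in net for net in REMOTE_SITES)
from_firewall = lambda src, dst: src == FIREWALL_IP
anything = lambda src, dst: True
# Post #2: remote sites prefer the HQ tunnel and fall back to DR when it is down.
SITE_POLICY = [Rule("remote -> HQ, then DR", is_remote, ["SpeedFusion-HQ", "SpeedFusion-DR"])]
# Post #5: the firewall-source exception only breaks the loop when it sits above the catch-all.
LOOPING = [Rule("default 0.0.0.0 -> firewall", anything, ["firewall"])]
FIXED = [Rule("from firewall -> WAN1", from_firewall, ["WAN1"])] + LOOPING
```

Running `trace(LOOPING + FIXED[:1], REMOTE_HOST, INTERNET_HOST, {})` shows the wrong ordering: the catch-all matches first every time and the path ends in `"loop"`.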