Simplifying multiple Peplink devices handling multiple WANs


#1

I have a Balance One Core (with 5 WANs) and an older Balance 30 (3 WANs; no LTE). I now have more WANs than either can handle alone. Currently I have the 30 load-balancing two similar links and passing that to the One as single LAN. NAT, DHCP, etc. is set up on each device with unique local IP ranges.

I also have some Pepwave devices connected into Balance One WAN ports, set up similarly.

Is there a simpler way to set up this network so that most administration is more consolidated onto one of the routers, e.g., the Balance One, especially Outbound Policy, DHCP reservations, and Status (client list, sessions, bandwidth views)? I don’t want to use InControl.


#2

Can I connect two local Balance devices via PepVPN connecting a WAN port on each so that I can share more than 5 WAN links to the LAN, and do all of the DHCP to local clients from only one of the Balances? How could this be set up? Are there any performance penalties I should consider?


#3

No. But you can put one Balance on the WAN of another, giving you N-1, where N is the total number of WAN ports available on both Balance routers.

The primary router would act as the default gateway and provide DHCP for your local LAN segment; you would put the secondary Balance on one of its WAN ports. The secondary Balance would have a different (unique) subnet on its LAN.

For the primary balance to load balance efficiently it would need an indication of how much total bandwidth is available via the secondary balance.


#4

Thanks, that’s the way I’ve been running, but in trying to troubleshoot some issues, I’ve wondered if double NAT is contributing. It would be easiest to manage load balancing algorithms in one place for each distinct WAN, but the 13-WAN Balance is hard to justify for a home ;-). Just trying to make best use of the equipment I have. I’m actually triple-NATting in a couple of cases due to Pepwave MAX devices connected to the outer Balance. Generally things work fine, just a few edge cases.


#5

I would only leave NAT enabled on those WANs whose next hop is your ISP and use IP forwarding on the others. Use static routes on those routers with NAT enabled to show them where to route traffic back to the primary router’s LAN.


#6

So for example, if layer A are the ISP-facing routers, layer B is the middle Balance, and layer C is the Balance that runs the LAN…

Layer A has NAT enabled, layer B has IP passthrough, and only the innermost layer C Balance has DHCP enabled? What is the advantage of this, other than what I assume is slightly less processing to do NAT and DHCP at each layer? Or, conversely, are there disadvantages of NAT and DHCP enabled on all routers?


#7

The primary advantage is that inbound traffic only has one NAT hop. You can do NAT and PAT from the WAN of layer A routers directly to IPs of LAN devices on Layer C router. Also NAT sensitive applications (like VoIP) only have a single NAT hop to traverse outbound.

There is no real performance benefit to speak of, it just means you don’t have to do a bunch of NAT rules on each layer of devices to get traffic in from the perimeter.

Also, since there is no NAT between layers B and C, you can get outbound policies on layer B routers based on the real source IPs of LAN devices on Layer C…


#8

Thank you for the explanation. The last point is especially compelling for me since at layer B, not only is it harder to set outbound policies, it’s harder just to know what LAN device to attribute traffic to (e.g., when looking at active sessions). I’ll give this a try.


#9

As I’m thinking through this and preparing to test, two questions came up:

First, restating the assumptions:
• Only layer A (outermost) will have NAT; layers B & C will have IP Forwarding
• Only layer C (innermost) will have DHCP

The questions:

  1. Layer B is a Balance router with multiple WANs, so does IP Forwarding work on a per-session or per-packet basis and support multiple WANs?

  2. One of the layer A devices is a Pepwave MAX with two LAN connections: one connects directly to a WAN port on the layer C Balance, the other is to a VPN device (essentially a layer B device) which then connects to a different WAN port on the layer C Balance. Does IP forwarding support multiple LAN-side connections?

Presumably I still keep strong (inbound) firewall rules at each layer, but must provide static routes from outer layers to inner layers.


#10

  1. IP Forwarding is just NAT disabled and the router doing what normal routers do; this is session-based.
  2. Yes.

Yes.
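The layering described in the posts above (NAT only on the ISP-facing layer, IP forwarding on the inner layers, and static routes from each outer router toward every inner LAN) can be sanity-checked before touching the devices. The following is an added model, not Peplink code or anything from this thread; the router names, subnets and WAN addresses are constructed placeholders.

```python
"""Plan static routes for a chain of layered routers (constructed model).

Layer A faces the ISP, layer C runs the LAN. Each inner router's WAN port
sits on the LAN of the router one layer out, so an outer router needs one
static route per inner LAN subnet, with the next hop being the WAN address
of the adjacent inner router. Only the outermost router keeps NAT enabled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Router:
    name: str
    lan: str                 # LAN subnet this router serves
    wan_ip: Optional[str]    # its WAN address on the outer router's LAN; None for layer A


# Constructed example chain: A (ISP-facing) -> B (middle) -> C (LAN).
EXAMPLE_CHAIN = [
    Router("A", "10.0.0.0/24", None),
    Router("B", "192.168.30.0/24", "10.0.0.2"),
    Router("C", "192.168.1.0/24", "192.168.30.2"),
]


def check_unique_subnets(chain: List[Router]) -> bool:
    """Every layer must use a distinct, non-overlapping LAN subnet."""
    nets = [ipaddress.ip_network(r.lan) for r in chain]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"LAN subnets {a} and {b} overlap")
    return True


def plan_static_routes(chain: List[Router]) -> Dict[str, List[Tuple[str, str]]]:
    """Return {router: [(destination_subnet, next_hop), ...]} for each layer."""
    check_unique_subnets(chain)
    routes: Dict[str, List[Tuple[str, str]]] = {r.name: [] for r in chain}
    for i, outer in enumerate(chain[:-1]):
        next_hop = chain[i + 1].wan_ip
        # The inner router's WAN address must live on the outer router's LAN.
        if ipaddress.ip_address(next_hop) not in ipaddress.ip_network(outer.lan):
            raise ValueError(f"{next_hop} is not on {outer.name}'s LAN {outer.lan}")
        for inner in chain[i + 1:]:
            routes[outer.name].append((inner.lan, next_hop))
    return routes


def nat_enabled(chain: List[Router]) -> Dict[str, bool]:
    """NAT stays on only where the next hop is the ISP (the outermost layer)."""
    return {r.name: (i == 0) for i, r in enumerate(chain)}
```

With the constructed chain, A gets routes to both inner subnets via B's WAN address, B gets a single route to C's subnet via C's WAN address, and C needs none.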


#11

Sounds good. Thank you again!


#12

I’m trying to test this now on one of the Layer A Pepwave devices. NAT is still on. If I leave DHCP on, I don’t get the benefit of seeing and using LAN client local addresses in Layers A and B. But if I turn DHCP off, then how do I determine the LAN address of the Layer C main Peplink Balance router to put into the Static Route? Without a static route, the Pepwave will not connect to the Balance, and the Pepwave is unreachable.