Site to site VPN in front of firewall


#1

Greetings. I currently have a Balance305 that I works great. I currently leverage multiple WAN connections with it. I will have the need to connect a remote office site. I am thinking of making this VPN connection with peplink devices. I’ll either incorporate my existing 305 and buy a new one or may have the option of buying two new peplink devices. My current peplink sits before the firewall.

What are my options? Ideally I’d like to VPN between the peplinks and everything behind the peplink at the remote site would behave as if it were at the primary site. Could, would all traffic from the remote site come through the primary site’s firewall? Would I then even need a firewall at the remote site? How would the VPN tunnel work if a WAN interface went down? Can it auto failover to the secondary WAN without disruption or do multiple VPN tunnels exist?

Thanks for your thoughts and experience in advance.


#2

So many options! Almost too hard to reduce that down to a small list at this stage.

This is possible. Search for Layer2 VPN on this forum there are loads of great examples.

If using layer 2 yes. If using layer 3 you can choose which traffic comes over the VPN and which would break out locally to the internet.

Peplink devices have inbuilt stateful firewalls - these are normally more than adequate for most deployments.

You could use Hot Failover between available healthy WAN links.

Yes. Speedfusion Hot failover or bandwidth bonding will allow for seamless failover between healthy active WANs.

The big question you have is with the B305 sitting in front of your current firewall (on the WAN of your firewall I assume) how best to build a topology that suits your requirements. I would suggest you share a network diagram so that we can suggest some possible topologies taking into account your requirements and the type of firewall you currently have (and what firewall features you currently use).


#3

Thank you very much Martin! Below is my current network diagram at my primary site.

https ://pasteboard.co/Hgi5WpQ.png

Let me know what you guys think, and again, much appreciated!

I am unable to upload a file as a new user.


#4

OK, so if it was me from a topology perspective I would:

  1. Leave the 305 in its current position and add a VLAN to the 305 for remote site routing.
  2. Assign that VLAn to a spare LAN port on the B305
  3. Connect that LAN port to your Switch Stack and use L3 rules there to decide / define inter vlan routing rules that suit your purpose.

From the perspective of Layer 2 (bridged) or layer 3 (routed) you can choose either. Personally I prefer the simplicity of working with Layer 3 routing so that’s Likely what I would do. Although if you did use L2 then devices at your remote sites would be transparently bridged to the new VLAN on your switch and use your Watchguard as their default gateway so there might be utility in that configuration.

When you add more Peplink remote sites (in L3), you could just set a route in your switch stack (or on your watchguard - wherever you manage routing) that sets the new B305 VLAN IP as the gateway for the remote subnets.


#5

I like your idea!! Would my remote LAN be on the same subnet or VLANs that I currently use at the primary site?Would all traffic from my remote site go over the PepVPN/Speedfusion tunnel(if use L2), eventually hitting the watchguard for everything, including internet traffic(would get the benefit of not having a firewall at the remote site and take advantage of our existing services on the watchguard)? Is that a bad idea for routing? Do you think the remote site would take a performance hit because of it? If I went L3, would the peplink be the default gateway then for the remote site?

Also, Im new to peplinks. Is there an advantage to use one or the other in regards to SpeedFusion or PepVPN?

Thanks.


#6

I just looked and my 305 only has 1 LAN port, but 3 WAN ports. You mentioned a spare LAN port above. Would that be the 1 WAN port I have left?


#7

You have an older HW version with a single LAN port… latest version has 3 LANs. Not the end of the world, you could use a spare WAN for the remote site traffic but it would restrict you to layer 3 topologies.

To do this you would:

  1. Connect a spare WAN (eg WAN2) to a new or existing VLAN on your switch stack.
  2. Set the WAN to IP forwarding (so disable NAT)
  3. Create an outbound policy rule for traffic from the Watchguard to only use WAN1
  4. Create an outbound policy rule for all other traffic to be be sent via WAN 2.
  5. Add a static route to your switch stack / watchguard that sends remote site traffic via the WAN2 IP.

OR you could put a managed switch on the LAN of the B305 to give you the ports you need to make the original plan work.

in answer to your earlier questions:

They could if you wanted. With a Layer 2 PepVPN you are creating a transparent bridge between physical ports at the remote site and/or VLANs at the remote site. If you bridged physical ports, you could then pass multiple VLAN tagged traffic across the Layer2 VPN. Or you could bridge a single VLAN. Whatever works best for you.

Yes. When using Layer2. Although you could bridge a single VLAN over Layer 2 for some devices at a remote site (which would then access the internet via your current watchguard), and let others break out directly to the internet locally (using Layer3).

It depends. You will add latency to the internet traffic, and your current site would need to have enough bandwidth to cope in that internet relay role. The Balance 305 also will need to support enough PepVPN/Speedfusion throughput. The other thing to worry about is multicast broadcast traffic since in L2 that will traverse the VPN also. This can be desirable (for easy network discovery and some special types of traffic / discovery protocols like SONOS) but is often a waste of bandwidth.

Yes. You’ll immediately lose 19% of available bandwidth to VPN overhead and latency will increase which will ultimately affect bandwidth availability also.

Yes, but you can still choose to force internet traffic over the VPN to breakout at your current site via the watchguard. Or not. Layer3 gives you more granular control of where different types of traffic will be routed.

Sure. A device will full speedfusion capability can be much more resilient than one without. You can take advantage of bandwidth bonding & packet level failover for VPN so your VPN sessions stay up even when a WAN link fails. This can make VoIP uninterruptible and keep file transfers and the such going even when WAN links are unreliable. When combined with 4G (either USB dongles or if using the MAX devices embedded modems) you can keep a remote site seamlessly connected to your head office even when the fixed line internet connection fails.

You size Peplink devices by the number of WAN ports, the number of supported remote peers (ie remote sites that you want to connect to), their Speedfusion/PepVPN throughput capability and their standard routing throughput capability. Same with the MAX range of products, but then you can also consider the number of 4G WAN connections too.


#8

OK Martin, I finally got management to budge and spend some money! What I would like to do is buy three new Balance 380’s, I would use two of them in an HA configuration at HQ and the third one at the remote site by itself. I would pre configure the old B305 as a warm spare at the remote site in the event the 380 there craps out.

Would you please mock up a design that incorporates this in the original design? I really appreciate the diagram. It helped big time when I went to management. What do you think?

Thanks again.


#9

Always good to get some new kit - good stuff!

The topology would be the same as this:

But instead of the B305 you would use a pair of B380’s in HA - look at this article here:


#10

Thanks again! What app did you use to make that network map? Would I be able to edit it to add the other Peplink for documentation purposes?


#11

I use gliffy.com for my diagrams.


#12

Nice. I signed up for a free trial. Is there anyway to import what you have here already in? I tried with the png file but it didnt work.


#13

Here is the diagram I drew for you - in gliffy format. You should be able to import it.


#15

Hello Channelzer0,

You could set this up in a couple of different ways. One of the more simple ways would be to use two switches, you connect one ISP to each switch and run two ethernet connections from each ISP switch to each Balance. Between the firewall and the Balances setup another switch and connect each Balance to this switch, and than the switch to the firewall. A diagram of this deployment can be found in this post here.

You could get away with one switch between the ISPs by configuring some of the ports to be access ports.


#17

Hi!

Did you build a loop in your test-setup with the L2-VPN?