Speedfusion and Outbound Policies

I will provide a network map of exactly what I need to be able to do. Give me a day or 2, thanks.

http://www.gliffy.com/go/publish/image/9415747/L.png

Thanks Martin for recommending Gliffy a while back. Cool platform.

Requirements:

  1. Provide numerous different customers with ability to have a Speedfusion peer back to our FuseMe Data Center.
  2. Only Hosted VoIP LAN at remote customer sites should be tunneling via Speedfusion peer. (VoIP Traffic, UDP SIP and RTP)
  3. Remote Hosted VoIP Subnets should communicate back to FuseME Data Center utilizing WAN Smoothing and Bandwidth Bonding.
  4. Remote Hosted VoIP Subnets should NOT be able to communicate with each other. Each Speedfusion peer should be completely separate from the next because each peer will be for a totally different customer.
  5. All remote Hosted VoIP subnets will first as a priority algorithm run through Speedfusion peer and if peer fails then all Hosted VoIP Traffic will revert out remote site local ISP.

Purpose:

  1. To give our customer base an added service for Qos for VoIP Phones and Data.
  2. To have the ability to sell our customer base a single Speedfusion peer.
  3. To use Speedfusion peer for VoIP phones in the event ALL or 1 of remote customer ISP’s is having packet loss, latency, and so forth. Use as an emergency peer until we resolve issues with customers local ISP’s.

Recommendations:

  1. Any recommendations on how I should set up remote location customers Outbound Policies for the VoIP subnets to run back to the FuseMe Data Center Balance Devices would be greatly appreciated.
  2. Any recommendation on how to set up Internal Firewall Rules for an environment like this and how to make it that each Speedfusion peer CAN’T communicate with one another would also be greatly appreciated.
  3. Any type of visual picture would help a lot as I am a much faster learner via visuals.

Thanks,

TJVoIP45

Hi Tjvoip45,

Thanks for the info. We have a better understanding now. Looks like a multitenant design is needed. You have 2 options.

  1. Deploy FusionHub on Data Center
  • This is the recommended design to support a multitenant environment. FusionHub is more scalable.
  • FusionHub for MSP is suitable for your environment. The design and connection are more simple and straightforward. Please find here for more details.
  2. Deploy Balance router on Data Center with SpeedFusion NAT mode enabled.
  • This is not scalable. Anyway it is good to go if the production environment is already installed with those Balance routers and you just want to implement SpeedFusion with the current setup.

Do let me know which option you prefer. We can discuss and provide further advice on this.

Thank you.

Thanks TK, I am going to go with option 2 at this point in time. I enabled NAT Mode at Data Center 380 end Speedfusion. Could you let me know exactly how this works and if I am going to be able to accomplish having up to 20 Speedfusion Peers from different customers back to the 380 without those peers talking to each other.

Also, I am a little confused on what you mean by when you said, “This is not scalable” forgive me for not interpreting everything correctly.

Update: So I created 2 different Speedfusion Peers from a Balance 380 to two 210s and had both the peers from the 380 end in NAT Mode. One of the 210s received a 10.21.102.10 within the peer and the other 10.21.102.9.

I don’t want either of these 210s to communicate with one another but each could ping each other via their separate peers. What am I missing? Do I need to create the internal Firewall Rules for each one of these devices as well to deny each other? If so, I don’t get how that would work because the 10.21.102.10 and .9 at both the 210s can technically change? It’s not like I can statically assign each 210 with the local LAN subnet IP that the 380 is giving it.

Hi tjvoip45,

Ideally you need multiple FusionHubs/Balance routers to support a multitenant environment. For example you will have difficulty if you have customers like below:-

  • Customer A with 10 remote sites. Each site needs to communicate to each other.
  • Customer B with 5 remote sites. Each site needs to communicate to each other.
  • Customer A and B can’t communicate with each other.

With FusionHub, you can easily deploy FusionHub A and B to support the environment above. But this is difficult if you are using a Balance router.

How does SpeedFusion with NAT mode work?
Explanation below is based on your provided diagram. I assume the VoIP server is hosted on the Untag Vlan.

  1. Enable DHCP server on Untag Vlan on Balance 380. Ensure the IP range is sufficient since each remote site will grab an IP from this DHCP server.
  2. Enable NAT mode for Untag Vlan on each SpeedFusion profile on Balance 380.
  3. After SpeedFusion with NAT mode is established, below is the communication flow:-
  • Insurance company ----> Data center, Allow.
  • Law firm ----> Data center, Allow.
  • Insurance company <-----> Law firm, Deny.
  • Data center -----> Insurance company or Law firm, Deny.
  4. All remote sites’ source IPs will be NATed to the IP that is assigned by Balance 380 on Data Center.

Hope this helps.
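The allow/deny matrix TK lists above follows from each remote Balance being hidden behind one data-center-assigned address, so only connections the remote LAN initiates ever create a translation entry. The following is an added example, not Peplink code and not part of this thread, that walks the four flows through a small address-restricted stateful NAT model: 192.167.53.0/24, .10 and .11 are TK’s example values; the 192.168.10.0/24 and 192.168.20.0/24 customer LANs, the host addresses and the port numbers are constructed; and the address-restricted behaviour (a reply must come from the host the LAN talked to) is an assumption used to model NAT mode, not a documented property of SpeedFusion.

```python
# Constructed model of SpeedFusion NAT mode reachability (added example, not Peplink code).
# Assumption: each remote site's tunnel endpoint behaves like an address-restricted
# stateful NAT keyed on (local port, remote host). Port collisions between LAN hosts
# are not modelled.
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class NatPeer:
    """One remote site's SpeedFusion endpoint with NAT mode on the data-center side."""
    name: str
    lan: ipaddress.IPv4Network  # the site's VoIP LAN (constructed range)
    nat_ip: str                 # address the DC DHCP handed this peer (TK's example values)
    table: dict = field(default_factory=dict)  # (local port, remote host) -> LAN host

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the LAN source to the assigned address and remember the flow."""
        self.table[(pkt.sport, pkt.dst)] = pkt.src
        return Packet(self.nat_ip, pkt.dst, pkt.sport, pkt.dport)

    def inbound(self, pkt: Packet):
        """Return the LAN host only if this packet answers a flow the LAN started."""
        return self.table.get((pkt.dport, pkt.src))


class NatModeHub:
    """The data-center untagged VLAN plus the NATed remote peers hanging off it."""

    def __init__(self, dc_lan: str, peers: list):
        self.dc_lan = ipaddress.ip_network(dc_lan)
        self.peers = {p.name: p for p in peers}

    def peer_for_lan(self, ip: str):
        return next((p for p in self.peers.values()
                     if ipaddress.ip_address(ip) in p.lan), None)

    def peer_for_nat_ip(self, ip: str):
        return next((p for p in self.peers.values() if p.nat_ip == ip), None)

    def send(self, pkt: Packet) -> str:
        """Trace one packet; returns an ALLOW/DENY string with the reason."""
        # Remote LANs are not advertised in NAT mode, so only DC addresses are routable.
        if ipaddress.ip_address(pkt.dst) not in self.dc_lan:
            return f"DENY: no route to {pkt.dst} (remote LANs are hidden in NAT mode)"
        src_peer = self.peer_for_lan(pkt.src)
        if src_peer is not None:
            pkt = src_peer.outbound(pkt)  # leaving a customer site: NAT applies
        dst_peer = self.peer_for_nat_ip(pkt.dst)
        if dst_peer is None:
            return f"ALLOW: delivered to DC host {pkt.dst} from {pkt.src}"
        lan_host = dst_peer.inbound(pkt)
        if lan_host is None:
            return f"DENY: {dst_peer.name} has no NAT entry for {pkt.src} -> {pkt.dst}:{pkt.dport}"
        return f"ALLOW: delivered to {dst_peer.name} host {lan_host}"


def build_hub() -> NatModeHub:
    return NatModeHub("192.167.53.0/24", [
        NatPeer("insurance", ipaddress.ip_network("192.168.10.0/24"), "192.167.53.10"),
        NatPeer("law", ipaddress.ip_network("192.168.20.0/24"), "192.167.53.11"),
    ])


def demo() -> dict:
    """Walk the flows from the post above on a fresh hub; keys name each flow."""
    hub = build_hub()
    ins_host, law_host, dc_voip = "192.168.10.50", "192.168.20.7", "192.167.53.5"
    r = {}
    r["insurance->dc"] = hub.send(Packet(ins_host, dc_voip, 5060, 5060))
    r["law->dc"] = hub.send(Packet(law_host, dc_voip, 5060, 5060))
    r["dc reply->insurance"] = hub.send(Packet(dc_voip, "192.167.53.10", 5060, 5060))
    r["dc unsolicited->insurance"] = hub.send(Packet(dc_voip, "192.167.53.10", 5060, 10000))
    r["insurance->law nat ip"] = hub.send(Packet(ins_host, "192.167.53.11", 5060, 5060))
    r["insurance->law lan"] = hub.send(Packet(ins_host, law_host, 5060, 5060))
    return r


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:28s} {verdict}")
```

The model also shows why the lease-change concern raised later in the thread does not need Internal Firewall rules: isolation comes from the absence of a translation entry, not from any rule that names the .10 or .11 address.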

TK,

Completely understood on the first part you just mentioned above. In that scenario though I wouldn’t even need our Data Center Speedfusion peer because I would just use the Speedfusion technology between each of the customer sites. This platform I am trying to accomplish is more for a customer with 1 location that could take advantage of the Speedfusion technology permanently or temporarily as a service for better bandwidth utilization and or better VoIP quality.

Reason being for us over here to actually have the Balances onsite is for more control and faster response.


Here is a Speedfusion Peer from the 380 Test to the 210 Test with NAT ONLY enabled at the 380 side of the peer.


Here is the same Speedfusion Peer on the Test 210 back to the Test 380 WITHOUT NAT enabled.

Does this look correct?

Under 3. that you wrote above, I am assuming you are talking about the internal firewall rules?

My other issue is this. Since the 380 is now assigning the remote 210’s an IP from the 380 native LAN, what happens when the DHCP lease is up and the 380 native LAN assigns a new IP to 1 or all of the remote 210’s? And now I already have all my internal firewall rules set up for the original IP’s that the 380 assigned to the remote 210’s Speedfusion Peers. That would be a pain to have to deal with constantly, no?

FYI: The Hosted VoIP Data Center and the Data Center where our Balances sit are at 2 separate locations.

Hi tjvoip45,

Yes.

Item 3 I mentioned above is the default behavior of SpeedFusion NAT mode. It is not related to the Internal Firewall. In fact the Internal Firewall may not be used with my suggestion below.
Please refer to your diagram again. Once SpeedFusion NAT mode is established between Data Center, Insurance company and Law firm, the Balance 210 of Insurance company will be assigned an IP 192.167.53.10 (for example) and Law firm will be assigned an IP 192.167.53.11 (for example). So the VoIP LAN on Insurance company and Law firm will be NATed to 192.167.53.10 and 192.167.53.11 respectively when communicating to the Data Center side.
For the Native Vlan on Insurance company and Law firm, you may turn on Expert Mode and route them to internet on both Balance 210.

Do let me know if you still have question :).

TK you are the man! I see now, took me time to digest. You don’t know how much your help is appreciated!

Hi tjvoip45,

This is my pleasure to support you!


This is testing the tunnel without sending any UDP traffic from the phones from this 210 to the 380 without WAN Smoothing turned on. Virtually no packet loss. I am sending all phone UDP VoIP traffic locally out fiber connection and my call quality is perfect.


This is sending the UDP VoIP traffic through the Speedfusion tunnel to the 380. Why so much packet loss? I have WAN Smoothing turned on to “Normal”. Call Quality is terrible, every 5th word drops out.


This is my outbound policy on the 210 with Speedfusion tunnel actively sending VoIP traffic back to 380 using WAN Smoothing on “Normal”. I have Priority: VPN, FIOS, CV. No expert mode enabled, I didn’t see the need because all my other traffic was being sent out locally according to my active sessions.

***Sorry this pic was wrong, it was supposed to be my VPN was Priority first.

Correct me if I am wrong but I don’t need Internal Firewall Rules to block any traffic with my setup with the 380 NAT mode on its end correct?

Also, am I getting so much packet loss through my tunnel because I have WAN Smoothing on “Normal” and it is taking too much bandwidth? Should I leave it “Off” and if so, would there be any benefit for my VoIP traffic at that point.

Thanks again, and sorry to be a pain.

Hi tjvoip45,

Please disable WAN Smoothing and test again. WAN Smoothing is only needed when your WAN link has packet drops. FYI, WAN Smoothing will consume extra bandwidth since it is duplicating the packets.

Correct me if I am wrong but I don’t need Internal Firewall Rules to block any traffic with my setup with the 380 NAT mode on its end correct?
Yes.

Please provide Real-Time bandwidth usage (Status > Real-Time) as well for the next post if you are still facing the problem.

Ok, thanks. I have disabled WAN Smoothing on the 210 and also upgraded bandwidth. Call quality seems to be fine now. Thanks for the help again!

You guessed it. I am actually still having problems sending UDP VoIP traffic through Speedfusion from 210 to 380. Just to confirm:

  1. With the configuration you recommended, being the 380 was put into NAT Mode. I don’t need any “Internal Firewall Rules” at both the 380 and 210 end correct?
  2. I opened up my SIP Port and RTP range at both the 380 and 210 ends Outbound.

*Correct me if I’m wrong but isn’t it true that my VoIP Traffic will now be Triple Natting as opposed to 1 time NAT process communicating to our hosted VoIP Feature Servers?

  • 1 NAT going through the Speedfusion from 210 to 380
  • 1 NAT from the 380 LAN out to its internet connections to the hosted VoIP Servers
  • 1 NAT coming back from the hosted VoIP Servers to the 210 VoIP LAN

If this is the case I just don’t see how this can work correctly. I am at a loss because the speedfusion tunnel is actually making the VoIP quality terrible as opposed to keeping it steady at all times through any little trouble and picking the best routes. I have some real time graphs below.

The only other thing I can think of is there is a problem because both the test 380 and 210 I have setup are running over the same ISP’s. 380 with ex. 23.220.223.41 and 210 with 23.220.223.42. Same thing for both ISP’s for both Balances. Should I maybe enforce VoIP traffic at the 210 through the Speedfusion through ISP 1 and at the 380 receive traffic through the other only?


Here is from the 380 to 210 Only Using FIOS.


Here is from the 210 to 380 Only Using Cable.


Here is 210 Outbound Policy even after making the new speedfusion peer as stated above.


Even with that Outbound Policy as stated above, ALL of my SIP Sessions are now going out locally through 210 ISP’s but according to my Outbound Policy all my VoIP traffic should be going through the Speedfusion peer. Speedfusion is turning my brain into a fusion wasteland!

Update: All active session on 210 are now running through VPN, I dk maybe it just took longer than normal.

Hi tjvoip45,

I need to go through all your settings in Balance 380 and Balance 210. Please help to open ticket and turn on Remote Assistance on both units.

Do let me know the ticket number once this is done.

Thank you.

[Ticket #757463] and both Balances have remote turned on. Once again, thanks for the help.

Hi tjvoip45,

Noted. I will follow up from there.

Thank you.

Hello Peplink Team,

Just read over all of these and I am a bit confused. Wouldn’t it be better to have a strong peplink at the location of the hosted servers, and have customers connect to that using speedfusion? If we have an off-site data center, is it really possible to have the customer’s “borrow” our bandwidth to get out to an external server host? If they have 2 ISPs with poor connections, wouldn’t they still have poor quality?

Thank you

TK,

Still issues of choppy calls and one way audio through speedfusion from 210-380. I have made the necessary change in the firewall rules and outbound policies to make the feature server domain the IP instead. I have also allowed inbound firewall rule for my SIP port and RTP from the hosted feature server this time as well.

I still don’t understand how VoIP in this particular setup can operate properly when natting 3 times. I can understand VoIP with Speedfusion with say a 3CX onsite PBX but I am having my doubts with what I am trying to do in the Hosted VoIP environment with utilizing speedfusion.

I will test more but say I still have the issues, can I turn off NAT Mode at 380 end and just create internal firewall rules for each Speedfusion Peer per customer and just keep them from speaking to each other that way?

It would be really nice to create a Speedfusion Peer and within the Profile at each end be able to just pick in like a drop down menu of all the remote LANs I want to communicate in both directions. Let the Speedfusion Peer say initiate itself to establish all routes and recognize all remote LANs and then you can in the drop down menu as mentioned pick in each direction which LAN can talk to each other, eliminating internal firewall rules. And now you could see in the speedfusion tester only the remote LAN that you have chosen to communicate with. Much more simple in my opinion.

Then under the LAN settings of the remote Balance you could disable inter vlan routing to stop other LANs from hitting the speedfusion connected LAN or Have the inter vlan routing enabled at the remote site and be able to define exactly which LAN can communicate with each other instead of all of them if you have inter vlan routing enabled.

At the end of the day it’s annoying to have to create internal firewall rules to stop traffic through a VPN tunnel but still see all the remote LANs that you don’t want to talk to and still be able to ping them internally. This would also allow for narrowing down 3 times NAT to 2 for the hosted VoIP environment.

Let me know what you think and if you have any more suggestions for my scenario or if anyone has experience with VoIP through Speedfusion in the Hosted environment NOT onsite because I would love to hear any configuration suggestions.