I’m a total amateur, but I wonder if someone can give me a solution to the simple problem described in the Title? What’s strange is that this never happened before on this site, and suddenly, yesterday, it is. I am entirely unclear about firewalls and such and simply don’t know how to unblock a specific site. Any help would be much appreciated!
Hi David. What do you mean by “blocked?” Do you see an error message? Does the site respond at all? Can you show us a screenshot?
Not sure. But what I CAN say is this: Your Peplink equipment did not do this to you. I’d inquire further of the nice folks who blocked you, perhaps using the “Contact support” link they provided. It’ll be interesting to see what they say if you’d be so kind as to share it.
Hi, Rick, actually, I assumed it was something coming from RealClearPolitics (that I hadn’t encountered before), and it’s obviously related to Speed Fusion Cloud since if I changed that connection just to Starlink or T-Mobile Home Internet, access to the site is not blocked. I just assumed there might be some Firewall setting to “unblock” what RCP is blocking! I do encounter blockages from certain other sites (not a lot), Ticketmaster, I recall, or a ticket-purchase site at my university’s athletics page - but only when I’m connected via Speed Fusion Cloud. Ditto for Netflix, but that seems to be a common problem. I did write RCP about the block, and if they reply, I’d be happy to post that here! Thanks! David
This is the CDN provider that RCP uses putting the SpeedFusion IP ranges on a bot list. RCP doesn’t even control the actual mechanism, they just select a check box that says “no bots.”
You or Peplink would need to work with Cloudflare to see if the IP ranges or BGP ASNs (or however they arrange their rules) are exempted.
Until then you have to route those DNS domains directly via the consumer ISP space.
I had fastly.net block my Vultr space with a similar message and certain apps wouldn’t authenticate via the tunnel. Lots of vendors block or disrupt datacenter IP spaces for consumer applications, Netflix, Amazon, etc.
FWIW, I completely agree with @Paul_Mossip’s explanation. I did not read that you were using SpeedFusion Cloud/Connect in your first messages. That makes a huge difference.
We and our clients/customers have observed the behavior you describe with great frequency. What I will say is that the main purpose of SFC originally, as it was explained to us (first by @Travis here), was to improve “connectivity” for video calls, SIP traffic, etc. And, it works excellently for that. For other uses (like “hide my location”) well, not so well. We have not observed any blocks when using Zoom, various SIP providers, Google’s products, etc.
Hi, Rick, that’s an interesting observation, but of course, it makes it rather inconvenient to use generally as, well, one can’t! When various common sites are blocked via SpeedFusion, I have to either change the Enforced:SPC to something else, temporarily, or use a different WIFI directly. I have not experienced this yet on anything but RealClearPolitics, as well as certain online “ticket pay sites” like Ticketmaster or even my university’s athletics ticket sites. They clearly don’t like SPC either!
I think the likely more accurate diagnosis is that “they don’t like the server farm my SPC connects through.”
Since the IP address where your connection breaks out is the likely issue, adding outbound policies that connect directly (rather than through SPC) with the blocking destinations might be the immediate solution. I know, this might get tedious.
Alternatively, make a set of outbound policies where traffic that particularly benefits from (and is the intended core purpose of) SPC, such as video calls, SIP traffic etc. as mentioned by @Rick-DC, is routed through the SPC, and all other traffic uses the direct ISP link(s). Slightly less tedious.
Cheers,
Z
Just curious: Why are you directing all of your traffic to SFC? What’s the use case, I wonder?
This is happening regularly for me, to the point that I have to wonder if SFC is worth it.
We use SFC for all traffic because our Starlink experiences fairly regular outages (trees we are unwilling to remove) and so we have VZW failover, with SFC to maintain the connections (since failover changes IP addresses otherwise, and all connections would have to re-negotiate, and then re-negotiate again when Starlink comes back up.)
There are so many sites that are blocking my SFC IP addresses that I need to check on to do my work… I understand the “No VPN” mindset of these sites, but it is quite frustrating.
-Michele
It seems my previous post got truncated, or somehow I didn’t make it clear that, aside from my wife’s reliance on ZOOM, etc. (which could be easily dealt with by my attaching only her device to SFC), my main reason for wanting SFC is precisely the same as Michele’s: STARLINK! Other kinds of failovers (Priority, etc.) just don’t work as seamlessly as SFC, which in principle I really like. It may well be that there is/was an/the “(… intended core purpose of) SPC,” but that’s kind of an unsatisfactory situation, having bought an expensive BalanceTwo (which I love…) precisely for seamless hot failover, and - perhaps increasingly? - this may not work on some important sites. If certain other sites (video calls, etc.) decide some fine day to block SFC, then the entire service will be crippled, but I imagine Peplink knows this very well!
Whether SFC is worth it or not is all a matter of use cases, of course. It sounds like you have a set of choices, none of which are optimal for you. For example:
- Send all the traffic through SFC.
  Works well, except when it does not (due to the VPN policies of some service providers).
- Drop SFC altogether, and use load balancing.
  Works well, except when Starlink does not. In which case you get failover-caused gaps in service (the lag before the Starlink disruption is discovered, and then the brief lag as sessions are switched to the backup VZW service).
- Analyze your usage, determine where the failover lag is too disruptive or where the blocking is w.r.t. sites you don’t tolerate being blocked.
  For the former, route them through SFC, for the latter, use prioritized load balancing.
These are options (there are others, employing other Peplink-supported functionalities), and you have tools available to deploy as suitable for your use case.
But at the core: You are stuck with VPN-averse service providers and a flaky primary ISP.
Cheers,
Z
As an alternative you could look at building a FusionHub Solo with a smaller cloud provider who isn’t on the radar of the VPN blocking. Generally you could get one hosted for around $5-6 which would have an IP address dedicated for you. It would likely reduce the sites which are blocking the shared IP which is used by SFC and the hosting provider.
Excellent recommendation. As a side note, our company employees run 100% on virtual desktops running in Azure (aka AVD). If any of the Azure public IPs we used was blocked at any site, my department would start hearing complaints about unreachable sites. We have been on Azure for two years now without any issues at all as far as connectivity to internet sites is concerned. Might be worth trying FusionHub Solo in Azure given no license is needed.
We run FusionHub on AWS but using our own IPs. I can’t speak to AWS-provided IPs being blocked or not. It is nice that AWS lets companies that own IP blocks bring them to their environment.
I received my answer on this post, with a video on how to set up the outbound rules to override the SFC settings by domain. Post