SpeedFusion star topology - with the hub behind a firewall

Use case:
An IC2-defined SpeedFusion star (hub and spoke) network.
Hub: Balance 580 behind a firewall. Fixed IP addresses, connections cannot be initiated from the outside.
Spokes: Various Balance, Max and FusionHub devices, all with at least one static IP address.
Routing: All traffic at the spokes to be routed through the hub.

The set-up of the PepVPN connections is stuck in “Starting…”


  • Point-to-point PepVPN connections between the B580 hub and the spokes work well
  • Star PepVPN topologies where the B580 is a spoke work well.
  • Star PepVPN topologies where the B580 is the hub and all the spokes are on the internal network (behind the same firewall as the B580) work well (the spoke devices can all access the hub directly)
  • Star PepVPN topologies where the B580 is the hub and some of the spokes are on the internal network work only for the spoke devices that can access the hub directly. The “outside” devices are stuck in “Starting…”

As far as I know, the only way to force routing of all traffic from the spoke devices through the hub is by employing the “Send all traffic to…” option for a star configuration (FusionHubs do not have the option to define Outbound policy rules).



For IC2-generated star topology networks, the default configuration is to have the endpoints call in to the hub site. It’s possible to set the configuration to allow the hub site to generate the connections to the endpoints. On the “Profile Options” page of the PepVPN Management wizard for your profile, enable ‘show advanced settings’ and disable ‘suppress endpoint IPs’.

Please note that this is a default value since it prevents the hub device from receiving a new configuration from IC2 every time one of your endpoint devices reports a new IP address (which is very common for mobile/cellular links). I’d recommend you enable the dynamic DNS settings (available on the device details page) for each endpoint device in cases where you want the hub to connect out to the endpoints instead of vice versa.


Thanks - that worked most wonderfully :)

In our use case all the spoke devices have static IP addresses, but your suggestion about the utility of dynDNS services as an augmentation is well taken and appreciated.



I’m glad it was a simple fix for you. If you have any further problems, let us know.