Hello!
[This is my first post here. I hope it is in the relevant category]
We use a pair of Balance 580 to connect two sites via SpeedFusion VPN and stream video from the far-away site’s encoder to our technical center’s decoder. The aim is to use a satellite network, currently Starlink, as a backup when the international terrestrial connection is failing.
Unfortunately, very few video transport protocols get through.
I managed to establish a RIST tunnel between the encoder and the decoder and to stream video. That was a first successful step.
Then as the quality was not satisfying, we wanted to make new tests using Zixi protocol but the two would not connect (neither in push nor in pull).
I thought it had to do with the Zixi port, so I tried SRT using a different port (the port number that was used successfully with RIST). No SRT either.
Hereunder is a sketch of the architecture:
- in blue/green the stream I am trying to create
- in black the main stream that does not use Peplink.
- I have considered that the VPN is between the two Peplinks’ private addresses 10.x.8.1 and 10.y.4.30 and declared the routes accordingly.
- Are there any firewall settings in the Balance 580 that I could have missed?
- I found in another post here that it is advised to set the WAN routing parameter to ‘IP forwarding’ instead of ‘NAT’. Done. To no avail.
What could be wrong? What could be missing?
This project is my first encounter with Peplink so I have much to learn for sure.
On the other hand, this is a POC to implement this kind of architecture on more sites worldwide, so I want to have everything clear.
Thank you all!
Isa
Hello, @isabelle.dattee
Welcome to the community…
So… Nice project!!
I did the same, here in Brazil…
The distant site has a dynamic IP address (not a public IP address)
The local site has a fixed IP address (public IP address)
Can you check the SpeedFusion status? Are both sites established?
I just configured the encoder and decoder with their LAN IP addresses… okay?
Hi @MarceloBarros
Yes, the VPN is OK, even with a dynamic address on the Starlink WAN. I can ping equipment from one end to the other.
It’s only the video protocols that seem to be blocked, or misrouted.
It seems strange but I know that ‘strange’ does not exist in technology! There is always a reason.
Concerning your project: if you trust the network between the encoder and decoder you can send directly in UDP or RTP, otherwise you need a streaming protocol like SRT or another.
Isa
Hi, @isabelle.dattee
so… ping between them works… nice.
Do you have firewall rules?
My project is working nicely… SRT and VoIP working well.
They are used in live events and for VoIP groups at sport events.
And what is your architecture? Do you have any drawing?
Sorry… No drawing…
The customer never asked me to do it… So… I never drew it.
The Balance is at the LOCAL site (datacenter)…
All the other 22 Peplinks are in remote locations.
Each case has a Peplink device and antennas to improve the LTE signal.
Inside the truck, there is a network switch and they connect what they want, to stabilise the streaming service.
We do this all the time, with various video protocols and generally there are no problems in establishing RTMP, SRT, RUDP, NDI-HX etc. across a SpeedFusion tunnel. It is a pretty common use case for Peplink + SpeedFusion to facilitate this kind of transport.
Out of the box there is no real firewalling enabled in the Peplink, especially where SpeedFusion is concerned, so unless you have configured or changed the rules there I’d look somewhere else.
Assuming you did not enable NAT on the VPN profile (as it seems you can ping end to end, that is unlikely; but to be clear, you mean that a device in the same subnet as the video encoder can ping a device in the same subnet as the decoder directly?) then I’d be looking at that “firewall” you’ve drawn in your diagram as where to begin.
If you were to move the video decoder in front of that firewall, i.e. directly attached to the Peplink, does it work as expected?
Hi @WillJones
My company’s security rules are strict, even ping is reduced. I could ping from the local Peplink to the remote encoder and from the remote encoder to the local Peplink’s private address.
But as my RIST tunnel established immediately I thought everything was fine.
The bigger the disappointment with Zixi and SRT.
It is not possible to bypass the firewall, even for tests. The security team would report me to the police. I tried streaming to another decoder which is not behind the same firewall. It worked but it’s useless as I’m not using the SpeedFusion VPN either…
What could be missing in the firewall rules?
At a guess they’re dropping the ports you require for the protocols you want to use; they might also, depending on the firewall they are using, be doing more sophisticated application inspection / protocol inspection to determine what to let through.
It sounds like a sensible way to approach this might be to gather the required source/destination IPs and ports and work with your firewall and security people to permit the required traffic, but if you want to rule out the SpeedFusion and Peplink components you might need to gather some evidence that it is doing what you expect.
On the Peplink there is a hidden support page you can access that lets you take a PCAP from the appliance perspective:
https://192.0.2.1/cgi-bin/MANGA/support.cgi (replace the IP with yours, the support URL can also be accessed via Ic2 remote web admin).
You can also configure a firewall rule on the Peplink with some logging, perhaps matching the specific traffic you are trying to pass:
Advanced > Firewall > Access Rules > Internal Network Firewall Rules
Logs are then available in Status > Event Log > Firewall
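To complement the PCAP and firewall-log evidence above, here is a small added UDP probe tool (not from the original thread or from Peplink) for checking whether a given port actually arrives across the tunnel: SRT, Zixi and RIST all ride on UDP, so a listener next to the decoder and a sender next to the encoder tell you whether the intermediate firewall drops that port. The marker string and the loopback self-check port are constructed values for this example.

```python
"""UDP path probe: run listen() beside the decoder and probe() beside the encoder.
Comparing sent vs received sequence numbers shows whether the firewall in the
path drops the UDP port the video protocol needs (constructed example)."""
import socket
import threading
import time

MAGIC = b"PATH-PROBE:"  # constructed marker so unrelated datagrams are ignored


def listen(bind_ip, port, expected, timeout=5.0):
    """Bind to bind_ip:port and collect probe datagrams until `expected`
    have arrived or `timeout` seconds pass. Returns [(seq, src_ip, src_port)]."""
    received = []
    deadline = time.monotonic() + timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_ip, port))
        s.settimeout(timeout)
        while len(received) < expected and time.monotonic() < deadline:
            try:
                data, (src_ip, src_port) = s.recvfrom(2048)
            except socket.timeout:
                break
            if data.startswith(MAGIC):  # skip stray traffic on the port
                received.append((int(data[len(MAGIC):]), src_ip, src_port))
    return received


def probe(dst_ip, port, count=5, interval=0.05):
    """Send `count` numbered probe datagrams to dst_ip:port; return seqs sent."""
    sent = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for seq in range(count):
            s.sendto(MAGIC + str(seq).encode(), (dst_ip, port))
            sent.append(seq)
            time.sleep(interval)
    return sent


def free_udp_port():
    """Ask the OS for an unused loopback UDP port (for the self-check)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def loopback_selfcheck(port, count=5):
    """Run listener and prober on 127.0.0.1 to verify the tool itself.
    Returns (number sent, sorted list of sequence numbers received)."""
    result = {}
    t = threading.Thread(target=lambda: result.update(got=listen("127.0.0.1", port, count)))
    t.start()
    time.sleep(0.1)  # give the listener time to bind before sending
    sent = probe("127.0.0.1", port, count)
    t.join()
    return len(sent), sorted(seq for seq, _, _ in result["got"])
```

On the real path, call listen(decoder_lan_ip, video_port, N) on the decoder side first, then probe(decoder_lan_ip, video_port, N) from the encoder side; received sequence numbers missing from the sent list are what the PCAP on the Peplink and the firewall log should explain.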
Thanks a lot for these good ideas, especially getting logs from the Peplink to know if anything is coming that far or if the traffic is blocked upstream (by the firewall).
I’ll try it.