Third-party firewall to check outbound internet traffic from SpeedFusion


#1

Hello all,

we’ve got a problem.

We have some sites linked to the headquarters with SpeedFusion tunnels.

We want all the internet traffic from all the sites to go through SpeedFusion to the HQ site, and then out to the Internet.

And, most of all, we want to protect incoming internet traffic with a third-party firewall, BUT also protect and check outbound traffic: URL filtering, etc.

  • The SpeedFusion tunnels are built, everything's fine.

  • To force internet traffic from the remote sites to go to HQ, we added an outbound rule on the remote Peplink to redirect "all" to SpeedFusion. It's OK.

  • On the HQ Peplink, we added a rule to force internet traffic to be routed to the third-party firewall (a Cyberoam HA system).

The problem is:
Everything was fine WHEN we used drop-in mode on the Peplink: on the firewall, we added a rule to push all incoming traffic from the Peplink's address in drop-in mode (as an example, 172.22.34.2) to a WAN internet connection (for example, 172.22.34.254). The Peplink is between the firewall and the WAN connection, so it can "catch" the packets and send them where we decided.

Our problem is that drop-in mode was not possible (too many difficulties). The Peplink, of course, is still between the firewall and the WAN connection.

It has an address like 172.22.34.254 on the LAN side.

The problem is to configure the firewall with a rule saying something like "all traffic incoming from the 172.22.34.0 side has to be sent to 172.22.34.254".

Do you know if we can add a second LAN address on the Peplink, to use one for traffic from Peplink to firewall and the other for traffic from firewall to Peplink, after the firewall's checks?

Thank you for your help !


#2

We now have a feature to help with content filtering for SpeedFusion peers. The Balance can use a LAN default route "0.0.0.0" to point to a content filtering device on your LAN instead of using the WAN interfaces.


#3

Hello,

thank you for your answer.

But I probably failed to explain my problem: how can I set up the firewall if there is only one LAN address?

I mean the 0.0.0.0 default route is already done, so all traffic is forwarded to the firewall. But all this traffic IS coming in with the Peplink's LAN address. The problem is to configure the firewall with a rule saying something like "all traffic incoming from the 172.22.34.0 side has to be sent to 172.22.34.254".

Thank you for your help


#4

It might be more comprehensible with this draft:


We really want to use the third-party firewall to check incoming AND outgoing packets. So all traffic from remote sites should be redirected to the firewall. It's OK.

By the way, how do we set up the firewall if we can't use two IP addresses on the LAN side of the Peplink?!

The problem is a ring:

  • Everything is sent from the Peplink to the firewall
  • Everything from the firewall is sent to the Peplink's LAN address
  • Back to the first step: the Peplink will send it to the firewall again…

We were able to do that only by using drop-in mode: the default gateway for the firewall was the IP address of the internet router. The firewall receives a packet from the Peplink (address 1) and, after checking it, sends it to the internet router (address 2). The Peplink was in drop-in mode, between the firewall and the router, catching packets.

How can we do this without drop-in mode?

Any help will be appreciated !

Thank you,


#5

This will require a layer 3 device on the inside to prevent the loop.
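The ring described in #4 and the one-line answer in #5 both come down to the same forwarding property: a packet must cross the firewall exactly once in each direction, so the HQ router cannot decide where to send a packet from its destination alone. The following is an added illustration, not code or configuration from the thread, from Peplink or from Cyberoam. It is a hop-by-hop forwarding model with three made-up nodes; 172.22.34.0/24 and the drop-in addresses come from post #1, while the remote-site subnet 10.1.0.0/16, the interface names and the Internet destination 203.0.113.10 are assumptions. The first scenario reproduces the loop of the single-LAN-address design; the second keeps the same wiring but lets the Peplink choose the next hop by arrival interface, which is the property that an extra layer 3 segment or device on the inside gives you. Whether a given Balance model can express such rules directly is not something the thread establishes.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Pseudo next hops: the packet has left the routed path we are modelling.
WAN = "WAN"                  # handed to an Internet-facing WAN link
SPEEDFUSION = "SPEEDFUSION"  # handed into the tunnel towards a remote site
TERMINALS = {WAN, SPEEDFUSION}


@dataclass
class Route:
    ingress: Optional[str]  # interface the packet must arrive on; None = any
    prefix: str             # destination prefix, e.g. "0.0.0.0/0"
    next_hop: str           # neighbour node name, or a TERMINALS entry
    egress: str             # interface the packet leaves on


@dataclass
class Node:
    name: str
    routes: List[Route] = field(default_factory=list)

    def lookup(self, ingress: str, dst: str) -> Optional[Route]:
        """Longest-prefix match, restricted to routes whose ingress
        constraint (if any) matches the interface the packet came in on."""
        addr = ip_address(dst)
        best: Optional[Route] = None
        for r in self.routes:
            if r.ingress not in (None, ingress):
                continue
            net = ip_network(r.prefix)
            if addr in net and (best is None or
                                net.prefixlen > ip_network(best.prefix).prefixlen):
                best = r
        return best


# Hypothetical single-segment wiring, as in the thread: the firewall's outside
# interface and the Peplink's LAN interface share 172.22.34.0/24.
# (node, egress iface) -> (neighbour, neighbour's ingress iface)
LINKS: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("peplink", "lan"): ("firewall", "outside"),
    ("firewall", "outside"): ("peplink", "lan"),
}


def forward(nodes: Dict[str, Node], start: str, ingress: str, dst: str,
            ttl: int = 16) -> Tuple[List[str], str]:
    """Walk one packet hop by hop. Returns (path, outcome); TTL exhaustion is
    how a real network eventually drops a packet caught in the ring."""
    path = [start]
    node, iface = start, ingress
    while ttl > 0:
        ttl -= 1
        route = nodes[node].lookup(iface, dst)
        if route is None:
            return path, "no route"
        if route.next_hop in TERMINALS:
            path.append(route.next_hop)
            return path, "delivered"
        node, iface = LINKS[(node, route.egress)]
        path.append(node)
    return path, "ttl expired (loop)"


# The firewall's only default gateway is the Peplink LAN address (post #3/#4).
FIREWALL = Node("firewall", [Route(None, "0.0.0.0/0", "peplink", "outside")])


def single_address_design(dst: str = "203.0.113.10") -> Tuple[List[str], str]:
    """Post #4's ring: Peplink LAN default route -> firewall, firewall default
    gateway -> Peplink, and the Peplink decides on destination only."""
    peplink = Node("peplink", [Route(None, "0.0.0.0/0", "firewall", "lan")])
    return forward({"peplink": peplink, "firewall": FIREWALL},
                   "peplink", "speedfusion", dst)


def ingress_aware_design(ingress: str, dst: str) -> Tuple[List[str], str]:
    """Same wiring, but the Peplink keys on the arrival interface: traffic that
    has not yet been inspected (from the tunnel or the WAN) goes to the
    firewall; traffic coming back from the firewall's LAN segment goes out.
    10.1.0.0/16 is an assumed remote-site subnet."""
    peplink = Node("peplink", [
        Route("speedfusion", "0.0.0.0/0", "firewall", "lan"),    # outbound, inspect first
        Route("wan", "0.0.0.0/0", "firewall", "lan"),            # inbound, inspect first
        Route("lan", "10.1.0.0/16", SPEEDFUSION, "speedfusion"), # inspected -> remote site
        Route("lan", "0.0.0.0/0", WAN, "wan"),                   # inspected -> Internet
    ])
    return forward({"peplink": peplink, "firewall": FIREWALL},
                   "peplink", ingress, dst)


if __name__ == "__main__":
    print("single address:", single_address_design())
    print("outbound      :", ingress_aware_design("speedfusion", "203.0.113.10"))
    print("inbound       :", ingress_aware_design("wan", "10.1.0.5"))
```

Running it shows the first design bouncing between the two boxes until the TTL runs out, while the second delivers an outbound packet as peplink, firewall, peplink, WAN and an inbound packet as peplink, firewall, peplink, SPEEDFUSION, each crossing the firewall exactly once. The same check is worth doing on the real equipment with a traceroute from a remote site before trusting the URL filtering: the firewall should appear once in the path, not repeatedly.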