Tunnelling from a static public IP on one WAN to a dynamic, unknown public IP on the remote WAN of a BR1 (e.g. a DSL line)


#1

How can I configure SpeedFusion or VPN tunnelling on two BR1s in the following scenario?

  1. One end has a static public IP address on its WAN;
  2. the WAN at the remote end has a dynamic, unknown public IP address via a DSL/cellular modem.

#2

The remote end simply points to the public IP address as PepVPN can be established in one direction.


#3

Both BR1s were initially bench tested OK, using static public IP addresses on their WAN ports, before deploying them to site.

At one site, we could only get a DSL modem ISP (providing a hard-coded/unknown IP on its modems) for one end, while the remote end is in our head office.

Is there any particular configuration I need to do on the "Dashboard" or "Advanced" pages?

Presently, the "Remote IP Address / Host Names (Optional)" column of the BR1 at the head office is blank.


#4

In this scenario the BR1 with DSL can point to the other side's static public IP, and the "Remote IP Address / Host Names (Optional)" field remains blank at the head office.


#5

Yes! This is the present setup/configuration and yet the BR1s are not communicating.

The internet can be accessed from both LANs of the BR1s.


#6

Does the remote BR1 have a public IP on its WAN or is the ISP’s modem/router providing NAT to the WAN of the BR1?
Have you forwarded the PepVPN ports on your office ISP router through to the Office BR1?


#7
  1. [quote="MartinLangmaid, post:6, topic:10273"]
    Does the remote BR1 have a public IP on its WAN or is the ISP's modem/router providing NAT to the WAN of the BR1?
    [/quote] => The ISP modem is NATting to the WAN port of our remote BR1 (with an unknown address).

  2. Have you forwarded the PepVPN ports on your office ISP router through to the Office BR1? => No! We are yet to integrate into our head office network. The BR1 at the head office is presently directly connected to a laptop/PC, hence we have not configured any port forwarding yet. The WAN port of the BR1 at the head office is directly attached to a public IP of our dedicated internet access at the head office.


#8

OK. So to clarify: is there a firewall/router between the WAN of the BR1 at your office and the internet? If so, you will need to forward ports 32015 TCP and 4500 UDP on that firewall/router through to the WAN of the BR1.


#9

No, we are yet to connect to the firewall or internet gateway at the head office end.

Because we are not yet successful with this unusual remote end (without a known valid public IP address), we decided to avoid the firewall's complications; hence, from our WAN switch at the head office, we connected the ISP directly to the BR1, with a valid public IP address.


#10

It should be noted that the ISP-provided broadband device is a SIM-operated broadband modem/device, with Ethernet and WLAN/hotspot features.

It is observed that it does not have the many other features that basic routers have, like port forwarding, IP filtering, ACLs, etc.
I'm sure this device connects to its base station using dynamic IP connectivity features, hence no stable/static IP address.

Though, as Ron_Case explained:
"The remote end simply points to the public IP address as PepVPN can be established in one direction."

Since the head office has a dedicated public IP address, we should have seamless PepVPN tunnelling using the BR1s.

Note again: the two (2) BR1s were initially bench tested successfully before one of them was deployed to site and the other remained at the head office.


#11

Hello Mart! Hello Ron!!


#12

How about the DDNS option? What's your advice?


#13

Can you please redirect me to a similar or related topic(s) where such an issue has been resolved in the past?


#14

Charles,
For this to work, at least one BR1 (let's call this one the hub device) has to have ports 32015 TCP and 4500 UDP accessible publicly (on its wired WAN or cellular WAN) so that the other BR1 (the client device) can connect to it and bring up a PepVPN connection.

The client device can be behind NAT with a dynamic IP and behind a firewall, so long as outbound traffic from it is not blocked on those ports.

The hub device has to have a publicly routable IP (or at least an IP that the client device can route traffic to directly). This can be a static or dynamic IP, but if it has a private IP (when it is behind a NAT router, for example) then the ports need to be forwarded to it or the tunnel won't come up, as data can't flow.

If both BR1s are behind NAT routers that you have no control over, then you need to connect both BR1s as clients to a new and different hub device that has those ports available.

When we use BR1s with just cellular connections, many times the mobile network operators will assign private IPs to the WAN of the BR1 from a pool of addresses behind a NAT router in their infrastructure. That same NAT router will block inbound connections.

In those cases I would normally host a FusionHub virtual appliance in AWS / Azure / Elastichosts that has a public static IP and use that device as the hub to enable the two client BR1s to route traffic between each other successfully.

You need to discover what your office IP address is, whether it's public or private, and whether it is behind a NAT router, to work out if it can be used as a hub device.

If it has a dynamic IP you can use the mypep.link dynamic DNS service in InControl to provide a DNS hostname that will always point to the dynamic IP of the hub device.
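The checks described in posts #8 and #14 (is the office WAN address actually public, is it a private or carrier-grade NAT address, and does the hub answer on the PepVPN TCP port from the client side) can be scripted. The following is an added example written for this thread; it is not Peplink code and not something either poster supplied. It assumes only what the thread states: the hub must be reachable on 32015/TCP and 4500/UDP. The sample addresses are constructed; `hub.example.net` is a placeholder. A UDP port cannot be confirmed open without a responder, so only the TCP port is probed; a refused or timed-out TCP connect is the symptom of a missing port forward or an upstream NAT you do not control.

```python
"""Added example for the thread: classify a BR1 WAN address and probe the PepVPN hub port.
Not Peplink code. Ports come from the thread (32015/TCP, 4500/UDP); hostnames are placeholders."""

import ipaddress
import socket
import sys

PEPVPN_TCP_PORT = 32015   # named in the thread as the PepVPN TCP port
PEPVPN_UDP_PORT = 4500    # named in the thread as the PepVPN UDP port (not probed here)

# Address space that means "you are behind someone else's NAT":
# RFC 1918 private ranges, plus RFC 6598 carrier-grade NAT space (100.64.0.0/10),
# which mobile operators commonly hand out on cellular WANs (post #14).
_PRIVATE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
_CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_ip(addr: str) -> str:
    """Return 'public', 'private', 'cgnat' or 'unusable' for an IPv4 WAN address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("this example handles IPv4 only")
    if ip in _CGNAT:
        return "cgnat"
    if any(ip in net for net in _PRIVATE):
        return "private"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return "unusable"
    return "public"


def can_be_hub(wan_ip: str, upstream_forwards_ports: bool = False) -> bool:
    """Can a BR1 with this WAN address act as the PepVPN hub?

    Public address: yes. Private address: only if the router in front of it
    forwards 32015/TCP and 4500/UDP to the BR1 WAN. CGNAT: never, because the
    operator's NAT is not under your control (post #14).
    """
    kind = classify_wan_ip(wan_ip)
    if kind == "public":
        return True
    if kind == "private":
        return upstream_forwards_ports
    return False


def probe_tcp(host: str, port: int = PEPVPN_TCP_PORT, timeout: float = 3.0) -> bool:
    """Attempt a TCP handshake with the hub from the client side.

    True means something accepted the connection on that port (the forward, if any,
    works). False covers connection refused, timeout, and unresolvable host.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample addresses, not real addresses from the thread.
    for sample in ["203.0.113.10", "192.168.1.2", "100.64.5.7", "10.0.0.5"]:
        print(f"{sample:15} {classify_wan_ip(sample):8} "
              f"hub without port forwarding: {can_be_hub(sample)}")
    # Optional live probe, e.g.:  python3 pepvpn_check.py hub.example.net
    if len(sys.argv) > 1:
        host = sys.argv[1]
        print(f"TCP {PEPVPN_TCP_PORT} on {host} reachable: {probe_tcp(host)}")
```

Run it from the client site with the office hub's address or mypep.link hostname as the argument. If `classify_wan_ip` reports `cgnat` for the cellular BR1 (the situation in post #10), that device cannot be the hub regardless of configuration, which is why the thread's advice is to make the office BR1 (public IP) the hub, or to put a FusionHub with a public IP in the middle when neither side has one.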