Using FusionHub for Internet Gateway for LAN?

Hello, I am unclear if FusionHub can be a simple gateway to the Internet for my LAN.

For example, in the following diagram from the manual, could the “Video Server” access the Internet via FusionHub with NAT? I’m trying to get this working but using LAN IP of FusionHub for gateway on another device it does not seem to be routing out. Is there a way to enable logging or something to see if it is accepting the packets and passing or rejecting, or another way?

Yes. When you have WAN and LAN attached like this then yes the Fusionhub can act as a basic router / firewall.

When I have done similar things in the past, I would use a dedicated virtual firewall appliance alongside the Fusionhub (we call the service we deliver based on this topology HybridNET).

This topology lets me use a nextgen firewall (my preference is OPNsense) and get all the features and toys that provides, with a Fusionhub that has the sole responsibility of Speedfusion VPN termination.


Do your firewalls bypass FusionHub with a separate gateway, or are they going through FusionHub? I think you are saying that you are using FusionHub as a gateway – but because the yellow arrows jump over fusionhub I’m not 100% certain.

I have redundant Mikrotik switches on my private network and I just need to give them a gateway. So I am hoping I can just use the internal network LAN IP address of FusionHub. That isn't working right off the bat for me. Is there any way to see connection activity on Fusionhub so I can troubleshoot my setup? I don't think there is anything like tcpdump or firewall logging actions like in pfSense, right?

My goals… (1) Not wasting another public IP just for a gateway, (2) I don’t have to worry about hardening my Mikrotik switch config to put them on a public IP, and (3) not adding complexity to my network with yet another networking device/appliance.

My network and infrastructure (VMware) is already getting bloated with so much stuff that I fear I’ll be managing the infrastructure more than what I need it for.

So typically in my deployments the firewall and Fusionhub both have public IPs, and remote peer traffic exits to the internet from the firewall (coming via the Fusionhub first, of course). There would be nothing to stop the Fusionhub from being on the LAN of the firewall, though.

Yes you can do a packet capture on the support.cgi page.

OK, thanks for the clarification. I do have access to the internal LAN working fine. But it doesn't seem like I am being allowed to use FusionHub as a gateway for the LAN to the internet (I think it is working fine for any local to remote LAN connections through the tunnel, though).

In the traceroute below, FusionHub is 172.16.25.195 and I am trying to ping Google DNS from another device on the LAN…

root@mail:/etc/netplan# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 _gateway (172.16.25.195) 0.265 ms 0.215 ms 0.189 ms
2 * * *
3 * * *
4 * * *
5 * * *

But I am able to see the remote side PeplinkMAX device…

traceroute to 192.168.100.1 (192.168.100.1), 30 hops max, 60 byte packets
1 _gateway (172.16.25.195) 0.254 ms 0.176 ms 0.113 ms
2 192.168.100.1 (192.168.100.1) 108.365 ms 112.885 ms 112.855 ms
root@mail#

I enabled a firewall rule so I could get some logging and there are many items like this, which appear to be the ping going out. So the problem may be that it doesn't go any further or is not able to come back?

Sep 08 12:50:47 fsh-XXX Firewall: Allowed IN=br0 OUT=eth0 MAC=00:50:56:90:1e:e2:00:50:56:a4:46:88:08:00 SRC=172.16.25.199 DST=8.8.8.8 LEN=74 TOS=0x00 PREC=0x00 TTL=63 ID=12320 DF PROTO=UDP SPT=54412 DPT=53 LEN=54

I am seeing FusionHub’s direct pings to a remote host coming in but it does not seem to be passing through pings coming from another device on the LAN.

The LOGS say that it is passing the pings through the firewall but I can’t find evidence so far that they are exiting FusionHub.

FUSIONHUB FIREWALL LOG:
Sep 08 13:18:22 fsh-XXX Firewall: Allowed IN=br0 OUT=eth0 MAC=00:50:56:90:1e:e2:00:50:56:a4:46:88:08:00 SRC=172.16.25.199 DST=142.XX.XX.XX LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=25834 DF PROTO=ICMP TYPE=8 CODE=0 ID=11 SEQ=17

I can see direct pings arriving on the remote DST IP (from fusionhub web interface tool), but the above logged ping from a host on the LAN does not arrive at the remote destination host.

So does this mean that this is a bug, or that it is not in the scope of FusionHub functionality? Or am I still not configuring properly?
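As an added example (not code from this thread or from Peplink), the script below reads firewall log lines in the format quoted above and lists the LAN-to-WAN flows that never got a matching WAN-to-LAN reply logged, which separates "packets leave but nothing returns" (a NAT or return-route problem) from "packets never leave". The sample lines are constructed; 203.0.113.10 stands in for the redacted remote host, and the br0/eth0 interface names are the ones that appear in the logged lines.

```python
import re

# Constructed sample lines in the format quoted in the thread; 203.0.113.10
# is a documentation address standing in for the redacted 142.XX.XX.XX host.
SAMPLE_LOG = """\
Sep 08 12:50:47 fsh-XXX Firewall: Allowed IN=br0 OUT=eth0 MAC=00:50:56:90:1e:e2:00:50:56:a4:46:88:08:00 SRC=172.16.25.199 DST=8.8.8.8 LEN=74 TOS=0x00 PREC=0x00 TTL=63 ID=12320 DF PROTO=UDP SPT=54412 DPT=53 LEN=54
Sep 08 13:18:22 fsh-XXX Firewall: Allowed IN=br0 OUT=eth0 MAC=00:50:56:90:1e:e2:00:50:56:a4:46:88:08:00 SRC=172.16.25.199 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=25834 DF PROTO=ICMP TYPE=8 CODE=0 ID=11 SEQ=17
Sep 08 13:18:23 fsh-XXX Firewall: Allowed IN=br0 OUT=eth0 MAC=00:50:56:90:1e:e2:00:50:56:a4:46:88:08:00 SRC=172.16.25.199 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=25901 DF PROTO=ICMP TYPE=8 CODE=0 ID=11 SEQ=18
Sep 08 13:18:23 fsh-XXX Firewall: Allowed IN=eth0 OUT=br0 MAC=00:50:56:a4:46:88:00:50:56:90:1e:e2:08:00 SRC=203.0.113.10 DST=172.16.25.199 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=4410 PROTO=ICMP TYPE=0 CODE=0 ID=11 SEQ=18
"""

LINE_RE = re.compile(r"Firewall: (?P<verdict>\w+) (?P<fields>.*)$")

def parse_line(line):
    """Return the verdict and key=value fields of one firewall log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict")}
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        # ICMP lines carry ID= twice (IP header ID, then the ICMP echo ID);
        # keep the second one under its own name so it is not overwritten.
        if key == "ID" and "ID" in rec:
            key = "ICMP_ID"
        rec[key] = val
    return rec

def unanswered_flows(log_text, lan_if="br0", wan_if="eth0"):
    """LAN->WAN flows (LAN host, remote host, proto, id/port pair) with no
    matching WAN->LAN reply anywhere in the log."""
    out, back = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["verdict"] != "Allowed":
            continue
        proto = rec.get("PROTO")
        # ICMP echo request/reply share ID and SEQ; UDP/TCP replies swap ports.
        if proto == "ICMP":
            ident = (rec.get("ICMP_ID"), rec.get("SEQ"))
        else:
            ident = (rec.get("SPT"), rec.get("DPT"))
        if rec["IN"] == lan_if and rec["OUT"] == wan_if:
            out.add((rec["SRC"], rec["DST"], proto) + ident)
        elif rec["IN"] == wan_if and rec["OUT"] == lan_if:
            rid = ident if proto == "ICMP" else (ident[1], ident[0])
            back.add((rec["DST"], rec["SRC"], proto) + rid)
    return sorted(out - back)
```

On the constructed sample this reports the DNS query and echo SEQ=17 as unanswered while SEQ=18 pairs with its reply; if the logging rule only matches the outbound direction, no replies will appear at all, so confirm it covers both directions before reading an empty reply set as a NAT failure.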

POSSIBLE SOLUTION: in trying various settings and troubleshooting I had tried to manually set a route to 0.0.0.0. I removed it and now I seem to be able to get through FusionHub. Maybe that conflicted with an automatic route?

I will continue to test and verify that all is working to see if I can configure my mikrotik devices as desired.

For anyone else trying to sort this out… I have just set up FusionHub with both public and internal LAN interfaces/IP addresses. For the WAN interface, the single radio button for NAT is selected (not using the IP forwarding mode and the NAT option hidden there).