Scenario:-
Transit Duo with 2 x cellular connections providing a temporary installation for a corporate customer, whilst they wait for a fixed-line. However, their Firewall on the LAN of the Transit needs a Public IP address.
Solution:-
Install a FusionHub Solo on Vultr
Once the FusionHub has been initialised and the status changes to "Running", click on the settings for the FusionHub and add a second IPv4 address. This is the IP address that will be used for the customer's Firewall.
We see the following details for our FusionHub:
Primary IP is 78.141.234.147
Additional IP is 192.248.173.204
Use a Subnet Calculator
Use a subnet calculator to work out the Host Address Range needed for the additional IP address (192.248.173.204 in our example). Ideally we want to use a /30 network, where possible, as this has only 2 usable IP addresses (the Host and one for the LAN). However, with our IP address this doesn't work, because 192.248.173.204 is the network address of its /30 and so cannot be assigned to a host. We need to use a /29 network:-
This is the /30 network:-
This is the /29 network:-
With the /29 network, our IP address (192.248.173.204) is in the Host Address Range.
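The subnet-calculator step above, as an added example that is not part of the original article: a Python sketch that finds the smallest network in which the additional IP is a usable host, picks the first other host as the Transit LAN IP, and gives the /32 used for the static route. The function names are hypothetical; the addresses are the ones used in this article.

```python
import ipaddress


def smallest_usable_subnet(ip, longest_prefix=30, shortest_prefix=24):
    """Return the smallest network (as a string) in which `ip` is a usable
    host, i.e. neither the network address nor the broadcast address."""
    addr = ipaddress.ip_address(ip)
    for prefix in range(longest_prefix, shortest_prefix - 1, -1):
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        if addr not in (net.network_address, net.broadcast_address):
            return str(net)
    raise ValueError(f"{ip} is not a usable host in any /{shortest_prefix}-/{longest_prefix}")


def lan_plan(ip):
    """Work out the values needed for the Transit LAN settings."""
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(smallest_usable_subnet(ip))
    hosts = list(net.hosts())
    # Router LAN IP: first usable host that is not the customer's address.
    router_ip = next(h for h in hosts if h != addr)
    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "host_range": f"{hosts[0]} - {hosts[-1]}",
        "broadcast": str(net.broadcast_address),
        "router_lan_ip": str(router_ip),
        "dhcp_only_address": str(addr),      # single-address DHCP pool
        "static_route": f"{addr}/32",        # the only prefix advertised over the VPN
    }


if __name__ == "__main__":
    # The additional IP assigned to the FusionHub in this article.
    for key, value in lan_plan("192.248.173.204").items():
        print(f"{key:18} {value}")
```
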
Transit Config
NOTE -
Do not save / apply the changes until the config on Transit / Peplink router is complete, otherwise you may lose access via InControl
Transit LAN Networks
Set the Transit LAN IP to fit. For our IP address we can use 192.248.173.201 (remember this is a /29 network) as the LAN IP and then create 192.248.173.204 as the only DHCP option, with a 5 minute lease time (customers will always want to try this with their laptop first)! Change the name of the VLAN to "Routed Public IP".
Add a new LAN to the Transit, called "Management IP"; this is a normal /24 network. Note that we've re-used the untagged LAN, so this can be the default 192.168.50.1. A new SSID can be created and associated with this VLAN.
Transit Port Settings
Change the LAN port to Access / Routed Public IP
Where a Peplink device with multiple LAN ports is used, then use LAN 1 for the "Routed Public IP" and then change all of the remaining ports to Access but select the Management LAN - this will ensure anything else connected to those ports will still have access to the internet, but we won't have multiple devices all trying to use the same public IP Address.
Add a Static Route for a new public IP
The idea here is that we only want to advertise a single Public IP over the VPN, and the only way we can do that is with a /32 static route, so we add one:
Configure OSPF Route Advertisement
We have to change this because, by default, the entire /29 subnet would be advertised over the VPN and we only want to advertise the single IP. So we change Network Advertising to just the Management Network and then make sure Static Route Advertising is enabled. This advertises the /32 static route we added over OSPF to the FusionHub.
Configure a new SSID
Add a new SSID (if not already configured) and assign that to the Management VLAN.
Build the VPN to the FusionHub as normal
This is a normal, Layer 3 VPN between the Transit / Peplink router and the FusionHub.
Configure Outbound Policies
One Policy where the Destination is the Domain Peplink.com - local breakout (Lowest Latency / Priority - cell 1, cell 2). The idea is that Peplink.com traffic MUST NOT use the VPN.
Second Policy where the Source is our IP address 192.248.173.204 / Destination is Any - Algorithm is Enforced - VPN
The Changes can be saved and Applied now
FusionHub Configuration
Change the WAN Configuration from NAT to IP Forwarding and disable NAT on Remote Peers
Complete the VPN / SpeedFusion configuration as normal.
The Public IP address should now be available to the device connected to the LAN port of the Transit.