How to Add a Public IP to a device on the LAN of a Peplink Router

Created by Steve Taylor, Modified on Wed, 28 Jun, 2023 at 6:25 PM by Steve Taylor

Scenario:-


Transit Duo with 2 x cellular connections providing a temporary installation for a corporate customer, whilst they wait for a fixed-line.  However, their Firewall on the LAN of the Transit needs a Public IP address.


Solution:-

Install a FusionHub Solo on Vultr

Once the FusionHub has been initialised and the status changes to "Running" Click on the settings for the FusionHub and add a second IPv4 IP address - this is the IP address that will be used for the customer's Firewall.



We see the following details for our FusionHub:

Primary IP is 78.141.234.147
Additional IP is 192.248.173.204


Use a Subnet Calculator


Use something like this tool > Here < to work out the Host Address Range needed for the additional IP address (192.248.173.204 in our example).  Ideally we want to use a /30 network, where possible, as this only has 2 IP addresses (the Host and one for the LAN).  However, with our IP address, this doesn't work - we need to use a /29 network:-


This is the /30 network:-


This is the /29 network:-


With the /29 network, our IP address (192.248.173.204) is in the Host Address Range.



Transit Config

NOTE - 

Do not save / apply the changes until the config on Transit / Peplink router is complete, otherwise you may lose access via InControl


Transit LAN Networks

Set the Transit LAN IP to fit.  For our IP address we can use 192.248.173.201 (remember this is a /29 network) as the LAN IP and then create 192.148.173.204 as the only DHCP option, with a 5 minute lease time (customer's will always want to try this with their laptop first)!  Change the name of the VLAN to "Routed Public IP".


Add a new LAN to the Transit, called "Management IP" and this is a normal /24 network - note, we've re-used the untagged LAN, so this can be the default 192.168.50.1....  A new SSID can be created and associated with this VLAN.




Transit Port Settings


Change the LAN port to Access / Routed Public IP

Where a Peplink device with multiple LAN ports is used, then use LAN 1 for the "Routed Public IP" and then change all of the remaining ports to Access but select the Management LAN - this will ensure anything else connected to those ports will still have access to the internet, but we won't have multiple devices all trying to use the same public IP Address.



Add a Static Route for a new public IP


The idea here is that we only want to advertise a single Public IP over VPN and te only way we can do that is with a /32 static route so we add one:

 


Configure OSPF Route Advertisement


We have to change this as by default the entire /29 subnet would be advertised over the VPN and we only want to advertise the single IP. So we change Network Advertising to just the Management Network and then make sure Static Route Advertising is enabled that then advertises the /32 static route we added over OSPF to the Fusionhub.


Configure a new SSID

Add a new SSID (if not already configured) and assign that to the Management VLAN.


Build the VPN to the FusionHub as normal


This is a normal, Layer 3 VPN between the Transit / Peplink router and the FusionHub.



Configure Outbound Policies


One Policy where Destination is the Domain Peplink.Com - local Breakout (lowest latency / Priority - cell 1, cell2) - The idea is that Peplink.com traffic MUST not use the VPN


Second Policy where the Source is our IP address 192.248.173.204 / Destination is Any - Algorithm is Enforced - VPN




The Changes can be saved and Applied now


FusionHub Configuration


Change the WAN Configuration from NAT to IP Forwarding and disable NAT on Remote Peers



Complete the VPN / SpeedFusion configuration as normal.


The Public IP address should now be available to the device connected to the LAN port of the Transit.



Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article