FusionHub, Peplink’s virtual SpeedFusion VPN concentrator, provides versatility for managed service providers. Not only does it give MSPs probably the easiest VPN configuration in the world for their customer devices, but it adds multi-WAN bandwidth aggregation and packet-level failover for their customers too – an awesome value add.
No Physical Restrictions
Up until the general availability of FusionHub, the only way to achieve SpeedFusion VPN termination in the cloud was to host a physical appliance in a datacenter – either alongside existing virtual servers in the same physical location as their underlying hypervisor hardware, or in an alternate third-party hosted datacenter environment where co-location of physical hardware was possible.
These location restrictions do not affect FusionHub, since as a custom virtual machine it can be hosted on the same existing hypervisor as other cloud-based VMs – greatly simplifying network topology and architecture.
The Simplest Way to use FusionHub
FusionHub was designed for outbound internet connection bonding as its primary purpose. The idea here is that a customer could have a Balance Router with 2, 3, 5, 7 or 13 DSLs (or other fixed line services like FTTC) connected to it (and a cellular USB dongle) and combine all of the available bandwidth together into a single logical VPN tunnel through which they can access the internet. In fact, any of our SpeedFusion enabled devices can be used with FusionHub (and single WAN devices too using PepVPN). As an example, a solution using an HD2 at the client site would look like this:
- A SpeedFusion tunnel is created from an HD2 with two cellular internet connections.
- The FusionHub terminates the SpeedFusion VPN connection and forwards all traffic back out to the internet using NAT.
- Outbound internet traffic goes back out to the internet using the FusionHub's WAN IP as the source.
With this configuration, a client PC connected to the LAN of the HD2 can use the aggregated bandwidth available from both cellular connections at the same time, and if one of the links were to fail, the user's session would stay connected as failover within SpeedFusion happens at a packet level (we call this Unbreakable VPN).
Adding more client devices
In this simplest form, a FusionHub can support as many remote devices as it is licensed for (assuming there is enough bandwidth at the cloud network to support their traffic). So adding additional devices is as easy as pointing their SpeedFusion profiles at the external IP of the FusionHub.
When more than one remote device is connected to a FusionHub in this way:
- All remote devices can route traffic to each other, as all remote LAN segments are advertised to each remote device over SpeedFusion (unless Layer 3 isolation is ticked in the FusionHub profile settings, which blocks access between remote networks).
- All remote devices will use the same single public IP on the WAN interface of the FusionHub for accessing the internet, with FusionHub providing outbound NAT.
- SpeedFusion enabled remote devices can bond available bandwidth across their WANs to provide higher bandwidth access to the internet as well as packet level failover in case a WAN link fails.
So an immediate question is who would use a FusionHub service like this? Here are some use cases:
A single site rural business with slow DSL speeds
Imagine a rural business, perhaps a farm shop, or one based in an industrial estate in the countryside far from the exchange. In the UK there are many examples of businesses like these who can only get 1-2Mbps of bandwidth over DSL with anything from 245 – 600Kbps upload – sometimes even these slow speeds can be extravagant depending on how far from the exchange they are. If that business had a hosted Fusionhub instance, they would be able to combine up to 13 DSLs at their office location (using a Balance 1350) and bond all of these connections together to give them faster download and upload speeds. Taking into account the VPN overhead – a rural site like this could get a virtual connection to the internet that is 20Mbps down and 6Mbps Up.
A home user with slow DSL speeds
I have seen a number of examples recently where DSL is poor <2Mbps but 3G+ is great (7Mbps+), and in these cases a Balance 20 with a USB cellular dongle connected gives a home user the ability to combine the available bandwidth over DSL and cellular to give them easy to manage bandwidth. Since the Balance and MAX client devices have great management of their WANs, they could even use a cellular connection with a capped bandwidth contract and stop using it automatically when the cap is reached. Of course they could also add additional DSLs too if they wanted.
Lowering latency for satellite broadband Users
Some home and business users with poor DSL speeds have installed satellite internet connections for improved bandwidth at their location. Satellite internet is great, but the high latency over a satellite link can reduce its viability for many typical internet services. SpeedFusion supports the concept of Asynchronous VPN where the download bandwidth of a satellite connection can be used in combination with the upload speeds of a DSL or cellular link to greatly reduce the perceived Round Trip Time (RTT) for data over the bonded link.
Mobile or temporary Sites
Our range of single and multi cellular routers in combination with a cloud-based FusionHub instance can provide high bandwidth, highly resilient connectivity just about anywhere. When using multi cellular devices with data connections from multiple service providers, a moving vehicle that passes in and out of the providers' coverage can seamlessly redirect traffic at a packet level across the available cellular links, keeping active sessions up and maintaining the connectivity throughput.
For Temporary site deployment, one of our cellular routers can be deployed immediately providing bonded bandwidth over whatever connectivity is available at the site (cellular, fixed lines, even using WiFi hotspots as a WAN) and then fixed lines can be added later if needed as they become available.
Advanced FusionHub Deployments
FusionHub is not a direct replacement for a full Balance appliance – rather it is a VPN concentrator/gateway, and as such it has a reduced feature set that reflects that role. It only supports a single virtual WAN adapter, for example (with a single WAN IP), and so cannot do load balancing, nor does it come with the full suite of perimeter management tools like advanced firewall management or outbound policies.
In fact the best way to think of FusionHub is as a gateway device/router to your SpeedFusion/PepVPN remote devices. If you want to manage the routing of network traffic to and from your PepVPN WAN then you will need an additional Layer 3 device in your cloud. A typical deployment might look like this:
In the example above we have:
- Remote Devices connected via cellular and fixed lines to the internet.
- These are connected via PepVPN to the FusionHub in the cloud.
- FusionHub has two virtual interfaces: its WAN, which has a public IP, and its LAN, which has an IP that is routable within the cloud environment.
- The remote sites can therefore connect to any IP on the LAN network of the FusionHub. This might be internal web servers, backup services, an IP CCTV storage solution – anything hosted in the cloud network.
- Alongside FusionHub we have a virtual firewall/router (a pfSense or Vyatta router perhaps) that has its own WAN IP(s) and is also connected to the LAN.
- The virtual router has a static route that uses the LAN IP of the FusionHub as a gateway to the remote devices.
- The virtual router performs three main roles:
  - It acts as the gateway device for the internally hosted cloud services.
  - It can forward requests for any of its WAN IPs via the FusionHub to the remote devices (NAT) so network services like SMTP / VoIP can be forwarded over SpeedFusion VPN to the remote devices.
  - It can act as the internet gateway for the remote devices, and using outbound NAT rules can statically assign one of its WAN IPs as the external IP of a remote device.
- The virtual router could also support OpenVPN or IPsec VPN connections to and from a third party network. This would allow a non Peplink WAN to be extended to incorporate a new SpeedFusion WAN using the Cloud as a connection node to the existing corporate WAN.
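The virtual router's three roles, sketched as an nftables ruleset for a Linux-based router. This is an added example, not Peplink's or the article's own configuration: it assumes nftables rather than pfSense or Vyatta, every interface name and address is constructed, and it assumes the remote devices' internet-bound traffic is handed from FusionHub to this router, which the article does not show how to configure.

```nft
#!/usr/sbin/nft -f
# Constructed addressing (documentation/private ranges, not from the article):
#   eth0 = virtual router WAN, public IPs 203.0.113.10 and 203.0.113.11
#   eth1 = cloud LAN 10.10.0.0/24, FusionHub LAN IP 10.10.0.2
#   remote LANs live in 10.20.0.0/16; site A is 10.20.1.0/24, mail host 10.20.1.10
# Static route to the remote devices via FusionHub (iproute2, applied separately):
#   ip route add 10.20.0.0/16 via 10.10.0.2 dev eth1

table ip fusionhub_edge {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Inbound NAT: SMTP arriving on a WAN IP is forwarded to the remote site
        iifname "eth0" ip daddr 203.0.113.11 tcp dport 25 dnat to 10.20.1.10
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound NAT: site A always leaves with its own dedicated WAN IP
        oifname "eth0" ip saddr 10.20.1.0/24 snat to 203.0.113.11
        # Other remote LANs and the cloud services share the primary WAN IP
        oifname "eth0" ip saddr { 10.20.0.0/16, 10.10.0.0/24 } snat to 203.0.113.10
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Only the forwarded SMTP service is reachable from the internet
        iifname "eth0" oifname "eth1" ip daddr 10.20.1.10 tcp dport 25 ct status dnat accept
        # Cloud services and remote sites may reach the internet through this router
        iifname "eth1" oifname "eth0" ip saddr { 10.10.0.0/24, 10.20.0.0/16 } accept
        # Cloud services reach remote LANs by hairpinning toward FusionHub
        iifname "eth1" oifname "eth1" ip saddr 10.10.0.0/24 ip daddr 10.20.0.0/16 accept
    }
}
```

Because FusionHub has no advanced firewall of its own, the default-drop forward chain on this router is where inbound exposure of the remote devices is actually limited.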
FusionHub to FusionHub VPN
Another capability of FusionHub that can be easily overlooked is its ability to create a PepVPN tunnel to other FusionHubs. This enables you to host multiple FusionHubs in multiple datacenters globally and easily interconnect them with dynamic routing included.
So you might have a global enterprise with a FusionHub hosted in a US datacentre for US-based locations to connect to, and another FusionHub hosted in the UK on Amazon Web Services with the UK sites connected to it. With a couple of clicks you can create a VPN between the two FusionHubs so that all of the UK sites can route traffic to all of the US sites. As new sites are connected in either region, routing is updated automatically and all existing sites can route traffic to the new site immediately.
Easy Centralised Management with InControl 2
FusionHub appliances, like all of Peplink’s products, can be centrally managed using InControl 2, our cloud management platform. This gives an MSP a single pane of glass for all devices and virtual appliances globally.
This has been a really quick look at what FusionHub is and how you can use it in your deployments. Hopefully you have found it useful. If you have any questions about FusionHub or your own deployment of it do feel free to get in touch – I’d love to help.