=====================
Private WAN gateways
=====================

Private WAN does more than make it easy to network remote sites
together: it also provides several ways to configure centralized
access to resources outside the PWAN (for example, the Internet). Access
can be configured via one of three types of gateway:

#. NAT via PWAN router: Traffic bound for the Internet is sent to the
   partner's datacentre routers after being NAT'ed to an IP address
   specified in the management application.
#. Dedicated gateway via PWAN router: Traffic bound for the Internet is
   sent to a router dedicated to the space over a VLAN interface on the
   PWAN router.
#. Dedicated gateway via bonder: Traffic bound for the Internet is
   routed to a gateway connected to a bonder. This allows architectures
   where Internet access is controlled by a corporate gateway at the
   head office.

More detail about each type of gateway is provided below.

At least one type of gateway must be configured for PWAN bonds to have
centralized Internet access.
If a gateway is defined for a space at one routing group, bonds assigned
to aggregators in other routing groups will use that gateway unless
their routing group has a gateway of its own.

A space can use different types of gateways at different routing groups.
For example, a space could offer a gateway via a bonder at a Vancouver
routing group, if the head office was near Vancouver, and a gateway via
a PWAN router at a New York routing group.

Only a single gateway can be configured for a space at any routing
group. For example, a space could be configured with one type of gateway
at a Vancouver routing group and another gateway at the New York routing
group, but cannot be configured with two gateways at the Vancouver or
New York routing groups.

Bonds in a PWAN space are not required to use centralized Internet
access. In addition to a private PWAN connected IP, each bond can have a
public connected IP excluded from the PWAN that routes to the Internet
just like the connected IPs on bonds in non-PWAN spaces.


Gateway types
--------------

For details on configuring any type of gateway, please refer to `Space
private WAN <../../spaces/space-private-wan.html>`__.

NAT via PWAN router
++++++++++++++++++++

In this mode, traffic bound for the Internet is sent to the partner's
datacentre routers after being NAT'ed on the PWAN router to an IP
address specified in the management application. Because traffic is
NAT'ed to a single public IP address, the partner's routers must know
how to reach that address: the PWAN gateway should be integrated into
the partner's dynamic routing network, or, if this isn't done, at least
one static route for each space needs to be configured in the partner's
routers.

|image0|

When using this type of gateway, it may be useful to NAT inbound traffic
to hosts inside the PWAN. For more information, see the Inbound NAT
section below.

Dedicated gateway via PWAN router
++++++++++++++++++++++++++++++++++

In this mode, traffic bound for the Internet is sent to a router
dedicated to the space over a VLAN interface on the PWAN router.
Multiple spaces can be configured at a single routing group and each
space can have its own VLAN.

|image1|

The dedicated router should have appropriate routes pointing back to the
PWAN router. For example, if the space has a bond with the connected IP
192.168.1.1/24, the dedicated router should have a route for
192.168.1.0/24 via the IP on the PWAN router's VLAN interface. No NAT is
applied, and the PWAN router does not need to be integrated into the
partner's dynamic routing network.

Dedicated gateway via bonder
+++++++++++++++++++++++++++++

In this mode, traffic bound for the Internet is routed to a gateway
connected to a bonder. This allows architectures where Internet access
is controlled by a corporate gateway at the head office. The gateway can
perform filtering, caching, or other actions, and route traffic to the
Internet via a normal, non-SD-WAN connection, or via a public
connected IP not included in the PWAN.

|image2|

As with gateways via a PWAN router, the gateway should have appropriate
routes pointing back to the bonder.
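An added check for the return routes described in this section and the previous one (example code, not the product's own). Given the next hop the gateway is expected to use toward the space (the PWAN router's VLAN-interface IP here; for the bonder case it would be the bonder's IP), the space's bond connected IPs and the gateway's route table, all constructed values, it reports every bond subnet whose return traffic would not be sent back that way, including the case where only the default route matches because a return route is missing.

```python
import ipaddress

# Constructed values (assumptions, not from the page): the PWAN router's
# VLAN-interface IP toward the dedicated router, the space's bond connected
# IPs, and the dedicated router's route table as (prefix, next hop).
PWAN_VLAN_IP = "10.200.1.1"

BOND_CONNECTED_IPS = [
    "192.168.1.1/24",  # the bond from the text above
    "192.168.2.1/24",
    "172.16.5.1/22",
]

DEDICATED_ROUTER_ROUTES = [
    ("0.0.0.0/0", "203.0.113.1"),      # default route toward the Internet
    ("192.168.1.0/24", "10.200.1.1"),  # correct return route via the PWAN router
    ("192.168.2.0/24", "10.200.9.9"),  # return route with the wrong next hop
    # no route at all for 172.16.4.0/22
]

def best_route(subnet, routes):
    """Longest-prefix match for a whole subnet: the most specific route that
    covers every address in it, as (network, next_hop), or None."""
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if subnet.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ipaddress.ip_address(next_hop))
    return best

def check_return_routes(connected_ips, routes, expected_next_hop):
    """Return [(subnet, reason)] for every bond subnet whose traffic the
    gateway would NOT send back via expected_next_hop (no NAT hides this)."""
    expected = ipaddress.ip_address(expected_next_hop)
    problems = []
    for cidr in connected_ips:
        subnet = ipaddress.ip_interface(cidr).network
        match = best_route(subnet, routes)
        if match is None:
            problems.append((str(subnet), "no route covers this subnet"))
        elif match[1] != expected:
            where = "the default route" if match[0].prefixlen == 0 else f"route {match[0]}"
            problems.append((str(subnet), f"{where} sends it to {match[1]}, not {expected}"))
    return problems

if __name__ == "__main__":
    for subnet, reason in check_return_routes(BOND_CONNECTED_IPS, DEDICATED_ROUTER_ROUTES, PWAN_VLAN_IP):
        print(f"{subnet}: {reason}")
```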

Inbound NAT
------------

Inbound traffic to the PWAN router can be forwarded to hosts within the
PWAN using a variety of NAT rules. This is typically used when the
space's gateway is NAT via the PWAN router. With a dedicated gateway via
a PWAN router or via a bonder, inbound traffic is normally managed on
the third-party gateway instead of in SD-WAN.

Inbound traffic can be routed in two ways:

#. Applying a 1:1 NAT rule, where all traffic sent to a certain public
   IP on the private WAN router is forwarded to a single private IP
   address available within the space.
#. Applying port forwarding rules, which select traffic based on its
   protocol and port numbers and send it to a single private IP
   address on the same or a different port number.

When using inbound NAT rules, PWAN routers should be integrated into the
partner's dynamic routing network.
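An added model of the two inbound NAT rule types above (example code, not the product's own): it resolves where an inbound flow ends up, flags port forwarding rules that a 1:1 rule on the same public IP would shadow, and produces an exposure inventory per internal host for review. The rule set, the addresses and the assumption that a 1:1 rule takes precedence over port forwards on the same public IP are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class OneToOneNat:      # all traffic to public_ip goes to private_ip
    public_ip: str
    private_ip: str

@dataclass(frozen=True)
class PortForward:      # only the matching proto/port is forwarded
    public_ip: str
    proto: str          # "tcp" or "udp"
    public_port: int
    private_ip: str
    private_port: int   # same as public_port, or a different one

# Constructed rule set (assumption, not from the page); public IPs sit on
# the PWAN router, private IPs are hosts inside the space.
RULES = [
    OneToOneNat("198.51.100.10", "192.168.1.10"),
    PortForward("198.51.100.11", "tcp", 443, "192.168.1.20", 8443),
    PortForward("198.51.100.11", "udp", 1194, "192.168.1.21", 1194),
    PortForward("198.51.100.10", "tcp", 80, "192.168.1.30", 80),  # shadowed by the 1:1 rule
]

def resolve(rules, public_ip, proto, port):
    """(private_ip, private_port) for an inbound flow, or None. Assumes a 1:1
    rule claims every port of its public IP before port forwards apply."""
    for r in rules:
        if isinstance(r, OneToOneNat) and r.public_ip == public_ip:
            return (r.private_ip, port)
    for r in rules:
        if (isinstance(r, PortForward) and r.public_ip == public_ip
                and r.proto == proto and r.public_port == port):
            return (r.private_ip, r.private_port)
    return None

def shadowed_rules(rules):
    """Port forwards that can never match because a 1:1 rule already takes
    all traffic for the same public IP; worth flagging before deployment."""
    one_to_one_ips = {r.public_ip for r in rules if isinstance(r, OneToOneNat)}
    return [r for r in rules if isinstance(r, PortForward) and r.public_ip in one_to_one_ips]

def exposure(rules):
    """{private_ip: {'all ports' | 'proto/port', ...}} reachable from outside."""
    out = {}
    for r in rules:
        if isinstance(r, OneToOneNat):
            out.setdefault(r.private_ip, set()).add("all ports")
        elif r not in shadowed_rules(rules):
            out.setdefault(r.private_ip, set()).add(f"{r.proto}/{r.private_port}")
    return out
```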

.. |image0| image:: /attachments/12320814/12320829.png
.. |image1| image:: /attachments/12320814/12320977.png
.. |image2| image:: /attachments/12320814/12320832.png
