Private WAN gateways
Private WAN doesn’t just allow remote sites to be networked together very easily—it also provides a number of ways to configure centralized access to resources outside the PWAN (for example, the Internet). Access can be configured via one of three types of gateways:
NAT via PWAN router: Traffic bound for the Internet is sent to the partner’s datacentre routers after being NAT’ed to an IP address specified in the management application.
Dedicated gateway via PWAN router: Traffic bound for the Internet is sent to a router dedicated to the space over a VLAN interface on the PWAN router.
Dedicated gateway via bonder: Traffic bound for the Internet is routed to a gateway connected to a bonder. This allows architectures where Internet access is controlled by a corporate gateway at the head office.
More detail about each type of gateway is provided below.
At least one type of gateway must be configured for PWAN bonds to have centralized Internet access. If a gateway is defined for a space at one routing group, bonds assigned to aggregators in other routing groups will use that gateway unless their routing group has a gateway of its own.
A space can use different types of gateways at different routing groups. For example, a space could offer a gateway via a bonder at a Vancouver routing group, if the head office was near Vancouver, and a gateway via a PWAN router at a New York routing group.
Only a single gateway can be configured for a space at any routing group. For example, a space could be configured with one type of gateway at a Vancouver routing group and another gateway at the New York routing group, but cannot be configured with two gateways at the Vancouver or New York routing groups.
Bonds in a PWAN space are not required to use centralized Internet access. In addition to a private PWAN connected IP, each bond can have a public connected IP excluded from the PWAN that routes to the Internet just like the connected IPs on bonds in non-PWAN spaces.
Gateway types
For details on configuring any type of gateway, please refer to Space private WAN.
NAT via PWAN router
In this mode, traffic bound for the Internet is sent to the partner’s datacentre routers after being NAT’ed on the PWAN router to an IP address specified in the management application. Because traffic is NAT’ed to a single public IP address, the PWAN gateway should be integrated into the partner’s dynamic routing network. If this isn’t done, at least one static route for each space needs to be configured in the partner’s routers.

When using this type of gateway, it may be useful to NAT inbound traffic to hosts inside the PWAN. For more information, see the Inbound NAT section below.
Dedicated gateway via PWAN router
In this mode, traffic bound for the Internet is sent to a router dedicated to the space over a VLAN interface on the PWAN router. Multiple spaces can be configured at a single routing group and each space can have its own VLAN.

The dedicated router should have appropriate routes pointing back to the PWAN router. For example, if the space has a bond with the connected IP 192.168.1.1/24, the dedicated router should have a route for 192.168.1.0/24 via the IP on the PWAN router’s VLAN interface. No NAT is applied, and the PWAN router does not need to be integrated into the partner’s dynamic routing network.
Dedicated gateway via bonder
In this mode, traffic bound for the Internet is routed to a gateway connected to a bonder. This allows architectures where Internet access is controlled by a corporate gateway at the head office. The gateway can perform filtering, caching, or other actions, and route traffic to the Internet via a normal, non-SD-WAN connection, or via a public connected IP not included in the PWAN.

As with a dedicated gateway via a PWAN router, the gateway should have appropriate routes pointing back to the bonder.
Inbound NAT
Inbound traffic to the PWAN router can be forwarded to hosts within the PWAN using a variety of NAT rules. This would typically be used when the gateway uses NAT via the PWAN router. When using a dedicated gateway via a PWAN router or via a bonder, it would be typical to manage inbound traffic on the third-party gateway instead of in SD-WAN.
Inbound traffic can be routed in two ways:
Applying a 1:1 NAT rule, where all traffic sent to a certain public IP on the private WAN router is forwarded to a single private IP address available within the space.
Applying port forwarding rules, which select traffic based on its protocol and port numbers, and send that traffic to a single private IP address on the same or a different port number.
When using inbound NAT rules, PWAN routers should be integrated into the partner’s dynamic routing network.
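The two rule types above expose very different amounts of an internal host: a 1:1 rule forwards all traffic for a public IP, while a port forward passes only one protocol and port. The following added example (not part of the product or its documentation) audits a rule set for review points; the `InboundRule` schema, the `audit` function, the sensitive-port list and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical rule schema for illustration; not the management application's model.
@dataclass(frozen=True)
class InboundRule:
    public_ip: str
    private_ip: str
    protocol: Optional[str] = None      # None means 1:1 NAT (all traffic)
    public_port: Optional[int] = None
    private_port: Optional[int] = None

# Assumed list of services that should rarely face the Internet.
SENSITIVE = {22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP"}

def audit(rules, space_prefixes):
    """Return (rule, finding) pairs for inbound rules that deserve review."""
    nets = [ipaddress.ip_network(p) for p in space_prefixes]
    one_to_one_ips = {r.public_ip for r in rules if r.protocol is None}
    seen, findings = set(), []
    for r in rules:
        if not any(ipaddress.ip_address(r.private_ip) in n for n in nets):
            findings.append((r, "target is outside the space's private prefixes"))
        if r.protocol is None:
            findings.append((r, "1:1 NAT exposes every port on the target"))
            continue
        if r.public_ip in one_to_one_ips:
            findings.append((r, "public IP also has a 1:1 rule; overlap needs review"))
        selector = (r.public_ip, r.protocol, r.public_port)
        if selector in seen:
            findings.append((r, "duplicate protocol/port selector"))
        seen.add(selector)
        if r.private_port in SENSITIVE:
            findings.append((r, f"forwards to {SENSITIVE[r.private_port]}"))
    return findings

# Constructed sample rule set (documentation address ranges).
RULES = [
    InboundRule("203.0.113.10", "192.168.1.20"),                    # 1:1 NAT
    InboundRule("203.0.113.11", "192.168.1.30", "tcp", 443, 8443),  # narrow forward
    InboundRule("203.0.113.11", "192.168.1.31", "tcp", 2222, 22),   # SSH on odd port
    InboundRule("203.0.113.10", "192.168.1.40", "udp", 53, 53),     # overlaps 1:1 IP
    InboundRule("203.0.113.12", "10.9.9.9", "tcp", 80, 80),         # wrong prefix
]

if __name__ == "__main__":
    for rule, finding in audit(RULES, ["192.168.1.0/24"]):
        print(f"{rule.public_ip} -> {rule.private_ip}: {finding}")
```

The sensitive-port check keys on the private port, so a management service published on a non-standard public port is still flagged.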