Single static public IP from any WAN source

https://forum.peplink.com/t/single-static-public-ip-from-any-wan-source/15184/2

Normally the static IP is automatically assigned to the SIM-card, as long as you use the right APN settings.

Example: Dutch provider KPN has multiple standard APNs, such as ‘internet’ and ‘kpn4g.nl’.
When using these APNs, you will always get a dynamic IP address.

When a customer has requested a static IP address, they are told to use the ‘advancedinternet’ APN.
If you configure this correctly in your Peplink/Pepwave device at the Cellular settings, it should work.

*** We have heard that Verizon will give you a static IP address for a one-time charge of 500.00. However, that will work by way of the APN setup, meaning they will issue an IP address that will not change, providing by way of APN (similar to DHCP) Dynamic but offer a “Reservation” of the IP that is allocated to the devices.

MartinLangmaid (Regular)

Apr 04, 2018

This kind of requirement comes up quite regularly and everyone will have their own approach depending on the politics and technical/compliance requirements but this is what I would do.

  1. Set the default LAN on the BR1 as the volunteer network. Let them connect via its wifi AP or plug in a switch to LAN1 for any volunteer wired device connectivity. They can do what they want on this network pretty much (within the bounds of available bandwidth).
  2. Create a new VLAN, assign it to the LAN2 port, disable inter-VLAN routing and plug the managed secure network VPN router into that port. (The volunteer network users can’t even ping this network using this configuration, but even if they could, the only thing they can access is the WAN of the secure router, which will be locked down tight as a drum.)
  3. Create a PepVPN tunnel between the BR1 and either a Cloud Hosted FusionHub (option 1) or a Balance device in the secure HQ/DC (option 2). Set the secure router to send all of its traffic over the PepVPN.
  4. Using either option 1 or 2 presents traffic from the WAN of the secure router from a known static IP (the FusionHub’s public IP or the Balance LAN IP in the DMZ), which stays the same no matter how the BR1 is actually connected to the internet.
  5. Since the secure router has a static IP it can now create its own secure VPN connection over the existing PepVPN connection. All secure devices can be plugged into the LAN of the secure router onboard the vehicle and only these devices can communicate with the central secure network.
  6. The volunteers can then have full control of the BR1 and manage how it connects to the internet. They can connect to any public wifi hotspot, use cellular or wifi WAN or plug direct into a landline network connection (if one was available). Once they have connected the BR1 to the internet, the PepVPN connection will come up, then the secure router onboard can create its IPsec tunnel and secure traffic will flow.
  7. If it was me, I would then physically isolate the onboard secure router, likely in a lockable cabinet/comms rack or Peli-style case with a padlock, so that no one can accidentally (or otherwise) plug a volunteer device into the secure router. The onboard secure network is then logically and physically isolated from everything else.
  8. I would also consider a bigger MAX device that supports SpeedFusion Bonding so that I could enable WAN smoothing and use multiple WAN links at the same time to guarantee the delivery of the IPsec VPN traffic.
