Balance Speedfusion VLAN Connectivity


#1

Hello,

I’m certain I found posts about what I am looking to do a few months ago, but was unable to find the posts again while searching over the weekend. Here is what I am looking to do:

Headquarter site Balance 380
Remote sites have Balance 20 or Balance 30
Speedfusion VPNs are set up between the sites.

Headquarter site has a specific VLAN (11) that needs to be able to reach VLAN 10 at each of the remote sites, but the remote sites (VLAN 10s) should not be able to see each other. It is not necessary for VLAN 10 at the remote sites to be able to see VLAN 11 at headquarters.

Thank you for your help or pointing me to the proper post.


#2

Jon,

Your requirements were similar to mine. First off, I don’t think from my understanding you can truly utilize speedfusion without both ends of the Balances being speedfusion-capable. Balance 20 and 30 have pepvpn but not speedfusion. In terms of the VLANs not being able to talk to each other, you’re going to want to block the networks (VLANs) in the internal firewall settings on the 380. Or you can turn “nat mode” on at the 380 end of the speedfusion tunnel so that your remote traffic goes through nat first coming back to the 380.

In my situation I am using this for a hosted voip environment, so I have “nat mode” turned off, but you may benefit from that for your situation. Either way, give them a shot and see if you can or can’t ping certain devices from each end.


#3

Thanks for your quick reply TJ.

I was using the ping utility from within the router, which does not work reliably across a PepVPN. Turns out, everything was working as expected; it just appears to time out when pinging from inside the router. The actual machines on the network are able to communicate without issue!

Also, your comment about changing the NAT setting due to hosted VoIP struck me as strange. I reached out to my VoIP engineer and confirmed we don’t make any such changes for our hosted VoIP customers. The only changes we make in a Peplink environment are to set All VoIP Protocols to Highest priority and under Service Passthru we change SIP to Compatibility Mode. I’m curious what benefit you receive changing from NAT to IP Forwarding… could you elaborate? I’m not sure if we will be doing any new VoIP deployments with Peplink routers unless they add MAS scoring or something similar. I understand it is in the pipeline, but kinda seems like an essential metric for enterprise VoIP.


#4

Hi guys

NAT mode is the correct direction to look at.

However, allow me to double-confirm the requirements, which are as stated below (correct me if I’m wrong)…

  1. HQ VLAN to be able to access every remote VLAN
  2. Remote VLANs isolated from one another
  3. No requirement to allow remote VLAN access to HQ VLAN

If the above is correct, all you need is to enable “NAT mode” for each of your Balance 20/30’s PepVPN profile for connecting back to HQ.
This way, HQ will be assigned an IP of the local subnet when connecting to the remote site, and be able to access the local subnets shared by this particular remote site’s routing table.
Traffic this way is uni-directional, which fits the above 3 requirements.


#5

Ah, I see now what you’re doing. And in regards to NAT, I was talking about NAT within the pepvpn tunnel, not from WAN-LAN and vice versa. As KV Chen stated above, this is probably your best route to go for what you are trying to do. Natting within the vpn tunnel and then again from LAN-WAN and vice versa isn’t the way to go for quality purposes. Double natting with voip never works out correctly. My setup is a bit unique in what I am trying to do though, with my setup only being for the hosted environment for our VoIP customer base. We are sitting high end balance devices at our data centers and allowing a speedfusion connection from our customers to our data centers, and each speedfusion peer doesn’t communicate with one another. I hope this clears things up.