Best firewall to use with a Peplink 580?

Hi All,

We use a Peplink 580 to distribute the bandwidth of 5 ISPs across our office. Before we started using the Peplink, we had only 2 ISPs and used a DrayTek Vigor 2820n to manage the load. The DrayTek had a really comprehensive built-in firewall compared to the Peplink. I have read as much as I can about using drop-in mode but i don’t know if this is the right solution for us.

Can anyone tell me if they use any other firewall/proxy in conjunction with the Peplink (other than a Microsoft ISA server) and how they have it set up? I’m looking into UnTangle or GFi WebMonitor as possible solutons but don’t really want to have a proxy setup - unless I am able to tell the Peplink the proxy server to use and all other clients follow suit.


Drop-in mode should be the right solution for you.

Any decent firewall should work well with Peplink. I have come cross customer using firewall from all the big names alongside Peplink.

First of all we want to be setting up your firewall as usual - as if you had only one WAN. Once everything is all set and tested to be working, then we will move on to configuring Peplink in Drop-in mode. This page will work though the config. Many users are actually surprised by how easy it is to deploy a Peplink in Drop-in mode. Once Peplink is also set, we can then simply “drop” it in-between your WAN1 modem and your firewall. Once everything goes well after Peplink comes in the picture, we can then connect your other WAN to Peplink’s WAN2/3/4/5 and enjoy the extra bandwidth and resiliency that comes with it.

Hi Kurt

Thanks for your reply. I did try the method you suggested but had issues with the NAT and only had a limited time to get it working.

Do you know if my other options of UnTangle or GFi Web Monitor would work in conjunction with the Balance 580 or can you recommend any other software firewalls?

Just out of interest, I know the Balance 580 can be used in drop-in mode between a firewall and the network but is it possible for a physical firewall to be dropped in between the Balance 580 and the network? (assuming the physical firewall had such a drop-in feature).

Many thanks,

In Drop-in mode Peplink will be bridging your WAN1 modem and the firewall. Peplink will only provide NAT for your other WAN e.g. WAN2-5. There should be difference before and after Peplink. I believe your issue with NAT exists before Peplink comes in?

It better be! I’m kidding. It’s definitely possible. I just finished looking into about 30 such devices in preparation for our move to SpeedFusion VPN. I was looking for an affordable transparent anti-malware web security appliance (we’ll need six of them… 5 sites and a spare) without all the bells and whistles of a full-blown Unified Threat Management (UTM) device that includes full router functionality, VPN capability, etc., etc. The Peplink Balance devices do it all except anti-malware, so an ideal device for our deployment would be something that can sit transparently between our Peplink Balance routers and our LAN switches and handle anti-malware only. Problem is, those devices can be very expensive, usually even more expensive than devices that do it all in one box. I was looking for something affordable, and something that was IPv6-ready. We don’t want to buy six devices that could prevent us from moving to IPv6 down the road if we decide to. So, based on the requirements of affordability and IPv6, it turns out that our options are pretty limited. We will probably just go with SonicWALL TZ 205s and install them in “in-line layer 2 bridge mode.” That is sort of like SonicWALL’s version of “drop-in mode.” The TZ 205 has way more capability than we’re looking for, but installing these inexpensive UTM devices and using them solely for their anti-malware functionality should do the trick. And, they’re IPv6-ready.
If anyone else is willing to chime-in here I would be interested to see what devices other Peplink Balance customers have installed for network security.


Even if Peplink balance is a fantastic device, I never use firewall functionnality. I prefer to use a “real” firewall like Palo Alto or Fortinet.
For antimalware appliance, in fact, these kind of device (like fireeye) are quite expensive.
You should have look at Damballa. They offer a Microsensor that can be deployed at branch site (1,5K) and a management console at the HQ.

Hope it can help you.



Hi Ralph and Paul

Thanks very much for your suggestions - both seem to be the type of thing I was looking for. I’ll do some more research about those.

Thanks again