Configuring Outbound Policy

It was stated that the SOHO MK3 has a restriction that only one WAN can be priority 1 in PepVPN outbound policy configuration. Does that mean that when the first outbound policy of Priority is created, any further outbound policies of Priority must be in exactly the same priority order?

And is USB in the Priority Order list for the SOHO MK3 PepVPN outbound policy configuration, or just WAN and Wi-Fi as WAN? Also, what outbound policies can be created? Just Priority, or others too like Enforced?

I no longer have a SOHO MK3, so can’t test it myself. The posts from @Jason_Seib say ‘I got it to work by following the steps provided by @Rokas_Musteikis. The rules area is located in the PepVPN of the advanced tab section. Originally, when I clicked on PepVPN it only had a local ID box with a greyed-out name. If you click save on that box, it opens up the rest of the page which contains the rules area. It doesn’t say “outbound policy” anywhere but that is the correct outbound rules area’. So does this mean Jason_Seib got the XBOX set to WAN priority 1 in one outbound rule and the rest of his devices on Verizon set to Wi-Fi as WAN priority 1 in a second outbound rule?

If Jason_Seib was successful in doing this, then the PepVPN outbound policy configuration means that the Surf SOHO is working as a dual WAN router with WAN and Wi-Fi as WAN active at the same time. Or possibly even more if the USB is part of the Priority Order and can be set above WAN or above Wi-Fi as WAN (granted, if you can configure USB this way it doesn’t mean that it actually works on the SOHO MK3, just that Peplink either needs to ban configuring USB above anything, or make USB work for more than failover to honor what can be configured).

I finally had some time to look at my setup and found that it’s not working as I would like. I decided to test it by setting up two new rules, the same as before, but using IPs of computers, so I can speed test and see where they are getting their signal. I have T-Mobile in WAN ethernet and Verizon in WAN USB. I tried testing both computers with T-Mobile on top and Verizon below on the priority list of the outbound rule. With this arrangement, they both used the Verizon signal. I reversed the options, moving Verizon on top with T-Mobile below. Once again, both used the Verizon signal. Then I navigated over to the dashboard and changed Verizon(USB) from priority 1 to priority 2, and T-Mobile from 2 to 1 and repeated the tests. This caused both computers to use T-Mobile instead of Verizon. It appears that the priority levels of your WANs on the dashboard supersede any outbound rule priorities. It just throws it at whichever WAN is priority 1 on your dashboard.

Next, I tested the same rules as before, set to “enforced” instead of “priority”. This worked for controlling which signal the individual computers received. I was able to run simultaneous speed tests for both Verizon and T-Mobile with this layout. The one problem I ran into with “enforced” rules was with the YouTube app on my Apple TV. If I enforce it to T-Mobile with Verizon active in the USB, the app won’t load, although it works fine if I shut off my Verizon hotspot. All the other apps worked in this configuration; I would use this setup if not for the YouTube app.

My solution, for now, is to put Verizon(USB) as priority 1 and T-Mobile(WAN ethernet) as priority 2 on the dashboard page. Then keep the Verizon hotspot off unless I want to game on the Xbox or download a large file. In that case, I’ll turn on the Verizon hotspot so it can take over as priority 1. Does anyone know why the SOHO doesn’t use the priority 1 WAN that it should in an outbound rule?

Here are some configuration guidelines from the Peplink Surf Soho manual:

  • Outbound Policies are applied only when more than one WAN connection is Active. Hopefully the Dashboard shows both WAN (T-Mobile) and WAN USB (Verizon) as WAN Connected and active for you.

  • The Soho supports Enforced and Priority outbound policies. You should probably enable “Terminate Sessions on link recovery”. Otherwise, a session can remain connected on the wrong WAN. See:

  • I don’t know if “Independent from Backup WANs” needs to be enabled, but probably. Same thing with Standby State. It may need to be configured so that the connection remains connected, not disconnected, when the WAN connection is no longer in the highest priority and has entered the standby state.

I don’t know how re-arranging Priority on the Dashboard affects the priority you select in the Priority Outbound Policy (I no longer have a Surf Soho, but have ordered one to arrive in a week or two). I am assuming that the priority order you set in the Priority Outbound Policy is unaffected. And does that mean that anything in the Outbound Policy list is executed before the Priority settings in Outbound Policy or the reverse, with the Dashboard settings superseding the Outbound Policy which seemed to be your experience (but were the two WAN connections active as required to execute Outbound Policies…)? Hopefully someone can clarify this.

The Enforced Outbound Policy seemed to behave much more as I expected with the exception that the YouTube app on your Apple TV misbehaved. I wonder if this could have something to do with the configurations which I mention above, particularly “Terminate Sessions on link recovery”. Another thought which occurred to me is whether Apple or YouTube tries to connect back via an Inbound connection. It seems like a remote possibility unless there was Port Forwarding going on. But then again, FTP transfers can do this. Again, maybe someone can lend assistance on this.

Finally I will comment that you got further than I did on Enforced connections in 2018 using WAN USB. I wonder if that is because you had WAN USB at Priority 1 or Priority 2, not Priority 3 on the Dashboard (I can’t remember anymore what I did). Perhaps Priority 3 is always reserved for Cold Standby so that you can only have two Active connections. Another difference is that I was using WAN USB with a USB to Ethernet adapter. Probably Peplink (@TK_Liew?) would be best to comment.

Testing on 8.1.3 reveals the secret, rather bizarre behavior of Outbound Policy Rules for Surf Soho under PepVPN. I set up WAN as Priority 1 (Connected) and USB to a second Ethernet line as Priority 2 (Standby).

  • Enforced rules work as expected. You can enforce traffic to either WAN (Connected) or USB (Standby).

  • Priority rules for some reason will not honor USB in Standby mode even though USB in Standby mode is honored for Enforced rules. As a result, when you use Priority rules with Drop the Traffic for USB (Standby) in the interface list by itself, no traffic goes out on USB or WAN. If you expand the interface list to USB (Standby) followed by WAN (Connected), traffic goes out on WAN.

This looks like a bug in the Priority outbound policy rule handling of Standby, which is Priority 2 on the Dashboard. @TK_Liew, do you agree that Priority rules should be honoring USB (Standby), similar to Enforced rules honoring USB (Standby)?

@Rokas_Musteikis, your 7 Oct 2021 directions were to use a Priority rule. It turns out that your advice (thank you) didn’t work because of this bug.

@Jason_Seib, I don’t know why your YouTube app on your Apple TV doesn’t follow your Enforced rules and I don’t have a setup to test this. I do wonder if you did not have “Terminate Sessions on Connection Recovery” enabled, which would allow existing connections to continue when you dynamically changed configurations. You may need to get Peplink to look into this.

Testing notes: WAN was to Comcast. USB was to Centurylink using a TP-Link TL-UE300 USB 3.0 to RJ45 Gigabit Ethernet Network Adapter.

@Paul_Mossip has provided the key to making the Output Priority rule work on the Surf Soho. On WAN configuration, enable “Independent from Backup WANs” which puts multiple WANs in priority 1.

I did this for WAN and USB, and voila, the Outbound Priority rules worked as desired and expected. For the record, the order of interfaces within Priority 1 defines the order of failover.

CC: @Rokas_Musteikis and @TK_Liew