Configuring SpeedFusion behind a firewall

If Balance/MAX unit is placed behind a firewall, you would need to define the firewall rules and inbound port forwarding policy on firewall unit for the following port numbers in order to allow SpeedFusion traffic passing across the firewall.
SpeedFusion uses TCP port 32015 and UDP port 4500 for establishing the connections by default.

Note on Data Port:
This is the outgoing UDP port number for transporting VPN data.

By default, UDP port 4500 will be used. Port 32015 will be used if the remote unit uses Firmware prior to version 5.4 or if port 4500 is unavailable.

You can use a custom port number if the [Custom] option is selected, an outgoing port number range from 1 to 65535.

Also, if you have configured and active [IPsec VPN] or [L2TP with IPsec] profile on the Peplink router, then UDP port 4500 will be occupied and SpeedFusion will use next available port (UDP 32015).

When using multiple tunnels between 2 locations (when using Outbound policies within a PepVPN or SpeedFusion tunnel ) multiple ports are in use (1 for each-subprofile).
The UDP data ports used when using are:
4500, 4501, 4502, etcetera or (when port 4500 is in use by IPSEC or L2TP) 32015, 32016, 32017, etcetera.


Customer wants to put Balance on a private NATted address behind a firewall. The WAN IP applied to the Balance 380 will be on the network that the remote Peplink device (HD2) will need to communicate with.

Standard config:
Balance 380 WAN – Public IP
Balance 380 LAN – Private IP on LAN advertised across PepVPN

Customer request:
Balance 380 WAN – Private IP on LAN that needs to be advertised across PepVPN
Balance 380 LAN – no connection

Is this possible?

Yes this is fine. You’ll just need to make sure the OSPF settings on the B380 are configured to advertise the WAN as well/instead of the LAN.


Perfect - thanks Martin. I saw those settings on the OSPF section, just wanted to verify before greenlighting the architecture.

1 Like

Thanks for this article. The PepVPN data port selection sounds clear.
Use UDP4500 if there is one PepVPN.
If UDP4500 cannot connect, use TCP32015.

We have a firewall between to Peplinks with only UDP4500 allowed between them.

If UDP4500 is the data channel, what ports/protocols are used for the initial setup of the PepVPN?

When performing a capture we do not see any UDP packets at all from our Peplink to the IP addresses specified in the PepVPN profile. Am I correct that there are other ports/protocols than UDP4500 used at the “Starting…” phase ?


Hi Dana, TCP 32015 is used as the ‘handshake’ and is needed to establish the tunnel. Data payload is using UDP 4500 by default. Thanks

1 Like

Dear All,

I need some help regarding placing the peplink 380 behind a firewall and essentially using the peplink only as a vpn concentrator.

The proposed setup looks like:

My problem is that even though the peplink vpn is effectively established (green box) between the two peplinks, when I perform a windows tracert to it seems that for some reason the traffic path is being routed through the LAN port and never works; this port does not have anything plugged into it.

Our firewall if performing the NAT.

I have enabled OSPF on WAN 1 in peplink 380.

Could someone please point/guide me to the right direction?

Thank you,

WAN and LAN have the same subnet. LAN always wins. Change the LAN IP range on the Balance 380 from to and it will work.


Hi Martin,

Thank you for your reply. From 10.20.30.x I am now able to ping and access shares on a server on 192.168.1.x; however I cannot ping back the same IPs, that is, from the same server on the 192.168.1.x I cannot ping 10.20.30.x. I have made sure the routing table is correct. On the server I have also created a windows static route 10.20.30.x mask; tracert 10.20.30.x also shows me that the next hop is and stop there.

Perhaps some other setting which I am missing?

Thank you

Yes because the WAN on the B380 is set to NAT mode. You want it to be set to IP Forwarding with the 'Apply NAT on Remote PepVPN Peers" option unchecked.