Configuring SpeedFusion behind a firewall


If Balance/MAX unit is placed behind a firewall, you would need to define the firewall rules and inbound port forwarding policy on firewall unit for the following port numbers in order to allow SpeedFusion traffic passing across the firewall.
SpeedFusion uses TCP port 32015 and UDP port 4500 for establishing the connections by default.

Note on Data Port:
This is the outgoing UDP port number for transporting VPN data.

By default, UDP port 4500 will be used. Port 32015 will be used if the remote unit uses Firmware prior to version 5.4 or if port 4500 is unavailable.

You can use a custom port number if the [Custom] option is selected, an outgoing port number range from 1 to 65535.

Also, if you have configured and active [IPsec VPN] or [L2TP with IPsec] profile on the Peplink router, then UDP port 4500 will be occupied and SpeedFusion will use next available port (UDP 32015).

When using multiple tunnels between 2 locations (when using Outbound policies within a PepVPN or SpeedFusion tunnel) multiple ports are in use (1 for each-subprofile).
The UDP data ports used when using are:
4500, 4501, 4502, etcetera or (when port 4500 is in use by IPSEC or L2TP) 32015, 32016, 32017, etcetera.

Balance 210 behind an ASA firewall - Speedfusion ports?
SpeedFusion: Unable to establish a VPN connection
[Resolved] SpeedFusion Problem
PepVPN/SpeedFusion Configuration clarification
Balance 380 ports
Fusionhub hyper-v
Multiple WAN Link with MPLS Link
Balance one L2TP port mapping ports?
Balance 380 ports
Outbound policies within a PepVPN or SpeedFusion tunnel
Peplink Balance VPN
Design config firewall and peplink
Balance one site-to-site to Balance 710
HD4 bonded VPN behind fortigate
Layer 2 Bridge w/Balance 380 + MAX HD2
Layer 2 Bridge w/Balance 380 + MAX HD2
Pepvpn tunnel goes from "Starting" to "Create tunnel" the back to starting

Customer wants to put Balance on a private NATted address behind a firewall. The WAN IP applied to the Balance 380 will be on the network that the remote Peplink device (HD2) will need to communicate with.

Standard config:
Balance 380 WAN – Public IP
Balance 380 LAN – Private IP on LAN advertised across PepVPN

Customer request:
Balance 380 WAN – Private IP on LAN that needs to be advertised across PepVPN
Balance 380 LAN – no connection

Is this possible?


Yes this is fine. You’ll just need to make sure the OSPF settings on the B380 are configured to advertise the WAN as well/instead of the LAN.


Perfect - thanks Martin. I saw those settings on the OSPF section, just wanted to verify before greenlighting the architecture.