Drop-In-Mode w/ a local LAN

I have a very interesting use case which I think should work, but in testing I am getting some odd results. What I want to do is use Drop-in mode to give a customer use of their existing firewall while segmenting off VoIP traffic to go directly to a Peplink. I am testing with a MAX BR1 Mini as it's what I have available with drop-in mode, but would probably use a different device for production. What I keep running into is that the Voice VLAN has no internet access while the DROP-IN WAN is active. If I unplug the WAN and do cellular failover, then traffic out of the ‘local’ voice VLAN works. The post at Drop-In-Mode suggests that I should be able to use WAN1 from ‘local’ networks even if it's in drop-in mode. I am curious if the issue could be related to using VLANs instead of a different physical port, but I don’t want to purchase another device on a hunch.

Welcome to the Peplink forum community! Drop-in mode was first introduced with Peplink Balance routers, typically using multiple WAN interfaces. The VLAN feature (with a drop-in mode configuration) was added for increased functionality.

The BR1 can also be configured for a drop-in mode deployment now. There is a current limitation, however, as the VLAN does not get a NAT when going out the drop-in mode WAN.

Engineering is working on solving this for future firmware releases.

Is the limitation specific to the BR1 or do all Peplink routers have this limitation? If it's just the BR series I will be happy to get a different version for testing, but I did not want to do that without confirming that what I want to do is possible.

This is with all devices. Please note however, it is still possible for VLAN networks to go out the other WANs. Stay tuned as there will be beta firmware to test with here.

Thank you for that. If we used a separate physical port that was untagged would it still apply since VLAN tagging isn’t in effect or would it still be affected by the limitation?

The issue is not because of VLAN tagging, but instead the private (VLAN) network does not get a NAT if it goes out the drop-in mode WAN. This is needed for routing to the public IPs on the internet.

Following up on this one. I do see the option on the Balance 20x for NAT on VLAN traffic under the drop in LAN settings. Is there an updated Drop IN document on how to set this up? Does the WAN and LAN used for drop in need to be the same IP address? Can we still use access rules and port forwarding on the unit?

Support for VLAN clients' ability to route traffic over the Drop-in mode WAN was added in 8.1.0 firmware, referenced 18403 in the release notes.

Drop-in mode is explained and configuration steps are in the user manual here.

Thanks Ron. So I don’t have to dig for this answer… Do port forwarding rules still work to redirect traffic to the appropriate VLAN?

Port forwarding rules for VLANs with a drop-in mode deployment can only be used with secondary WANs. VLAN networks do get a NAT for outbound traffic using the drop-in mode WAN with the option enabled, but the Balance functions as a bridge for inbound traffic on the drop-in mode WAN.

Thanks. So the only way to get to the VLAN would be on the secondary WAN if it’s always up? This wouldn’t be ideal for a cellular backup. Has anyone else configured a workaround for this?

NAT mode can be used if inbound routing to internal VLANs with port forwarding on the primary WAN is required. The Balance functions more like a bridge with drop-in mode configured for the WAN.

We would like to install the Peplink Balance 20x in front of an existing firewall using drop in mode and also utilize a voice VLAN connected to one of the LAN ports of the 20x. We sometimes don’t manage the data VLAN and only manage the voice network. We would like to offer the option of an LTE backup to the data firewall along with some functionality for our voice VLAN on the Peplink. We would need access to the voice VLAN remotely to manage the phones. Is it not possible? Would we have to purchase 2 Peplink routers?

If you are using DIM and you need to be able to access devices behind it, just set up the port forwards as normal on the router downstream.

If it’s on a separate VLAN then add an interface on that downstream router or a static route so that it knows how to reach it.

This is for phone devices that are directly behind the Peplink on another LAN port. I’m assuming you’re referring to devices connected behind the DIM firewall and not the Peplink? Could I accomplish this by using a Balance 30 Pro? WAN 1 for DIM to existing firewall. WAN 2 using the same ISP but another IP in the range and then LTE on WAN 3. Port forward rules will use WAN 2? Let me know if anyone has set it up like this.

You can do this, but you need to do a WAN side switch in front of the Peplink unless you have multiple ports from the ISP modem.
What you propose makes sense: DIM IP in front of existing firewall, just using one IP, additional IPs on WAN2. Set up port forwards for WAN2 as normal.

What devices are you needing to port forward?

Just one device for the port forwarding rules. I will give the 30 Pro a shot. My only concern would be the firewall in DIM if the ISP in WAN 1 fails. I’m assuming it’ll go out LTE because WAN 2 will fail at the same time.

Yes, it would go out the LTE.
You can change what it would do using Outbound Policies (OBP).