Fusionhub : Route PepVPN traffic to LAN


I use fusionhub in lan/wan mode, with a fortigate to route all traffic from balance 310X of each site to internet.

All is ok, each balance on remote site can access to internet through the fortinet by the pepvpn.

But lan site can ping each other through pepvpn when “Route pepvpn traffic to LAN” is tick on fusionhub (need it to forward pepvpn traffic to the forti and then to internet)

If I untick it (no more internet → normal), and then each site can ping each other.

Any idea ? Missing route somewhere ? Bad ospf configuration ?


For information, If I disable “Route pepvpn traffic to LAN” and put a static route (for example) to via (forti) on FH, it’s ok i can ping each remote site between them, and via forti.

Check your firewall logs on the Fortigate. When route all traffic via LAN is enabled all traffic - even peer to peer traffic, is sent via the LAN gateway.

If it doesn’t work when you have it turned on, the Fortigate is where the traffic is getting stopped. I often forget to add the peer to peer IP ranges as allowed in the 3rd party firewall (the fortigate in this case) when I’m setting this kind of config up.

1 Like

@MartinLangmaid Thanks for your reply.
There’s no way to keep peer to peer traffic routing in fusionhub and route all other to the fortigate gateway (internet) ?
I don’t want to overload the fortigate with peer to peer traffic.

No there is. Uncheck route pepvpn traffic to LAN.

Stick a static route in for on the FusionHub with the fortigate LAN as the next hop. That should keep Remote peer traffic on the fusionhub and send general internet traffic via the Fortigate.


Unfortunately it’s not working if a put a static route for to, but if i put for example to it works… Strange ?

@Andrey_Stryukov / @Lai Any idea to solve it ?

That’s a shame. I need to lab this up to investigate. Normally I use send traffic to LAN option.

When “Route PepVPN traffic to LAN” is enabled, all traffic from PepVPN (including inter-site) will route to LAN gateway. To enable inter-site routing, please add static route “PepVPN_remote_network via FusionHub” in the LAN gateway.

In your case, you need to add following static routes in LAN gateway: via via

This design is to provide a flexibility to pass all traffic (including inter-site) to a LAN firewall/packet sniffer, etc. and let the appliance to determine what to do next.

Hi Kenny,

Thanks for your reply, then there’s no way to let inter-site traffic in the fusionhub, and pass other to the appliance ?

This is not supported currenlty, we will add this to feature request.

1 Like

Ok, Thanks.

After reviewing this feature, we tend to not pass inter-site traffic to LAN if “Route PepVPN traffic to LAN” is enabled. This is same as Peplink Balance firmware’s behavior.

Can we have an option to ‘include inter-site traffic’ if this feature is changed as you describe?

Otherwise I will have a bunch of installs that will need a complete rebuild since I rely on all traffic coming from remote peers to pass through a firewall appliance on the LAN of the fusionhub for security and filtering purposes…

1 Like

Hi Martin, sure, that will be an option instead of behavior change.


Hi guys, when will this ‘include inter-site traffic’ be implemented?

Hi Kenny,

we also stuck with this problem. FH with 8.1.3 stucks at updating Routes when Route all traffic to LAN is enabled.
Looks like the same issue.
Do you have a timeline?

With an FW newer than 8.1.0 the option to route a /0 network is also missing. Is there a trick to get a /0 network routed to a firewall?


Lending some support to this request. We have a customer running into this exact issue and having all remote site to remote site route back through the firewall is not ideal and going to require additional management on the firewall as well as require the firewall to process more traffic than is needed or desired. This would be a great feature to add to the FusionHub platform!

I don’t see this after Route all traffic to LAN is enabled. May be you can open a ticket for us to check?

You can create 2 static routes - and These are equivalent to the default route.

This can be done without enabling “Route PepVPN traffic to LAN”. If internet traffic needs to go through the firewall, you may configure and in Static Route.

1 Like