HD4 detail for the


(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)


To clarify. CISCO at head office acting as internet breakout for the remote site. Temp requirement for a HD4 at remote site until fiber is in, will then be replaced with a B580. Requirement for a Layer 2 VPN between Head office and remote site to bridge existing Data and VoIP vlans to remote site? Is the primary role of the B580 at the head office just VPN or do you need it to do multi-wan work there too?


OK that makes things easier actually. So one way to do this would be to:

  1. Port forward speedfusion ports from CISCO to B580 at head office (so the WAN of the 580 is effectively in a new DMZ/VLAN) so the remote HD4 can build a tunnel.
  2. Create L2 VPN between the B580 and the HD4. plug the LAN of the B580 into a trunk port on the CISCO (or an attached switch) so that all VLANs are passed to the HD4.
  3. Optionally - Plug a managed switch into the HD4 and breakout the VLANs to access ports if needed.

The other approach is to replicate the VLANs on the B580 and HD4 to match those on the CISCO and then create multiple Layer 2 VLANs between the HD4 and B580 (one for each VLAN). Which then lets you break out the VLANs to specific access ports on the HD4 if required - but means more bandwidth overhead in the multiple L2 VPNs.


I would use different ports for speedfusion data (so change from 4500 to 4501 or something) and forward those.

For VLANs over L2 there are two fundamental approaches:

  1. use a single layer 2 vpn as a transparent bridge point to point so the lan ports on the B580 are virtually bridged to the LAN ports on the HD4. In which case if you plug a B580 lan port into a trunk switch port at the head office that has tagged vlan traffic on it then that tagged vlan traffic will squirt out the LAN ports on the HD4. You could then attach a managed switch to the LAN ports of the HD4 and present the VLANs as access ports if you need to.

The issue with that configuration is a lack of control. A single L2 bridge like that will disable other routing functions on the HD4 (since it is acting as a L2 switch) and the HD4 can not inspect the vlan traffic passing over the bridge so you can’t assign lan ports as access ports and break out the individual VLANs presented at head office on to specific ports on the remote HD4 (although you can assign just specific ports to be used for the overall L2 bridge).

  1. The second approach is to replicate the VLAN configuration on both the B580 and HD4. So create local VLANs on each device (one for data one for voip etc) and create multiple L2 vpn’s between the respective VLANs on each peplink device.

That way since the HD4 is aware of the configured VLANs you can then break those out to individual LAN ports (as access ports) as needed.

The benefit of 1 is that if they add new VLANs at head office on their CISCO those VLANs will be available at the remote site immediately.

The benefit of 2 is that you have full control as to what VLANs are presented to the HD4.


Yes that’s right. Easier that way - less config.

As for split tunnelling - the answer is yes you can load balance internet access direct out via the cellular connections and only use speedfusion VPN for site to site traffic.

What I’m not sure about is do you want to extend the existing VLANs (data and VoIP) from the head office location to the HD4 location (ie Layer 2 bridging so same subnet in both locations with the VPN acting as a transparent bridge / virtual Ethernet cable) or do you want to have separate routed subnets at the HD4 that can route back to the head office location (so layer 3 routed VPN with different address ranges at both locations) or do you want a combination of the two where the VoIP VLAN is bridged between the locations but site to site data is over routed Layer 3 and internet access is direct out to the internet?


OK. Yes you can use a BR1 ENT or HD2 at the head office for a basic L2 site to site VPN.
This is how it would look if you create a L2 VPN between the default untagged LAN on both devices.
Since devices connected to the Data and VoiP VLANs will be encapsulated in the L2 tunnel they can not break out locally. All internet traffic from the remote site will go over the L2 tunnel and out via the CISCO at the head office.

Another approach would be to extend just a single VLAN from the head office over a L2 connection and then have a L3 VPN for site to site traffic.

In that configuration local data traffic on the HD4 (on the subnet) would be able to break out to the internet over the cellular WANs on the HD4, and those devices would also be able to route to the data network at head office on the CISCO (you would need a device with 2 x WAN ports at the head office).

That would look like this:


No need to do this. When you configure the L2 tunnel between the untagged LANs on the two devices it acts like a virtual Ethernet cable is linking the LAN ports between the devices, no additional configuration is needed,

Apart from the usual WAN configuration requirement, and setting up the L2 SF profiles you don’t need to do anything else to the Peplink devices.


Hi Martin,

Sorry to barge-in in this thread, I just have a very similar requirement that I need to implement where tagged traffics of vlans be made available over l2 speedfusion in the branch office. On your approach 1, you mentioned that if lan port of B580 is plugged in a trunk port in a switch with tagged traffic, those tagged vlans will be made available to HD4 as well? Do I need to plugged HD4 lan port to a trunk port on a switch as well?

rough scenarion

Main office: switch trunk port (tagged vlan 88-92) --> lan port B580 hw1 firmware 6.3.4 ======l2 speedfusion===== Branch office: B380 hw5 firmware 6.3.4 lan port <---- switch port “???”


Only if you need VLAN access ports at the other location rather than just the extended trunk.

If you do need access ports, then a managed switch that can present your trunked VLANS is needed (in approach 1 above).


Thank you, Martin! Everything works for me now. Just for the benefit of anyone that might have the same requirement as mine, here are the given:

We have a zonedirector deployed in the main office where 4 different SSIDs are configured under 4 different VLANs (87-90) and I need them to be made available in the remote office as well.

Config before: Main office (Firewall --> tagged vlan92 —> ethX tagged port switch | ethY untagged vlan 92 —> default untagged lan peplink 380) <====L3 SpeedFusion VPN====> Remote office (lan peplink 380 —> L2 managed switch default vlan)

Config AFTER: Main office (Firewall --> tagged vlan92, 87-90 —> ethX tagged port switch | ethY untagged vlan 92, tagged vlan 87-90 —> default untagged lan peplink 380) <====L2 SpeedFusion VPN====> Remote office (lan peplink 380 —> L2 managed switch port default vlan 1, tagged vlan 87-90)

In summary, with our existing (after) setup right now, all workgroup LAN traffic from remote office flows through untagged vlan 92 in the main office. And when they connect to wifi, all their traffic falls through their respective tagged traffic.


First thing to check is that DHCP is definitely disabled since if they are getting a 192.168.50.x address it would suggest that it isn’t at the HD4 end. Maybe re enable DHCP on the hd4 save and apply then disable it again to make sure.


Nope that section is just about how the device gets an IP address (so you can manage it).

With a laptop connected that has got a DHCP IP address, what DHCP server is listed when they run an Ipconfig / all ?


you want the BR1 to have an IP address on the same Layer 2 segment so that you can access it - which I assume is the address you have set.

On the HD4 you can either:

  • Do not override : So it stays as the configured address (making it only accessible by plugging in a device and manually setting the IP of the device to an address in that subnet also.)

  • Static - set the address to something you define - so in the range for example so that when you plug in a device and it gets a DHCP IP address from the upstream DHCP server in that same range you can access the HD4 web ui.

  • By DHCP - the HD4 will pick up an IP address from the same DHCP server the clients use over the L2 VPN.

  • None - when the L2 VPN is up the HD4 web ui will not be accessible


If the BR1 is dishing out IP addressing and DHCP is disabled then its time to log a ticket with Peplink Engineering to take a look.