How do I configure Balance 20 to route specific SSID to VPN?

I have a Balance 20 (8.1.0s083 build 4956) that manages 4 APs and I’m trying to figure out how to make it route a specific SSID to the VPN connection.

I have the SSID configured on VLAN 2 with its own subnet (192.168.52.1/24) and I have the “Outbound Policy” configured to send that subnet to the VPN.

However, when I connect to the SSID (on my iPhone), I get a “no internet available” error. I have DHCP configured on VLAN 2 to assign addresses in the 192.168.51.1/24 range, but nothing is assigned.

I can make the VPN routing work for SSID connections on the untagged LAN (192.168.51.1/24), but I cannot get it to work with VLAN SSIDs.

What is the secret to making this work?

You sound like you have done it right to me. Outbound policy is the way to do this. Sounds like a DNS issue. Can you ping 8.8.8.8 from a device on the 192.168.52.0/24 subnet with the outbound policy rule in place?

No, I cannot ping 8.8.8.8 from the 192.168.52.0/24 subnet.

Are you using default firewall rules (any to any)? Could the issue be there? I assume the devices connected via wifi are getting DNS servers and the correct gateway from the Balance 20?

Using default Firewall Rules, nothing has been changed there. All are “Any to Any”.

Paste some screenshots here of the outbound policy config and the VLAN config and we can do a sanity check. Or give me remote access and I’ll take a look.

If a wifi client gets the right default gateway set, and has DNS set then I don’t see why they wouldn’t be able to access the internet over a specific WAN. What sort of connection is it? Anything weird?

Nothing unusual. Have been using Peplink routers for 10 years and have been able to get this to work on a Balance One in the past.

I turned on Remote Assistance. What do you need to access?

That looks fine. What does your outbound policy look like?

see 2nd msg

OK, so let’s prove out the VPN bit. Log in to your FusionHub, go to System > Tools | Ping and ping the 192.168.52.1 address. Does it work? If so, ping a device on that VLAN segment. Does that work?

Yes, it works from that direction. I can ping 192.168.52.1 from my FusionHub.

OK, great, so routing is working between the FH and the Balance 20. If you used remote web admin to access the FusionHub then we can assume it has internet access too.

So go to a client that is connected via wifi and get a full IP network settings dump (ipconfig /all). Does that look right?

When I connect to the “AZ VPN” (192.168.52.1/24), the DHCP is not giving me an address in that range. It is giving an address of 192.168.52.100, which is the reserved address in the untagged LAN.

Do I need to set up separate DHCP reservations for VLAN 2?

Your untagged default LAN needs to be different and completely separate to the VLAN IP range. Is it? I assume default is 192.168.50.1/24 and the VLAN is as above 192.168.52.1/24?

Have you set the SSID to use VLAN 2? If the device is getting an IP from the untagged VLAN then it’s not connecting into the ‘right’ VLAN.

None of the LAN segments overlap. I’m using 192.168.51.0/24 for the main untagged LAN and 192.168.51.0/24 for VLAN 2.

I tried setting a specific DHCP reservation on VLAN 2 and renewed my lease, but it still gives me the 192.168.51.100 IP in the untagged segment.

OK. Is this a locally created SSID or one pushed by IC2?

If local, do a sanity check on the SSID profile settings that the VLAN is set right because it sounds like it isn’t.

If IC2, do the same thing.

This is a local SSID. It’s an old Balance 20 that is out of warranty, so I’m not using IC2.

And when you look at that SSID profile the right VLAN is selected, yes? E.g. mine here has 4 VLANs…