How to bypass PEPVPN

I have a remote site that requires a layer 2 tunnel to the main office, but we have other people on the shared LAN that we do not want to have access to the tunnel to the main office. Is this possible? Does PepVPN route all traffic, or can some local traffic access the internet through a load-balanced connection, bypassing the PepVPN?


Network → Firewall → Access Rules → Internal Network Firewall rules. You can add hosts there you don’t want to access the PepVPN subnets on the other end of the tunnel. That will keep them from accessing anything in the main office. You can define the hosts individually or by subnet. So you can be selective on what hosts you don’t want to access the office over the tunnel or you can just outright block the entire subnet those hosts are located on from accessing the tunnel.

If it’s related to internet traffic, then:
On Outbound Policies, enable expert mode under the ? icon.
Then set an outbound policy at the top with a source IP of the address that you want, and make it an enforced policy to the desired WAN.
If it’s related to internal LAN-to-LAN traffic, then do as @Biggen suggested.

No, you can’t stop them from sending their traffic over the tunnel, as the Peplink routers at either end don’t ‘see’ traffic inside of the encapsulated tunnel until they need to route it (from VLAN to VLAN or LAN to WAN). However, if you want to block internet access at the main site, then you can:

  1. Set up firewall rules on the WAN that block specific source IPs / MACs of the devices at the remote site (or that allow the IPs/MACs at the main site)
  2. Create a captive portal that all internet traffic passes through and whitelist all MAC addresses at the main site.

If the remote site is ‘trusted’, i.e. you’re not dealing with a room full of hackers who will try and get internet access over the tunnel no matter what, then an approach would be to set the default gateway to the IP of the remote Peplink rather than the IP of the Peplink in the main office. If you are using DHCP, in theory you could enable DHCP on both Peplinks and set the remote one to use the local IP as the gateway. This should work because the local DHCP server will respond faster than the more distant one at the other end of the tunnel, although I have never tested it.

@MartinLangmaid brings up a great point; I forgot that layer 2 doesn’t go through the firewall.
For the people that you don’t want to have access to the main office but who are on the same shared LAN, can you put those people on their own VLAN, either physically or via a separate Wi-Fi SSID? Once you isolate them on a different IP range, then you could easily block them with firewall rules.
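To make the suggested end state concrete (untrusted hosts isolated on their own VLAN, then blocked from the office subnet by internal firewall rules while their internet traffic still flows), here is a small first-match rule evaluator. It is an added example written for this thread, not Peplink firmware or any Peplink API; the VLAN and office addresses, the rule format, and the default-allow behaviour are all assumptions.

```python
"""Constructed model of top-down, first-match internal network firewall rules.
Not Peplink's code; addresses and the rule format are assumptions."""
from ipaddress import ip_address, ip_network

# Assumed addressing: a trusted remote-site VLAN, a separate guest VLAN for the
# hosts that must not reach the office, and the main-office subnet behind PepVPN.
TRUSTED_VLAN = ip_network("192.168.10.0/24")
GUEST_VLAN = ip_network("192.168.20.0/24")
OFFICE_SUBNET = ip_network("10.0.0.0/24")

# Rules are checked in order and the first match wins. Sources can be a whole
# subnet or a single host (/32), matching the two options described above.
RULES = [
    {"src": str(GUEST_VLAN), "dst": str(OFFICE_SUBNET), "action": "deny"},
    {"src": "192.168.10.50/32", "dst": str(OFFICE_SUBNET), "action": "deny"},
]
DEFAULT_ACTION = "allow"  # assumption: unmatched traffic is permitted


def evaluate(rules, src_ip, dst_ip, default=DEFAULT_ACTION):
    """Return the action of the first rule matching src -> dst, else the default."""
    src = ip_address(src_ip)
    dst = ip_address(dst_ip)
    for rule in rules:
        if src in ip_network(rule["src"]) and dst in ip_network(rule["dst"]):
            return rule["action"]
    return default


def check_policy(rules):
    """Spot-check the flows the thread cares about (sample addresses are constructed)."""
    return {
        "guest_to_office": evaluate(rules, "192.168.20.7", "10.0.0.5"),
        "guest_to_internet": evaluate(rules, "192.168.20.7", "203.0.113.10"),
        "trusted_to_office": evaluate(rules, "192.168.10.20", "10.0.0.5"),
        "blocked_host_to_office": evaluate(rules, "192.168.10.50", "10.0.0.5"),
    }


if __name__ == "__main__":
    for flow, action in check_policy(RULES).items():
        print(f"{flow}: {action}")
```

Running it shows the guest VLAN and the single blocked host denied to the office subnet while guest internet traffic and the rest of the trusted VLAN are allowed; a rule placed below a broader allow would never match, which is why the deny rules sit at the top.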