SpeedFusion and PepVPN can operate in layer 2 mode, bridging both ends of a VPN to create a single Ethernet LAN. This allows you to extend your local network and easily run applications that are LAN-only or difficult to route, such as:
Zeroconf / Bonjour
AirPlay
AirPrint
Windows printer and file sharing network discovery
To use this feature, navigate to Network > Network Settings and select the interface you wish to bridge.
@Rene_Ovando as many as you like in theory. An L2 SpeedFusion/PepVPN tunnel acts as a transparent bridge so the number of VLANs passed over it should be immaterial.
I'm running firmware 7.0.2 on both my Balance 20 and BR1 Slim.
I have trouble finding the L2 SpeedFusion options under Network > Network Settings.
Am I looking at the wrong place?
Last night, I successfully deployed a Balance 20 in my customer's office.
My customer is a builder running his own building company in TownHall Sydney.
I offer him the VPN solution using the BR1 Slim to bridge to his office network. I was able to set up the L2 bridging over PepVPN. Exactly as you guys mentioned, the performance is a big issue when using L2 bridging, since all traffic from the BR1 (over 4G) seems to have tunnelled through to the office network. The broadband infrastructure in Australia in general is still pretty slow, especially the uplink speed of ADSL2, which is still widely used in our country. The uplink speed of my customer's broadband is only 0.5Mbps, and therefore the performance of the L2 VPN is pretty pathetic, but usable at least.
I was wondering if the AC mini firmware is capable of setting up VPN over L2? Cos I'm trying to help my customer to bridge the VPN connectivity from his home using the AC mini. Thanks for advice in advance.
I'm currently doing some tests with the L2 functionality and stumbled onto a problem. I want to forward a trunk of 4 VLANs to 2 remote Transit routers. I added VLAN 100 to my Balance 1350, bridged it to the PepVPN/SF profile, and everything works fine. Then I tried to add a 2nd VLAN (101) and bridge it to the same PepVPN profile and I get the error that this profile is already bridged to another VLAN…
From the tests I've done and the comment from Martin I conclude that you can actually send a trunk through the L2 VLAN, but only by using it as a dumb unmanaged switch (i.e. creating an access port with the PepVPN VLAN and then connecting the trunk to it on both sides). This seems a dirty method because I already have the VLANs accessible through the regular LAN trunk connected to the Balance…
Is this the right conclusion or am I overlooking something (I checked all the question marks for clues ;-))?
I also have a suggestion/feature request for the L2 VPN: is there a possibility to implement IGMPv3 on it?
As a broadcaster we use multicast video quite often and now it's dangerous to use as the stream is sent to all VPN clients.
Hello, I'm new to the Peplink environment and I'm having trouble setting up a site-to-site VPN using SpeedFusion. I have established the link but I would like the IP range from the base site to be reflected to the remote site. I also want the port forwarding rules that I have set in the base site to be reflected in the remote site. I followed the explanation on setting the Layer 2 protocols but this broke the base router and I had to remove it before the base network was restored.
Probably best if you start a new thread on here and post a sketch of what you want to do, then screenshots of your config, and then we can help work out what's going on.
Hello Martin. I had another go at setting up this site-to-site Layer 2 VPN using SpeedFusion. This time I used InControl as I thought it would be easier. Setting up the VPN was easy but from the remote end the outbound traffic didn't travel down the VPN; it went straight out the WAN connection. The Send all Traffic option could be activated. I was able to ping devices from the remote site to the base site so NAT was working but the IP range from the base site still wasn't being reflected to the remote site. I do have another question that relates to port forwarding. I have a server that has an IP that is bound to the MAC address of the server, and this server requires certain ports to be open. I have set rules in the base router for these and they work as designed. If the server is moved to the remote site, will the IP be the same and will the ports be redirected across the VPN to the remote site?
Hello Steve (@Steve2107),
Thanks for reaching out to us locally here in Australia.
We have been in touch with Chris and look forward to assisting you locally to get the most out of your SpeedFusion options.
Happy to Help,
Marcus
I get the same problem as Derek on Jan 20, 2018. When I try to supply the PepVPN profile to a 2nd VLAN for L2 treatment, I get the complaint:
"profile_x_y_z" is already binded to another LAN profile
I did not expect this. The traffic to be sent over the PepVPN L2 bridge already arrived at the router over a trunk, with a tag ready to go … the bridge just needs to see it and go "hey, that frame is tagged with one of the VLANs that's wanted over the bridge" and queue it for delivery across the PepVPN profile(s) that want to see it.
Assuming Derek is correct (I have yet to prove the configuration) …
I realise that, in some situations, if we are asking the router (or in my case, Device Connector) to behave "just like a Layer 2 bridge", then it is bothersome to require the user to configure the router to "know about" all the VLANs … if we're not going to route them, why "give the router a footprint in the network segment" by giving it an IP address?
From that point of view, it is certainly "easier" to take a blind eye to what goes over a physical port that's part of the bridge, and just shovel the packets across without inspecting them.
But that isn't really enough. I'm with Derek who feels this is a "dirty method". There are at least 2 drawbacks:
what if we want the "management VLAN" … in which the router should have an IP address, and therefore an entry in Networks > LAN … to go over the bridge? Now the LAN side of the device has to use a port for a "regular trunk" and a port for a "blind trunk" … each of which carry the same VLAN
what if we actually want to apply some policy about which VLANs are allowed over the L2 bridge? By forcing the LAN port to "access", we lost this ability.
it's also annoying that a switchport marked as "access" is actually behaving like a trunk and not stripping VLAN tags?
It just feels klunky. This isn't how other routers that embed switches deal with the situation.
Other routers deal with this bridging situation by letting us define the network segment according to its VLAN, but make it optional whether the router needs an IP address in it.