How to Configure Layer 2 SpeedFusion VPN

SpeedFusion and PepVPN can operate in layer 2 mode, bridging both ends of a VPN to create a single Ethernet LAN. This allows you to extend your local network and easily run applications that are LAN-only or difficult to route, such as:

  • Zeroconf / Bonjour
  • AirPlay
  • AirPrint
  • Windows printer and file sharing network discovery

To use this feature, navigate to Network > Network Settings and select the interface you wish to bridge

Under Network Settings, click the Question mark button to define layer-2 bridging

Click the drop-down menu, and a list of your PepVPN profiles will appear. Select the profile you wish to bridge to

Press the Save button on the bottom, and then the Apply Changes button on the top right hand corner to implement your changes.


Hi, does anyone know how many vlan can be passed through 1 tunel speed fusion?


@Rene_Ovando as many as you like in theory. A L2 Speedfusion/PepVPN tunnel acts as a transparent bridge so the number of VLANs passed over it should be immaterial.


I’m running firmware 7.0.2 on both my balance 20 and BR1 slim.
I have trouble finding the L2 SpeedFusion options under Network > Network Settings.
Am I looking at the wrong place?


Oops, just found the option. It is hidden under the ‘?’ help icon for multi VLAN config.


Hi Peplink team,

Last night, I have successfully deployed a Balance 20 in my customer’s office.
My customer is a builder running his own building company in TownHall Sydney.

I offer him the VPN solution using the BR1 Slim to bridge to his office network. I was able to setup the L2 bridging over PepVPN. Exactly as you guys mentioned, the performance is a big issue when using L2 bridging, since all traffic from the BR1 (over 4G) seems to have tunnelled through to the office network. The broadband infrastructure in Australia in general is still pretty slow especially the uplink speed of ADSL2 which is still widely used our country. The uplink speed of my customer’s broadband is only 0.5Mbps, and therefore the performance of the L2 VPN is pretty pathetic, but usable at least.

I was wondering if the AC mini firmware is capable of setting up VPN over L2? Cos I’m trying to help my customer to bridge the VPN connectivity from his home using the AC mini. Thanks for advice in advance.




I’m currently doing some tests with the L2 functionallity and stumbled onto a problem. I want to forward a trunk of 4 VLAN’s to 2 remote Transit routers. I added VLAN 100 to my balance 1350 bridged it to the pepvpn/sf profile, everything works fine and then I tried to add a 2nd VLAN (101) and bridge it to same pepvpn profile and I get the error that this profile is already bridged to another vlan…

From the tests I’ve done and the comment from Martin I conclude that you can actually send a trunk trough the
L2 VLAN, but only by using it as a dumb unmanaged switch (i.e. creating an access port with the pepvpn vlan and then connect the trunk to it on both sides). This seems a dirty method because I already have the vlan’s accessible trough the regular LAN trunk connected to the balance…
Is this the right conclusion or am I overlooking something (I checked all the question marks for clues ;-))?

I also have a suggestion/feature request for the L2 VPN, is there a possibility to implement IGMPv3 on it?
As a broadcaster we use multicast video quite often and now it’s dangerous to use as the stream is send
to all VPN clients.

Best Regards,



A post was split to a new topic: WAN Jumbo Frame

Hello, I’m new the Peplink environment and I’m having trouble setting a Site to Site VPN using SpeedFusion. I have established the link but I would like the IP range from the base site to be reflected to the remote site. I also want the port forwarding rules that I have set in the base site to be reflected in the remote site. I followed the explanation on setting the Layer 2 protocols but this broke the base router and I have to remove it before the base network was restored.


Hi Steve, welcome to the forum!

Probably best if you start a new thread on here and post a sketch of what you want to do then screenshots of your config and then we can help work out whats going on.


Thanks Martin,
I’m going to have another crack at setting this using the Incontrol interface.


Hello Martin. I had another go in setting this site to site layer2 VPN using Speedfusion. This time I used incontrol as I thought it would be easier. Setting up the VPN was easy but from the remote end the outbound traffic didn’t travel down the VPN it went straight out the WAN connection. The Send all Traffic option could be activated. I was able to ping devices from the remote site to the base site so NAT was working but the IP range from the base site still wasn’t be reflected to the remote site. I do have another question that relates to port forwarding. If I have a server that Has a IP that it bound to the MAC address of the server and this servers requires certain ports to be open. I have set rules in the base router for these and they work as designed. If the server is moved to the remote site, will the IP be the same and will the ports be redirected across the VPN to the remote site.


Hello Steve (@Steve2107),
Thanks for reaching out to us locally here in Australia.
We have been in touch with Chris and look forward to assisting you locally to get the most out of your SpeedFusion options.
Happy to Help,
Marcus :slight_smile:


I get the same problem as Derek on Jan 20, 2018. When I try to supply the PepVPN profile to a 2nd VLAN for L2 treatment, I get the complaint:

“profile_x_y_z” is already binded to another LAN profile

I did not expect this. The traffic to be sent over the PepVPN L2 bridge already arrived to the router over a trunk, with a tag ready to go … the bridge just needs to see it and go 'hey, that frame is tagged with one of the VLANs that’s wanted over the bridge" and queue it for delivery across the PepVPN profile(s) that want to see it.


Assuming Derek is correct (I have yet to prove the configuration) …

I realise that, in some situations, if we are asking the router (or in my case, Device Connector) to behave ‘just like a Layer 2 bridge’, then it is bothersome to require the user to configure the router to ‘know about’ all the VLANs … if we’re not going to route them, why ‘give the router a footprint in the network segment’ by giving it an IP address?

From that point of view, it is certainly ‘easier’ to take a blind eye to what goes over a physical port that’s part of the bridge, and just shovel the packets across without inspecting them.

But that isn’t really enough. I’m with Derek who feels this is a ‘dirty method’. There are at least 2 drawbacks:

  • what if we want the ‘management VLAN’ … in which the router should have an IP address, and therefore an entry in Networks > LAN … to go over the bridge? Now the LAN-side of the device has to use a port for a ‘regular trunk’ and a port for a ‘blind trunk’ … each of which carry the same VLAN :frowning:

  • what if we actually want to apply some policy about which VLANs are allowed over the L2 Bridge? By forcing the LAN port to ‘access’, we lost this ability. :frowning:

  • it’s also annoying that a switchport marked as ‘access’ is actually behaving like a trunk and not stripping VLAN tags? :open_mouth:

It just feels klunky. This isn’t how other routers that embed switches deal with the situation.


Other routers deal with this bridging situation by letting us define the network segment according to its VLAN, but makes it optional whether the router needs an IP address in it.


Hi Alan,

Do we need these configuration to all peplink device or only in the master (HQ site)


M. Irfan

1 Like