How to Configure Layer 2 SpeedFusion VPN

Knowledgebase Tips and Tricks
1

SpeedFusion and PepVPN can operate in layer 2 mode, bridging both ends of a VPN to create a single Ethernet LAN. This allows you to extend your local network and easily run applications that are LAN-only or difficult to route, such as:

  • Zeroconf / Bonjour
  • AirPlay
  • AirPrint
  • Windows printer and file sharing network discovery

To use this feature, navigate to Network > Network Settings and select the interface you wish to bridge

1016Ɨ196 25.3 KB

Under Network Settings, click the Question mark button to define layer-2 bridging

999Ɨ129 15.4 KB

Click the drop-down menu, and a list of your PepVPN profiles will appear. Select the profile you wish to bridge to

812Ɨ187 19.9 KB

Press the Save button on the bottom, and then the Apply Changes button on the top right hand corner to implement your changes.

3 Likes
2

Hi, does anyone know how many vlan can be passed through 1 tunel speed fusion?

2 Likes
3

@Rene_Ovando as many as you like in theory. A L2 Speedfusion/PepVPN tunnel acts as a transparent bridge so the number of VLANs passed over it should be immaterial.

5 Likes
4

Iā€™m running firmware 7.0.2 on both my balance 20 and BR1 slim.
I have trouble finding the L2 SpeedFusion options under Network > Network Settings.
Am I looking at the wrong place?

2 Likes
5

Oops, just found the option. It is hidden under the ā€˜?ā€™ help icon for multi VLAN config.

4 Likes
6

Hi Peplink team,

Last night, I have successfully deployed a Balance 20 in my customerā€™s office.
My customer is a builder running his own building company in TownHall Sydney.

I offer him the VPN solution using the BR1 Slim to bridge to his office network. I was able to setup the L2 bridging over PepVPN. Exactly as you guys mentioned, the performance is a big issue when using L2 bridging, since all traffic from the BR1 (over 4G) seems to have tunnelled through to the office network. The broadband infrastructure in Australia in general is still pretty slow especially the uplink speed of ADSL2 which is still widely used our country. The uplink speed of my customerā€™s broadband is only 0.5Mbps, and therefore the performance of the L2 VPN is pretty pathetic, but usable at least.

I was wondering if the AC mini firmware is capable of setting up VPN over L2? Cos Iā€™m trying to help my customer to bridge the VPN connectivity from his home using the AC mini. Thanks for advice in advance.

regards,
Martin

2 Likes
7

Hello,

Iā€™m currently doing some tests with the L2 functionallity and stumbled onto a problem. I want to forward a trunk of 4 VLANā€™s to 2 remote Transit routers. I added VLAN 100 to my balance 1350 bridged it to the pepvpn/sf profile, everything works fine and then I tried to add a 2nd VLAN (101) and bridge it to same pepvpn profile and I get the error that this profile is already bridged to another vlanā€¦

From the tests Iā€™ve done and the comment from Martin I conclude that you can actually send a trunk trough the
L2 VLAN, but only by using it as a dumb unmanaged switch (i.e. creating an access port with the pepvpn vlan and then connect the trunk to it on both sides). This seems a dirty method because I already have the vlanā€™s accessible trough the regular LAN trunk connected to the balanceā€¦
Is this the right conclusion or am I overlooking something (I checked all the question marks for clues ;-))?

I also have a suggestion/feature request for the L2 VPN, is there a possibility to implement IGMPv3 on it?
As a broadcaster we use multicast video quite often and now itā€™s dangerous to use as the stream is send
to all VPN clients.

Best Regards,

Derek

2 Likes
8

A post was split to a new topic: WAN Jumbo Frame

9

Hello, Iā€™m new the Peplink environment and Iā€™m having trouble setting a Site to Site VPN using SpeedFusion. I have established the link but I would like the IP range from the base site to be reflected to the remote site. I also want the port forwarding rules that I have set in the base site to be reflected in the remote site. I followed the explanation on setting the Layer 2 protocols but this broke the base router and I have to remove it before the base network was restored.

3 Likes
10

Hi Steve, welcome to the forum!

Probably best if you start a new thread on here and post a sketch of what you want to do then screenshots of your config and then we can help work out whats going on.

3 Likes
11

Thanks Martin,
Iā€™m going to have another crack at setting this using the Incontrol interface.

2 Likes
12

Hello Martin. I had another go in setting this site to site layer2 VPN using Speedfusion. This time I used incontrol as I thought it would be easier. Setting up the VPN was easy but from the remote end the outbound traffic didnā€™t travel down the VPN it went straight out the WAN connection. The Send all Traffic option could be activated. I was able to ping devices from the remote site to the base site so NAT was working but the IP range from the base site still wasnā€™t be reflected to the remote site. I do have another question that relates to port forwarding. If I have a server that Has a IP that it bound to the MAC address of the server and this servers requires certain ports to be open. I have set rules in the base router for these and they work as designed. If the server is moved to the remote site, will the IP be the same and will the ports be redirected across the VPN to the remote site.

2 Likes
13

Hello Steve (@Steve2107),
Thanks for reaching out to us locally here in Australia.
We have been in touch with Chris and look forward to assisting you locally to get the most out of your SpeedFusion options.
Happy to Help,
Marcus :slight_smile:

2 Likes
14

I get the same problem as Derek on Jan 20, 2018. When I try to supply the PepVPN profile to a 2nd VLAN for L2 treatment, I get the complaint:

ā€œprofile_x_y_zā€ is already binded to another LAN profile

I did not expect this. The traffic to be sent over the PepVPN L2 bridge already arrived to the router over a trunk, with a tag ready to go ā€¦ the bridge just needs to see it and go 'hey, that frame is tagged with one of the VLANs thatā€™s wanted over the bridge" and queue it for delivery across the PepVPN profile(s) that want to see it.

2 Likes
15

Assuming Derek is correct (I have yet to prove the configuration) ā€¦

I realise that, in some situations, if we are asking the router (or in my case, Device Connector) to behave ā€˜just like a Layer 2 bridgeā€™, then it is bothersome to require the user to configure the router to ā€˜know aboutā€™ all the VLANs ā€¦ if weā€™re not going to route them, why ā€˜give the router a footprint in the network segmentā€™ by giving it an IP address?

From that point of view, it is certainly ā€˜easierā€™ to take a blind eye to what goes over a physical port thatā€™s part of the bridge, and just shovel the packets across without inspecting them.

But that isnā€™t really enough. Iā€™m with Derek who feels this is a ā€˜dirty methodā€™. There are at least 2 drawbacks:

  • what if we want the ā€˜management VLANā€™ ā€¦ in which the router should have an IP address, and therefore an entry in Networks > LAN ā€¦ to go over the bridge? Now the LAN-side of the device has to use a port for a ā€˜regular trunkā€™ and a port for a ā€˜blind trunkā€™ ā€¦ each of which carry the same VLAN :frowning:

  • what if we actually want to apply some policy about which VLANs are allowed over the L2 Bridge? By forcing the LAN port to ā€˜accessā€™, we lost this ability. :frowning:

  • itā€™s also annoying that a switchport marked as ā€˜accessā€™ is actually behaving like a trunk and not stripping VLAN tags? :open_mouth:

It just feels klunky. This isnā€™t how other routers that embed switches deal with the situation.

2 Likes
16

Other routers deal with this bridging situation by letting us define the network segment according to its VLAN, but makes it optional whether the router needs an IP address in it.

2 Likes
17

Hi Alan,

Do we need these configuration to all peplink device or only in the master (HQ site)

Thanks,

M. Irfan

1 Like