InControl2 VLAN Definition

I have a Peplink system with a Balance One at my house (acting as the hub) and a MAX BR1 Pro 5G as my remote unit when I travel. I’ve set up several VLANs, all defined centrally in InControl2. Both routers share the exact same VLAN configurations, including identical IP ranges.

For example, I have a VLAN 21 (192.168.21.0/24) where servers reside at my house. When I connect to VLAN 21 from the remote BR1, I can’t access the servers on the Balance One, which I assume is because the routers don’t know how to route the traffic correctly between the sites.

Looking ahead, I might expand this setup to include more remote routers (e.g., giving some to my adult kids so they can access my NAS). What’s the best way to configure this in InControl2 to ensure seamless connectivity between VLANs across all routers?

Hi…

Did you try to use layer-2 bridging based VPN?

1 Like

Marcelo,

I have not tried layer-2 bridging based VPN. Didn’t know it was a thing until you mentioned it. It looks like these are the correct settings, is that correct?

The more I research Layer 2 bridging, the more it seems like a solution that works well when it’s functional but is prone to issues and can make troubleshooting more complex. My main goal is to seamlessly move laptops, phones, and tablets between environments without requiring any reconfiguration. I’d like to have the same SSID at both locations, with everything centrally configured. Upon further thought, there’s no real need for remote sites to communicate with each other—they only need to connect to the hub. I’m open to suggestions for a better architecture that meets these needs.

Focusing on two objectives, here’s what we do.

Objectives:

  • Seamless movement of mobile devices. (In our case: At least one SSID with the same attachment protocol (password) works across all locations. I move my laptop from the coast to the mountains, I don’t have to do anything in order to connect.)
  • Uniform access to shared/global services. (In our case: centrally located file servers, firewalls and mail servers are seamlessly accessible from all locations, as I take my laptop with me from one location to another. Also (6) below).

Architecture:
  0. Each location/router has a distinct LAN IP-address space (192.168.1.0/24, 192.168.2.0/24 etc). Establish locally on each router.

  1. All locations have the same SSID available (and possibly others). That SSID ties to the local unnamed LAN (i.e., untagged), providing local clients with globally distinct IP addresses. Establish with IC2.
  2. Tie the routers all together with SpeedFusion (we use a hub architecture). Establish with IC2.
  3. Define a DNS Proxy profile to be adopted by all the routers (for the local name space, e.g., a name->local IP address mapping for a NAS such as “bigserver.mydomain A 192.168.11.5”.). Establish with IC2.

Tweaks:
  4. If you have used local VLANs on the node routers then remember to tweak the settings for Network Advertising to ensure that there are no overlaps of VLAN advertised address spaces from one node to another. E.g., limit advertisement to only share the untagged LAN.
  5. If you want stable access to shared resources (such as a centrally located NAS) then provide those with fixed (local) IP addresses, such as with bigserver.mydomain above.
  6. Use VLANs to establish breakout-points (or other routing options) across all locations. E.g., we have a VLAN named GDPR, with a corresponding SSID. Equipment attached to that particular SSID gets a VLAN IP address identifying them as subject to GDPR, and all traffic with those devices is routed to enter the internet at a node in Europe, routed through a particular SpeedFusion connection. Established with IC2 (a combination of SpeedFusion definitions, global VLAN definitions, and global outbound policy profiles). Since it is the same address space across all locations, be sure not to advertise it (overlapping address spaces would result in routing conflicts for SpeedFusion).

With that set-up your remote devices can access your (central) NAS using its IP address (via lookup in your proxy DNS, if you prefer names to addresses) and other services (e.g., SMB://bigserver.mydomain). This is all level 3 stuff.

I am sure there are optimizations available, but this basic set-up has worked well for our community organization (25 routers, 2-400 clients ranging from basic sensors and critter-cams through laptops to central servers).

Cheers,

Z

2 Likes

Thank you for the detailed reply! I generally understand what you’re saying, but I’d like to provide some additional information and ask for clarifications. First, let me explain my VLAN setup:

  • Default (0): This VLAN is for network infrastructure like routers and managed switches. I’d prefer not to use this as the default VLAN to make it easier to lock down (a Cisco admin friend of mine follows this practice, but I’m unsure how to implement it in the Peplink ecosystem).
  • Main VLAN (21): This is where I primarily operate. The NAS and other servers are here, and only devices needing access to the NAS connect to this VLAN.
  • Work VLAN: This is an isolated VLAN, ideally more restricted than the Guest VLAN. It’s separate so I can tweak its performance independently.
  • Guest VLAN: This is the VLAN for friends and guests.
  • IoT VLANs:
    1. One VLAN for IoT devices that only communicate with cloud servers (I try to avoid cloud dependency but have a few devices like this).
    2. Another VLAN for IoT devices that can be controlled from the Main VLAN (21).

I only need the two IoT VLANs at the hub, but I need everything else on all routers. Initially, I was under the impression that with InControl2, I could configure the VLANs centrally for all devices. However, it seems like InControl2 assigns the same IP address ranges to all routers, causing conflicts. If that’s the case, what’s the point of using InControl2’s central VLAN configuration? This has left me scratching my head.

The second issue is related to DNS. It seems inefficient for the remote router to send all DNS requests to the DNS server at the hub. How does this work exactly? Does the DNS proxy recognize when a request is unrelated to the local domain and send it straight to the internet? Or does every request route through the hub, even when unnecessary?

Any insights you can provide would be greatly appreciated!

Let’s do a variant of the previous setup - but the principle is the same:

First establish the distinct LANs for each router, be it untagged or not:
E.g.,

Router1 (management):
SSID:
LAN: 192.168.11.0/24
Tag: 1

Router2 (management):
SSID:
LAN: 192.168.12.0/24
Tag: 1

Then
For all the global VLANs and SSIDs, define the VLANs and SSIDs in IC2, with every router having the same VLANs, the same SSIDs and the same mappings of SSID to VLAN, with the untagged LAN being the one differentiator (being distinct for each router).

E.g.,:

SSID: “Main”
VLAN: 192.168.21.0/24
Tag: 21

SSID: “Work”
VLAN: 192.168.22.0/24
Tag: 22

SSID: “Guests”
VLAN: 192.168.122.0/24
Tag: 122

etc.
All established globally in IC2, identical for all routers.

Then
Create profiles in IC2 (LAN Network settings for the group), one profile for each router.

  1. Define one IC2 tag per router (e.g., “Router1”, “Router2” above) and use that in the “General” tab, “Device Selection”.
  2. For each tag, create a rule (mapping) in the “Virtual Network Mapping” tab, with a globally distinct “virtual network” address space and the VLAN network name being whichever you want to map out.

E.g.,
Rule 1:
Tag: “Router1”
VLAN Network Name: “Main”
virtual network: 192.168.201.0/24

Rule 2:
Tag: “Router2”
VLAN Network Name: “Main”
virtual network: 192.168.202.0/24

Etc.

That all resolves the routing conflicts, since all shared address spaces are now either unique to the router or a mapping to a unique space for an otherwise conflicting VLAN.

It doesn’t :)

IC2 LAN profiles to the rescue again:
Create a profile (say “localDNS”), open the “DNS Proxy” tab, and add the DNS records to your taste (e.g., the in-system names and addresses for your NAS servers). Check “Managed” and “Enable” and “DNS Caching”.
IC2 will distribute the DNS records to the routers, and they become local to each router, the first lookup-table prior to going outside for a DNS lookup.

That should do it. I think.

A caveat, though, I have not employed this particular architecture beyond a simple test, so you may need to explore it further (and share the experience thereof, please).

Have fun!

Z


2 Likes

Question: SpeedFusion VPN Auto-Assigned NAT Range Conflicts

I have a SpeedFusion VPN setup between two routers: HubRouter and RemoteRouter1. Here’s my configuration:

  • I created a VLAN named Main with the following settings in VLAN Networks:
    • IP: 172.16.0.1/24
  • In LAN Network Setting Profiles, I mapped the VLAN to a unique virtual network for each router:
    • HubRouter: Mapped Main to 192.168.200.0/24.
    • RemoteRouter1: Mapped Main to 192.168.201.0/24.

Observations

After applying these settings, here’s what I see in the Network tab for each router:

  • HubRouter:

    • Main VLAN: 172.16.0.0/24
    • One-to-one NAT: Main (172.16.0.0/24) <--> 192.168.200.0/24
  • RemoteRouter1:

    • Main VLAN: 10.0.85.1/24
    • One-to-one NAT: Main (10.0.85.0/24) <--> 192.168.201.0/24

This makes sense as a NAT mechanism to handle routing conflicts between routers. However, I’m unclear where the 10.0.85.0/24 range is coming from. Additionally, the HubRouter received the real VLAN IP (172.16.0.0/24), not the virtual address (192.168.200.0/24), which I find interesting.


Questions

  1. Where is 10.0.85.0/24 coming from?

    • Is this a default NAT range assigned by SpeedFusion or InControl2?
  2. What happens if I already use 10.0.85.0/24 for another VLAN?

    • Would this cause conflicts, and how can I avoid such conflicts?
  3. How do I explicitly configure the NAT range for SpeedFusion?

    • Is there a way to define custom NAT subnets to avoid overlaps with existing VLANs?
  4. Why does the HubRouter use the real VLAN IP (172.16.0.0/24) rather than the virtual address (192.168.200.0/24)?

    • Is this expected behavior, or does it indicate a configuration difference between the Hub and Remote routers?
  5. How can I redirect traffic for certain SSIDs on remote routers to the HubRouter?

    • I reset RemoteRouter1 as part of this rework, and IC2 pushed down all settings. However, I need some SSIDs on all remote routers to redirect 100% of their traffic to the HubRouter. These SSIDs will not exist on the HubRouter. Is there a way to configure this in IC2?

Thanks in advance for any guidance!

(P.S. ChatGPT is GREAT for formatting questions to make them easy to read and understand)
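The two things the thread keeps circling are (a) Z’s rule that a shared VLAN prefix must never be advertised over SpeedFusion, only the per-router untagged LAN and the per-router “virtual network” it is one-to-one NATed to, and (b) the last post’s worry about what happens when an auto-assigned or mapped range collides with a VLAN already in use. The script below is an added example written for this page; it is not Peplink or InControl2 code and does not model how IC2 picks its own ranges. It assumes Z’s layout (the same global VLAN prefix on every router, a distinct untagged LAN per router, and one virtual prefix per router per mapped VLAN), checks the plan for the overlaps that would produce routing conflicts, and shows the one-to-one address translation for a host behind a remote router. The router names, prefixes and the deliberately broken plan are constructed from the numbers used in the thread.

```python
"""Address-plan checker for the per-router virtual network mapping discussed
in this thread. Added example, not Peplink/InControl2 code.

Assumed model (from the thread, not from any vendor documentation):
  * every router carries the same global VLAN prefix (e.g. Main 172.16.0.0/24);
  * every router has its own distinct untagged LAN;
  * a per-router one-to-one NAT maps each global VLAN to a unique, equally
    sized "virtual network" prefix;
  * only the untagged LAN and the virtual prefixes are advertised over
    SpeedFusion, never the shared global VLAN prefix itself.
"""
from ipaddress import IPv4Address, ip_network

# Constructed sample plan using the prefixes that appear in the thread.
GLOBAL_VLANS = {"Main": ip_network("172.16.0.0/24")}

ROUTERS = {
    "HubRouter":     {"lan": ip_network("192.168.11.0/24"),
                      "map": {"Main": ip_network("192.168.200.0/24")}},
    "RemoteRouter1": {"lan": ip_network("192.168.12.0/24"),
                      "map": {"Main": ip_network("192.168.201.0/24")}},
}

# Constructed broken plan: RemoteRouter2's untagged LAN reuses the prefix that
# RemoteRouter1 already advertises as its virtual "Main" network.
BAD_PLAN = dict(ROUTERS)
BAD_PLAN["RemoteRouter2"] = {"lan": ip_network("192.168.201.0/24"),
                             "map": {"Main": ip_network("192.168.202.0/24")}}


def router_prefixes(router_cfg, global_vlans):
    """All prefixes present on one router: its untagged LAN, every global VLAN
    (they exist locally on every router) and its virtual NAT prefixes."""
    prefixes = [("untagged LAN", router_cfg["lan"])]
    prefixes += [(f"vlan:{name}", net) for name, net in global_vlans.items()]
    prefixes += [(f"virtual:{name}", net) for name, net in router_cfg["map"].items()]
    return prefixes


def advertised_prefixes(routers):
    """(router, label, prefix) for everything a router advertises over the VPN:
    the untagged LAN and the virtual networks, but not the global VLANs."""
    adv = []
    for name, cfg in routers.items():
        adv.append((name, "untagged LAN", cfg["lan"]))
        adv += [(name, f"virtual:{vlan}", virt) for vlan, virt in cfg["map"].items()]
    return adv


def check_plan(routers, global_vlans):
    """Return a list of human-readable problems; an empty list means the plan
    has no overlapping address spaces and every NAT mapping is well-formed."""
    problems = []
    # 1. One-to-one NAT needs a virtual prefix of the same size as the real VLAN.
    for name, cfg in routers.items():
        for vlan, virt in cfg["map"].items():
            if vlan not in global_vlans:
                problems.append(f"{name}: maps unknown VLAN {vlan!r}")
            elif virt.prefixlen != global_vlans[vlan].prefixlen:
                problems.append(f"{name}: virtual {virt} is not the same size as "
                                f"{vlan} {global_vlans[vlan]}")
    # 2. Nothing configured on a single router may overlap anything else on it.
    for name, cfg in routers.items():
        local = router_prefixes(cfg, global_vlans)
        for i, (label_a, net_a) in enumerate(local):
            for label_b, net_b in local[i + 1:]:
                if net_a.overlaps(net_b):
                    problems.append(f"{name}: {label_a} {net_a} overlaps {label_b} {net_b}")
    # 3. Advertised prefixes must be unique across the whole SpeedFusion mesh.
    adv = advertised_prefixes(routers)
    for i, (r_a, label_a, net_a) in enumerate(adv):
        for r_b, label_b, net_b in adv[i + 1:]:
            if r_a != r_b and net_a.overlaps(net_b):
                problems.append(f"{r_a} {label_a} {net_a} overlaps "
                                f"{r_b} {label_b} {net_b}")
    return problems


def nat_translate(routers, global_vlans, router, vlan, host):
    """Address a remote host in a global VLAN appears to have after the router's
    one-to-one NAT (same host offset, virtual prefix instead of the real one)."""
    real, virt = global_vlans[vlan], routers[router]["map"][vlan]
    host = IPv4Address(host)
    if host not in real:
        raise ValueError(f"{host} is not inside {vlan} ({real})")
    offset = int(host) - int(real.network_address)
    return IPv4Address(int(virt.network_address) + offset)


if __name__ == "__main__":
    print("good plan:", check_plan(ROUTERS, GLOBAL_VLANS) or "no conflicts")
    print("bad plan :", check_plan(BAD_PLAN, GLOBAL_VLANS))
    # A NAS at 172.16.0.5 behind RemoteRouter1 is reached from the hub via 192.168.201.5.
    print("NAS via NAT:", nat_translate(ROUTERS, GLOBAL_VLANS, "RemoteRouter1", "Main", "172.16.0.5"))
```

Run it before pushing a new LAN profile or adding a router: a non-empty result from `check_plan` is exactly the kind of overlap that makes SpeedFusion routing ambiguous, and `nat_translate` gives the address you should expect to see (and to allow in firewall rules) on the far side of the one-to-one NAT. Check 2 also catches the case from the last post, where a prefix that one router hands out as a real VLAN coincides with a virtual or LAN prefix elsewhere, because every global VLAN is present on every router.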