Issues using Balance as DHCP + VPN Router


#1

I have a Peplink Balance 710 acting as both DHCP and L2TP VPN router for our office.

Our default untagged VLAN is used by our servers, and VLAN 16 is used by our normal workstations.

VPN only works if I enable DHCP on the untagged VLAN. This allows outsiders to VPN into our network, but it also causes workstations that are supposed to be on VLAN 16 to accidentally get an IP on the untagged VLAN subnet, which breaks their internet access.

I’m trying to find a workaround. I was going to simply make the DHCP IP range for the untagged VLAN just large enough for the VPN clients to all fit at once, and create a reservation for each one, but VPN clients do not pass MAC address information, so there is no way to make a reservation for them. Redoing the whole network’s VLAN setup to work around the issue would be extremely involved right now.

Does anyone know if there’s a way to:

A) Create a reservation by the VPN client’s hostname or otherwise find a way to pass its MAC address to the Peplink?

or

B) Allow the Peplink to place VPN clients on a VLAN besides the untagged VLAN (Peplink says the Balance is currently limited to only putting VPN clients on the untagged VLAN)

or

C) Explain to the DHCP server portion of the Balance that it should be advertising the untagged DHCP server to VPN clients only?


#2

You are correct, the L2TP/IPSec client only connects to the Untagged VLAN. You can’t reserve an IP for the L2TP/IPSec client since the L2TP/IPSec adapter doesn’t have a MAC address.

Questions on the client in VLAN 16 getting an IP from the Untagged VLAN:

  1. Is the Balance 710 connected to a managed switch? If so, have you configured a trunk on the switch port that is connected to the Balance 710? A user in VLAN 16 shouldn’t get an IP from the Untagged VLAN.

  2. If there is an AP connected to the switch, please ensure a trunk is configured on the switch port and on the AP.

  3. What is the Native/Untagged VLAN ID on the switch?


#3

Hi, the 710 is connected to a managed switch. I’m not an expert in switch configurations though; I’m looking to bring in a network technician to make sure the VLAN tagging is all correct and proper, but in the meantime I was asking to see if any other workaround exists.

I had asked Peplink and no one could see a workaround but I was posting here in case someone in the community might have an idea or know a trick to fix things.


#4

There is no workaround without checking the switch. I suspect the switch is not properly configured. Suspected problems as below:

  1. A trunk was not configured on the switch port that is connected to the Balance 710. Hence, packets will not be properly tagged, and the Balance 710 will treat them as coming from the untagged VLAN.

  2. The client is connected to the Native (Untagged) VLAN of the switch. This is due to the VLAN ID not being properly configured on the switch port that is connected to the client. Therefore, the Balance 710 will treat the client as connected from the Untagged VLAN.
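The two misconfigurations described in the post above, shown as a switch configuration fragment. This is an added example, not from anyone in the thread or from Peplink: the thread does not say which switch is in use, so Cisco IOS-style syntax, the port numbers, the interface descriptions and VLAN 1 as the native (untagged) VLAN are all assumptions. On the Balance side, the "untagged" LAN receives whatever arrives without an 802.1Q tag, so the switch's native VLAN on the uplink is what ends up in the servers' subnet, and VLAN 16 must arrive tagged.

```cisco
! Constructed example, not the thread's configuration. Cisco IOS-style syntax;
! port numbers and VLAN 1 as the native VLAN are assumptions. Adapt to your vendor.
! Older IOS switches also need "switchport trunk encapsulation dot1q" before
! "switchport mode trunk".
!
! VLAN 16 must exist on the switch before a port can carry it.
vlan 16
 name Workstations
!
! Uplink to the Balance 710: a trunk. Native VLAN 1 rides the trunk untagged and
! lands on the Balance's untagged (server) LAN; VLAN 16 is carried with a tag.
! Without "switchport mode trunk" this port is an access port in VLAN 1 and every
! frame reaches the Balance untagged (suspected problem 1 above).
interface GigabitEthernet1/0/1
 description Uplink-to-Balance-710
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,16
!
! Workstation port: an access port in VLAN 16. Without "switchport access vlan 16"
! the port defaults to VLAN 1, so the workstation's DHCP discover crosses the
! trunk untagged and it gets a lease from the untagged pool (suspected problem 2).
interface GigabitEthernet1/0/2
 description Workstation
 switchport mode access
 switchport access vlan 16
!
! Port towards an access point: also a trunk, so the AP can tag the workstation
! SSID as VLAN 16. The AP itself must be configured to tag that SSID as well.
interface GigabitEthernet1/0/3
 description Access-Point
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,16
!
! Checks before calling in the technician:
!   show interfaces trunk                         - uplink and AP port listed as trunking, VLAN 16 allowed and active
!   show vlan brief                               - Gi1/0/2 listed under VLAN 16, not VLAN 1
!   show interfaces GigabitEthernet1/0/2 switchport  - "Operational Mode: static access", "Access Mode VLAN: 16"
```

A quick way to confirm the diagnosis without touching configuration is to check which VLAN a misbehaving workstation's port is actually in (`show vlan brief`): if it shows up under the native VLAN rather than VLAN 16, the access-port setting is the problem, and if every port is in VLAN 16 but the uplink is not listed in `show interfaces trunk`, the uplink is. Either way the fix is on the switch, which matches the answer above that no Balance-side workaround exists.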