Forgive me if this is posted in the wrong category, forum newbie here. I have a fleet of Peplink MAX BR1 LTE-US (180+) in vehicles with static IP addresses on a LTE connection from the same carrier. I have been asked to setup a VPN connection to allow access to the corporate network. Basically they want split tunneling where personal devices connect to a visible SSID for Internet access such as maps, etc. and corp devices connected via LAN and hidden SSID route over the SpeedFusion VPN to the Fusion Hub for access to the corp servers. I have downloaded the Fusion Hub VM for my environment and received the license file from my reseller. I am not sure how to set up the MAX BR1 to direct the corp device traffic to the speed fusion VPN while allowing the personal devices to simply browse the internet. Can someone steer me in the right direction? Thanks in advance!
Hi Rob,
- create a VLAN for your corporate devices
- create a SSID “corp” for your corporate devices
- create a SSID “internet” for internet breakout locally on the untagged net
- create an outbound policy (source: corp VLAN) and force it to use PepVPN
- create firewall roule for the untagged net to deny corporate access
for corp. devices connected via cable set the LAN-Port to acces / corp VLAN.
Thanks ue-it! This is great. I am new to Peplink and working my way through the documentation but am thankful for forum contributors like yourself that help with applicable suggestions like the above.
While discussing this with one of the server admins, he indicated that the application the field needs access to is restricted to a single IP/hostname. Is it possible to simply steer a particular IP/hostname over the SF VPN versus all of the corp traffic? The server admin was concerned if I send all corp devices to admin that we will have an impact on the internet connection there since all traffic on corp devices will be routed out their connection versus the cellular WAN connection they use today.
Thanks again for your help and patience.
Go back to step 4.
Outbound Policies can be defined on source address and port, destination address and port. Just set the destination address to your single host address (and port).
Step 5:
Configure an internal Firewall rule to deny all corporate traffic. Allow only traffic to your application server.
Thanks again ue-it. I am working my way through all of this but hit a bit of a road block. In our MAX BR1 units i dont see the granularity you mention in the outbound ruleset. Below is what I see
If I put my host and port in the rule, I dont see an optoin to weight the VPN over the cellular, WAN, etc. What did I miss?
Switch your Algorithm to Priority, choose your source network, add the destination application server and port, under priority drag the pepvpn to the top position.