MPLS alternative


#1

Hello
We are looking at the possibility of replacing our vendor MPLS network with our own Peplink network.

All branch offices (20) get internet and access to the vendor application through the slow MPLS network.

We would like to use bonded DSL/cable etc. connections at each branch and a SpeedFusion VPN back to the main office, where we already have a Peplink 380.
The routing strategy is:
All branch office internet access, e.g. Google, hosted email, should go through the SpeedFusion VPN back to head office to an HTTP proxy.
Vendor application traffic goes over the same SpeedFusion VPN back to head office and is routed through the vendor MPLS network.
Domain controller traffic, DNS etc. should go back to servers in head office.

I am not sure if this is the ideal setup or if this is secure, so I would appreciate some feedback.
Also, is a firewall needed at each branch office, or will the Peplink be enough?
See the attached scaled-down network diagram.

Thanks!


#2

The solution looks good to us. In terms of security, this will be the best approach, as most of the traffic will be passing through the head office's centrally managed firewall and web proxy over the SpeedFusion VPN. It will also help the company save the cost of the MPLS link and provide link redundancy with the bonded Internet connections, as an Internet link is generally cheaper than an MPLS link.

Whether to have an individual firewall at the branches will depend on the branches' network size. If the head office firewall is able to handle the load, you might not need a separate firewall at the branches. In fact, the Peplink device is equipped with a firewall feature which you can enable at the branch level for first-level filtering before reaching the head office firewall.

Hope the above helps.


#3

Hello,

The solution (VPN bonding) seems OK to me, except that I would probably put a firewall at each branch site.
The firewall feature inside the Peplink is too limited from my point of view. Some vendors (like Fortinet) also have a WAN acceleration feature inside the box that would allow you to do some traffic acceleration between the branches and the HQ.

Regards,

HA


#4

Thanks for the responses, guys. Our branch offices are normally small, 1-10, and we have a few over 15.
A question about the firewall:
Can it do split tunneling? For example, I want to send all internet traffic back to the main office firewall/proxy,
but certain trusted traffic, like hosted email, will be routed to the internet locally at the branch office.

Also, can Peplink perform automatic SpeedFusion VPN failover?
For example, you have a main office and a DR site.
If the main site goes down, then all connections go down.
Can you create two SpeedFusion VPNs, to DR and head office, so that if head office goes down
it can switch automatically to DR?


#5

The outgoing traffic can be managed by the Outbound Policy. You can configure the Outbound Policy to route the selected traffic to the designated WAN link or VPN connection with just a few clicks.

You can have 2 SpeedFusion VPNs to the Main Office and DR site, provided they do not have the same IP addressing scheme. If both the Main Office and DR site have the same IP addresses, it will cause routing confusion on the Peplink device.
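
The addressing constraint in the reply above can be checked across the whole site plan before a second tunnel is built. This is an added example, not part of the original thread and not Peplink code; the site names and prefixes are constructed sample data, and the check goes slightly beyond identical subnets by also flagging one site's prefix nested inside another's.

```python
import ipaddress
from itertools import combinations

# Constructed sample addressing plan (site names and prefixes are illustrative).
SITE_LANS = {
    "head-office": ["10.0.0.0/22", "10.0.8.0/24"],
    "dr-site": ["10.0.2.0/24", "10.1.0.0/22"],
    "branch-01": ["10.10.1.0/24"],
    "branch-02": ["10.10.2.0/24"],
    "branch-03": ["10.10.1.128/25"],
}


def parse_plan(plan):
    """Parse prefixes per site; strict=True rejects entries with host bits set."""
    return {
        site: [ipaddress.ip_network(p, strict=True) for p in prefixes]
        for site, prefixes in plan.items()
    }


def find_conflicts(plan):
    """Return (site_a, net_a, site_b, net_b, kind) for every cross-site overlap."""
    nets = parse_plan(plan)
    conflicts = []
    for (site_a, nets_a), (site_b, nets_b) in combinations(sorted(nets.items()), 2):
        for a in nets_a:
            for b in nets_b:
                # Two CIDR blocks overlap only if equal or one contains the other.
                if a.version == b.version and a.overlaps(b):
                    kind = "identical" if a == b else "nested"
                    conflicts.append((site_a, str(a), site_b, str(b), kind))
    return conflicts


if __name__ == "__main__":
    for site_a, net_a, site_b, net_b, kind in find_conflicts(SITE_LANS):
        print(f"{kind}: {site_a} {net_a} <-> {site_b} {net_b}")
```

In the sample plan the DR site's 10.0.2.0/24 falls inside the head office's 10.0.0.0/22, which is the kind of overlap that would leave a branch router with two candidate tunnels for the same destination.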