Multiple untagged subnets

I am entering this as a new topic, although I have put this one in before.
I just installed 22 watchguard firewalls for a customer instead of the 22 Max BR1 units I WANTED to sell him, solely because he has three untagged networks at each location, and I was certainly not going to ask him to change everything just so switch to out service.
I am going to be very, very blunt here. This is not really a request…This is a demand. Peplink is the only router I know of that does not allow multiple untagged networks. Any $25 home router does it. Sonicwall, Cisco, linksys, juniper, watchgaurd, dlink, netgear…I defy you to find ANY other router/firewall that does not allow you to create multiple untagged subnets!

I assure you that you are losing a LOT of sales due to this simple limitation! If you are setting up a new location you can use vlans, but hen retrofitting a customer who has multiple subnets now it is just not an option to change their network numbering. For one thing, there ARE devices that do not do vlans.


You can have as many access ports as you’d like (well … as many as you have LAN ports :smile:). Just configure the port type and VLAN in Network > LAN > Port Settings.

For instance, say you create three VLANs in Network > LAN > Network Settings as such:

Navigate to Network > LAN > Port Settings and configure ports 1, 2 & 3 to untag network traffic by selecting Access as the Port Type. Next select the VLAN you would like to have untagged at that port by selecting it from the drop down list in the VLAN column.

In the above image three VLANs are each untagging the designated frames at egress for each port.

You could just as easily change LAN Port 3 to Trunk/Security VLAN for it to carry 802.1q tags unchanged (ie. tagged). Or you could you change it to Access/Guest VLAN and have two ports untagging traffic for the Guest VLAN.

For what it’s worth, “Untagged LAN” is the name of the default VLAN. It’s somewhat similar to Native VLAN in Cisco-speak. Though you can’t remove the LAN, you change the name, subnet and VLAN ID to suit your needs. It’s also possible to simply ignore it altogether in your network design. It just depends how you design your network and the network project requirements.

Yes BUT I primarily use max BR1, which has two LAN ports. So not much help if I need 3 untagged networks. Also, it requires multiple connections from the peplink to the network switch.
So, yes…this is a possible work around in some cases, but not in others. If you could select multiple vlans on one port that would work, but you can only select one.

I don’t understand. If you untag multiple networks on the same interface, how would the attached devices know which frame is meant for them? Untagging is done at egress and is typically done at the desired end device – though you could slap an unmanaged switch on the interface and have all the attached devices in the same VLAN.

Select Trunk instead of Access and Any. This will allow all VLAN traffic to traverse the link. If you would like to prune the trunk to just a subset of VLANs, you can do so on the other end of the trunk (assuming the connected switch supports pruning).

So - the big picture you are missing here is we have NO control over the existing customer networking gear. And in many cases…neither does the customer. We are not their IT company, just their IP phone company. When we can, we run the phones on separate cabling. When we have to share we run into these issues. Especially if the customer has HP Procurve switches and they are NOT set to do VLAN. Which means that they eat any tagged traffic.

As to the question of “how would a device know what is meant for them?” By the IP address of course. Again…it has ALWAYS been possible to run multiple untagged subnets on one physical network. There is no problem with this…unless you have a peplink router! Anything from a $50,000 high end Cisco to a $29 d-link home router will let you do this. The switches do not care (layer 2, layer 3…no matter). Technically, the devices “see” all traffic, but so what? They ignore what is not addressed to them.

I am pushing for this again. I just wasted four hours fighting to get some phones moved from one untagged network to another, because I was unable to have the pepwave connect to both.
Now Peplink has new devices with one LAN port, so even the poor option of doing port based vlan and connecting both ports to the same switch is not available.

I just do not understand what the problem is with doing this! Virtually every other router allows you to create as many untagged networks as you want on the same physical interface

I don’t think I have ever seen a customer router configured with multiple untagged subnets presented on the same access port. Can’t think of a good reason to do so either. What’s the topology / use case that requires it? Why do they have it configured that way?

1 Like

I am raising this yet again. one of my channel partners is about to install 8 watchguard firewalls when he would prefer to use Balance 710s. But because the customer has four or five untagged networks (plus a bunch of VLANs) at each location, we cannot use peplink equipment. Not unless we want to use say five LAN ports into a dumb switch then from that to the customers switches.

Again - EVERY other router available allows you to create as many untagged networks on one interface as you want. Why would I want to do that? I do not. I think it is stupid. But this is already in place, with literally hundreds of devices with static IPs in place. The customer is not going to redo their entire network to suit Peplink, so Peplink loses $40,000 in sales and the customer is getting what I think is an inferior product.
The only thing you cannot do (obviously) is have a DHCP server on more than one untagged network. The other questions I have seen asked in this thread baffle me. such as " If you untag multiple networks on the same interface, how would the attached devices know which frame is meant for them? ". Answer, by the IP address of course! How do you think a device knows what is meant for them on a vlan?
So far (and including this one) we have installed about $80,000 worth of Cisco and Watchguard firewalls ONLY because of this limitation.

1 Like

“Select Trunk instead of Access and Any. This will allow all VLAN traffic to traverse the link. If you would like to prune the trunk to just a subset of VLANs, you can do so on the other end of the trunk (assuming the connected switch supports pruning).”

This is a problem because A) no other vendor I’m aware of has this curious restriction and B) this requires the use of a managed switch on each interface to “prune” the VLANs passing the trunk, which the Peplink device should be capable (itself) of handling. It needlessly complicates a network infrastructure in many cases where a large VLAN deployment and organization is not already in place. It’s an issue for me as a home/SOHO user and I could imagine in a commercial setting this would be absolutely maddening - enough to disqualify the Peplink product(s) from consideration, absolutely. And before you say “just set the port as access and use a dumb switch on each port…” — again, needless complexity and device chaining. adding dumb switches where they really aren’t needed increases latency across the network, as just one example. (And that’s before we even get to the possible security implications beyond that!)

Our deep thanks to @jmpfas for his persistence to communicate the need (and pain) to us. This is well understood and our team will look into it.


And raising this one yet again - I have a new customer for our phone service. 42 locations. All have existing cradlepoint routers for cellular backup.
They are prepared to let me replace the cradlepoints with pepwaves, but they currently have multiple untagged networks at each location.
So - we either add this ability (like ALL other routers) or I have to leave these cradlepoints in place and put my phones behind them.
This is over $21,000 for just the pepwaves that will not be sold if we do not get this feature! Seriously, what is the problem here? virtually every other router allows this!

1 Like

This feature is already in our roadmap and we are working on it, I am checking if it will happen in coming 7.1.1 firmware, will keep you posted here.


John, we also hope this could happen sooner. This feature looks trivial at surface but this turns out to be more complicated in implementation because of our SD-WAN architecture, outbound policy engine and such. It’s taking us more time but as Noel has pointed out, it’s definitely being worked on.

1 Like

Was this ever implemented?
For now the only work around will be plugging in multiple cables from router to switch?
We have multiple /24 blocks, since we are taking over an existing network but we want to start moving over to a single network, in the mean time we need both up,


Not sure whether your request is the same as the feature request here but i can confirm the feature have been implemented since firmware 7.1.1.

7.1.1 release notes:

1 Like

this is great yes this is what i was looking for,
now i have a new issue , will open a new discussion

Yes and no.
Yes: You can have multiple untagged subnets on a single interface
No: There are some odd restrictions.
In OSPF/RIP you can only choose to adevertise or not advertise all of the subnets. i.e. it is bing controlled at the interface level instead of the subnet level. Very annoying. I have had a request in to change to for some time.
Engineering DID correct a similar error on one-to-one NAT. You used to only be able to select all subnets (which made no sense at all). Now you can select the individual subnets.
So - it works, but one little gotcha.

Question: I’m not well experienced with multiple subnets and VLANs. Our LAN was (254 addresses). I was running out of addresses so we changed it to, which gives us 508 addresses. The DHCP server is -, so we have 254 available DHCP, and another 254 for static devices.

The flaw in all this is remote access. For whatever reason the Peplink L2TP remote access server can’t deal with this subnet arrangement. You can connect but you can’t communicate with LAN devices. If you change the LAN back to /24 the remote access works fine.

The discussion above about multiple untagged subnets makes me wonder if I would be better off with two separate subnets and Assuming I check the box for inter VLAN routing, would this function identically to my current /23 setup? I haven’t tested it but I assume the remote access would work fine, and be able to access both subnets?

Is the setup the same as creating a VLAN, but don’t put a number in the VLAN ID box?

@Don, just to confirm the LAN devices with static IP also changed the Subnet when you do the testing ?

1 Like

Yes the LAN devices with static IP also changed Subnet. In fact the LAN devices acquired their address by DHCP from the Balance 380. Those devices have DHCP reservations in the range.