NAT and IP Forwarding not working correctly

We have a Peplink 380 router running firmware 6.2.1 with a slightly unusual setup.

The router has a single WAN connection with a single publicly routable IP.

Behind it are two networks:
privately routable intended to be used via VPN, on an untagged VLAN
publically routable /29 subnet, on a tagged VLAN

Obviously we want the /29 subnet to work as normal, so the WAN interface is set to IP Forwarding routing mode. This allows traffic out from IPs on the /29 subnet as normal.

The issue is that any clients on the untagged VLAN cannot route traffic out to the internet. I’ve tried adding a rule under NAT Mappings to NAT all traffic from, but this doesn’t seem to do anything at all. Even with a rule in place here (either as IP Range, IP Network or a single IP) there is no effect and clients on the internal VLAN cannot access the Internet.

Are we doing something wrong here?

In this scenario the private would route to the internet via the public IP but not get a NAT. Since private IPs cannot be routed over the internet the packets are dropped by your provider. IP Forwarding would not be normal or correct for this application.

The correct way to configure this would be to use NAT mode and they will get out to the internet. If there are inbound sessions, inbound service rules or a NAT mapping would be required.

1 Like

I am still quite new to the Peplink Balances.

I have the same setup as this and have not been able to get the vlan of private ips to route on the Wan connection.

The Wan connection is IP forwarded as I have a /28 on another another vlan.

Is there a way to have a server with a public ip on a vlan?


where does the publically routable /29 subnet come from? Is it the same ISP that the router on your WAN 1 connects to?

I suspect you have a single ISP and they have assigned you the /29 public IPs. In which case you need to put your ISP router into bridge mode which will assign your WAN1 on the balance with one IP from the range. You can then add the rest of the range as additional IPs on WAN1. Then you can do 1:1 NAT between each IP on the WAN and the server in the LAN segment - so NAT enabled on WAN1.

1 Like

thanks… I sent you a private message as well.

The /28 comes from the ISP with /30 for a bridge ip. Im trying to just replace the existing setup which has a vlan that has the public ip’s. Right now the servers have public ip’s assigned to them. It works right now having the public ip’s come in on the wan as its is set to ip forward. Problem is the private vlans cant access the internet.
Ive tried oubound policy with nat map, many -to-one nat…

If it cant work what would be a prefered way to set it up… assuming I still wanted servers with public ip’s


Ok I read that again really slow…

Are you saying to:

  1. Put the WAN in NAT
  2. Add the additional IP’s on the WAN
  3. Set the Vlan with the same IP’s
  4. Add a NAT rule for each ip on the WAN ?


I know we have discussed this via PM but I wanted to dump my answer here too for others that come this way and read this post.

Ok, there are a couple of ways to make this work depending on your requirements.

One way is to have the Peplink in your DC as your perimeter routing device for your entire cloud. To do this you would:

  1. Change the IP addressing of the servers with public IP addressing to a private range in their own VLAN on the LAN of the Peplink.
  2. Add those original public Ips to WAN1 on your Peplink - Set WAN1 to NAT mode.
  3. Add 1;1 NAT rules for each public IP to the respective new private IP in their VLAN

Challenges with this method is that you have now introduced NAT on the traffic to and from the servers that were originally assigned the public IP addressing and some applications (like VoIP) don’t like working over NAT - so it might take some additional application level configuration.

Another way to do this is to use two WANs active on the Peplink. Each with their own dedicated Public IP.
WAN1 would be set as IP forwarding so that the servers in their own VLAN behind it with their routable public IPs will continue to work as expected. WAN2 would be NAT and you’d add an outbound rule for all traffic from your VLANs with servers that have private IPs set to use WAN2 for outbound traffic.

The final method would be to go 100& virtual for firewall/routing/Speedfusion. Set up a pair of virtual firewall appliances in HA spread across your virtual hosts, install a Fusionhub appliance behind the virtual firewall pair on one of your hosts and enable live migration.

Personally, when there has been a heavy investment in private virtual host infrastructure (HA, shared storage etc) I always prefer to go down the Virtual Appliance path as the virtual devices can take advantage of the inbuilt HA capabilities of the hosting platform.

1 Like