Need help on the feasibility of my project with multiple VLAN



We have a Balance 2500 core network router with Max HD2, HD4 Mini HD2 remote router for ways to live broadband video surveillance.

We must accommodate other services on our Balance 2500 and we want to split the other services of ours.

For this, we think pass with the VLAN implementation of services.
We must also put us in a dedicated VLAN to make “completely separate” all Max router dating back to the 2500 balance based on user services.

We have a diagram corresponding to what we want.
1 - Is it possible with Peplink products?
2 - What do you think? Is this the right approach?
3 - How to get to this need properly and make 100% functional?

thank you

Dessin for forum peplink.pdf (472 KB)


Hi Fred,

This can be achieve by doing steps below on Outbound Firewall Rule:-

Remote Max devices

  • Deny --> Untag vlan

  • Deny --> Vlan 100

  • Deny --> Untag vlan

  • Deny --> Vlan 100

  • Deny --> Untag vlan

  • Deny --> Vlan 100

  • Deny --> Untag vlan

  • Deny --> Vlan 100

Remote location which access Untag and Vlan 100

  • Deny --> Vlan 200

  • Deny --> Vlan 200

  • Deny --> Vlan 200

  • Deny --> Vlan 200


  • Deny Vlan 200 -->
  • Deny Vlan 200 -->
  • Deny Vlan 200 -->
  • Deny Vlan 200 -->
  • Deny Untag Vlan -->
  • Deny Untag Vlan -->
  • Deny Untag Vlan -->
  • Deny Untag Vlan -->
  • Deny Vlan 100 -->
  • Deny Vlan 100 -->
  • Deny Vlan 100 -->
  • Deny Vlan 100 -->
  • Deny Untag Vlan --> Vlan 200
  • Deny Vlan 100 --> Vlan 200
  • Deny Vlan 200 --> Untag Vlan
  • Deny Vlan 200 --> Vlan 100



I just look in the rules of the firewall.
I can not find the “VLAN”.
So I can not nominate a VLAN in the rules but only networks or IP addresses.

Do I have to then specify the network addresses of each VLAN?

thank you


Hi Fred,

Sorry for confusing. The reason I used “Vlan” to represent network address is to help you to have better understanding on the proposed rules. Actually:-

Vlan 100 =
Vlan 200 =



I have try Vlan configuration.

Is it possible in Balance 2500 by logging into the a PPTP connection to access devices in all VLAN and not only in untagged lan ?

Because we need to work with all the devices in the multiple VLAN mode from a remote PPTP access.

And we do not find how to do this step.



Hi TK Liew,

I applied migration firmare 6.1.2 to 6.2 on all products we have.
Furthermore, I opened another threat on problems emerged since this upgrade on the Balance 2500.
But apart from problems discussed, I did a first test between one VLAN with our Balance 2500 and a HD4 router.
I followed the procedure that indicates Peplink for firmware 6.2.

On the Balance 2500, so I create a VLAN with a network.
On the HD4, I created the same VLAN but I kept the HD4 network settings.
In summary, the Balance 2500 and the HD4, I get on each unit:

_ A network Untag
-Balance 2500: Untag
-HD4: Untag
_ A network in VLAN 200:
-Balance 2500: V200
-HD4: V200

I specify in I checked the box: Inter-Vlan routing.

I can connect to the Balance 2500 with his untag address or with his vlan address.
I realized this by connecting me to the Peplink Balance 2500 with PPTP VPN- my IP adress obtaining a DHCP address from the lan side of untag and also from a computer on the local lan Balance 2500 (always untag)

But I can not connect to the router Max HD4 nor Untag with its IP address or with the IP address of Vlan.

I did not apply any rules in the firewall.

All is the default rule : Allow.

I can only connect to the Router HD4 by its WAN IP address.

But that’s not what I’m looking.
I need to administer at the request all my devices regardless of their location.
And there it is not possible.

Is there a technical solution with my Peplink products?


Hi Fred,

Can I suggest to use Untag Vlan for Management purpose and PPTP users?

Firewall blocking just between Tag Vlans. Therefore you can access devices in all Tag Vlans, remote SpeedFusion networks from Untag Vlan.

IP Reservation for PPTP client

Hi TK Liew,

I understand your vision having as basis the untag VLAN for management and PPTP users.

My problem is as follows:

I have only one Balance 2500.

On this unit I have to accommodate several separate users.

Each user must have access to their Peplink router as an administrator for operational reasons.

They should all have access via PPTP type or other VPN to their respective Peplink router.

I can not properly divide each group.

The only solution I see is to have a balance 2500 or 1350 Balance for each group, to separately manage each group and offer them a PPTP VPN or other access to their remote Peplink router from outside of our networks via the Internet.

But that’s not feasible financially and logistically.

That’s why I try to accommodate them on our Balance 2500 without any users can see others while having allow access from the Internet and local but limited to each group.

The risk let the untag vlan on each Peplink for administration is to open the discovery see an interaction between groups.
In addition, the PPTP access is global.

It is not easy …


Hi Fred,

Beside separate users by group and PPTP, may I know any other features you are looking for?