New installation questions


#1

I am exploring the possibility of installing a PepLink 310 for an office with 2 WAN circuits. We have 2 IPSEC VPN tunnels on our firewalls I would like to continue using because our firewall provides for detailed policies to manage access. I see the Peplink only will pass through 1 VPN tunnel in the services IPSEC Passthrough. We are only interested in balancing our Internet traffic with the Peplink. Would leaving my firewalls (HA) with public addresses and allowing the VPN tunnels from the firewall directly and then forwarding my Internet traffic to the Peplink for balancing over the 2 circuits be a viable configuration? How will the Peplink detect the VPN traffic on the links when it calculates utilization?

Also, playing around with the live demo on the website, I did not see anywhere I could control the balancing algorithm used or how the circuit bandwidth/capacity is defined?

Thank you,

Brian


#2

The Balance 310 can be deployed in drop-in mode and your firewall configuration does not need to change. IPsec passthrough will keep your VPNs on the primary WAN. No port forwarding is necessary as the Balance becomes a bridge for the drop-in mode WAN.

Outbound policy rules are used to control load balancing, and they are under the network tab. The circuit bandwidth/capacity is defined in each WAN interface.


#3

Ron,

Thank you for responding. I looked at the IPSEC pass through feature but it only supports a tunnel on 1 WAN link. I have 2 tunnels, one on each circuit. Looking at the link about Drop in mode, I have some questions.

Is the IP address of the LAN port the same IP as WAN1?
Does the Firewall need to be directly connected to the Peplink? How would it work with redundant firewalls?
In drop in mode does WAN1 need to be configured for IPsec NAT-T or do I only need to do that on my WAN2 connection?

Thank you,
Brian


#4

Hi Brian,

Here are the answers to your questions:

  1. Is the IP address of the LAN port the same IP as WAN1?
    Yes

  2. Does the Firewall need to be directly connected to the Peplink? How would it work with redundant firewalls?
    Yes. The outside interfaces of the HA pair would be connected to the Balance LAN port using a switch.

  3. In drop in mode does WAN1 need to be configured for IPsec NAT-T or do I only need to do that on my WAN2 connection?
    You can disable IPsec NAT-T and control UDP 500 and UDP 4500 traffic with outbound policy rules instead. WAN2 can port forward to your firewall on the primary side, or you can use NAT mappings to your firewall if there are multiple IP addresses on WAN2. It is possible to have an IPsec VPN on each WAN as you will be doing a NAT from WAN2 to the primary WAN.