Outbound policies and multiple tunnels


We recently got a MAX-HD4 and a Balance 380. We’re planning to use the unit to stream media to our studio using a SpeedFusion VPN. I’ve set up the tunnel and all is working fine. Because of different requirements for different traffic (for example streaming vs. remote desktop) I tried the new sub-tunnel feature. The 2 tunnels establish fine. But it looks like outbound policies on the HD4 as well as on the 380 only take the source address into consideration when selecting one of the 2 sub-tunnels.
I’m running firmware version 8.0.0. Is this a bug?

Do you mind sharing how you confirmed this? :thinking:

The setup I tested with on the HD4 is as follows:
2 tunnels configured:

Just for testing: one outbound policy rule:

When I generate traffic to an IP address in the range, traffic is routed through tunnel 1 instead of tunnel 2 as specified in the policy.
Internet traffic is routed through WAN 1 in this case.

When I change the outbound policy rule to this:

Traffic for the range is still routed through tunnel 1.
Internet traffic in this case is routed through tunnel 2, as expected.

Note that the range is defined as a static route in the BP-380. It looks like the static routes for traffic to be routed through the tunnel override outbound policy rules.

@lanman, I need more info.

  1. May I know how you confirm/check that the LAN-to-LAN traffic (from to ) is routed wrongly? Is it possible to provide a screenshot?

  2. May I know which device these two subnets ( and ) belong to?

  3. Please share the screenshot of Outbound Policies (Network > Outbound Policy) for Balance 380 and HD4.

  4. Have you created sub-tunnel in both Balance 380 and HD4?

The setup is as follows:

Outbound policies on the 380:

PepVPN status as shown on the HD4:

I have created the sub-tunnels on both devices. I can get traffic through the second sub-tunnel from the HD4, but only if I specify “any” as the destination in the outbound policy on the HD4. In that case all traffic not destined for one of the subnets behind the 380 (as configured in the static routes of the 380) is routed through sub-tunnel 2 (i.e. traffic to the internet).

I can see from the status page that both tunnels are connected and working. It is just that traffic to local subnets on either side of the tunnel is always routed through the default sub-tunnel (1), regardless of outbound policy rules.

Note that in my previous post I used , which is just a subnet of the /22 LAN.
It does not make a difference.

@lanman, thanks for the diagram. I have a better understanding now. I suspect something is missing in your outbound policies. Can you provide a similar screenshot from Balance 380 and HD4? I wish to check the sequence of your outbound policies.

If you wish to check how the traffic routes through the sub-tunnels, please check at Status > Active Sessions > Search.

The screenshot you provided shed some light! I didn’t realize that I could drag the rules above the gray “PepVPN/OSPF/BGP/RIPv2” line.
How are these rules evaluated?

It is working as expected! Always learning something new.
Thanks for the help!
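As an added illustration of the ordering issue that resolved this thread (this is example code written for this page, not Peplink firmware or anything posted in the thread), the following Python models an outbound policy table as an ordered, first-match list in which the gray “PepVPN/OSPF/BGP/RIPv2” line is itself an entry. The modelling assumption is that when evaluation reaches that line, destinations covered by routes learned over PepVPN (including the remote peer’s static routes) are sent down the tunnel those routes arrived on, and only rules listed above the line are checked before that. All subnets, rule names and tunnel names below are constructed for the example.

```python
"""Simulation of outbound-policy evaluation around the learned-routes line.

Illustrative model only (assumption: entries are evaluated top to bottom,
first match wins, and the LEARNED_ROUTES line consults PepVPN/OSPF/BGP/RIPv2
routes with longest-prefix match). Addresses and names are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

# Stand-in for the gray "PepVPN/OSPF/BGP/RIPv2" line in the policy table.
LEARNED_ROUTES = "PepVPN/OSPF/BGP/RIPv2"


@dataclass(frozen=True)
class Rule:
    name: str
    source: str        # CIDR or "any"
    destination: str   # CIDR or "any"
    target: str        # WAN or sub-tunnel name


PolicyEntry = Union[Rule, str]


def _selector_matches(selector: str, addr: str) -> bool:
    return selector == "any" or ip_address(addr) in ip_network(selector)


def select_path(policy: List[PolicyEntry],
                learned_routes: List[Tuple[str, str]],
                default_path: str,
                src: str, dst: str) -> Tuple[str, str]:
    """Return (chosen path, reason) for a flow from src to dst."""
    for entry in policy:
        if entry == LEARNED_ROUTES:
            # Longest-prefix match over routes learned via the tunnel.
            best: Optional[Tuple[object, str]] = None
            for prefix, path in learned_routes:
                net = ip_network(prefix)
                if ip_address(dst) in net and (
                        best is None or net.prefixlen > best[0].prefixlen):
                    best = (net, path)
            if best is not None:
                return best[1], f"learned route {best[0]}"
            continue  # nothing learned for dst: keep walking the table
        if (_selector_matches(entry.source, src)
                and _selector_matches(entry.destination, dst)):
            return entry.target, f"rule '{entry.name}'"
    return default_path, "default"


# Constructed scenario: the 380 advertises its LAN over sub-tunnel 1,
# and the HD4 admin wants traffic to that LAN on sub-tunnel 2 instead.
REMOTE_LAN = "192.168.50.0/24"                # constructed subnet behind the 380
LEARNED = [(REMOTE_LAN, "SubTunnel-1")]       # arrives via the default sub-tunnel
STEER = Rule("studio-via-subtunnel-2", "any", REMOTE_LAN, "SubTunnel-2")
DEFAULT_WAN = "WAN1"


def path_with_rule_below_line(dst: str = "192.168.50.20") -> str:
    """Rule listed under the gray line: learned route wins first."""
    policy: List[PolicyEntry] = [LEARNED_ROUTES, STEER]
    return select_path(policy, LEARNED, DEFAULT_WAN, "10.10.1.5", dst)[0]


def path_with_rule_above_line(dst: str = "192.168.50.20") -> str:
    """Same rule dragged above the gray line: it is matched first."""
    policy: List[PolicyEntry] = [STEER, LEARNED_ROUTES]
    return select_path(policy, LEARNED, DEFAULT_WAN, "10.10.1.5", dst)[0]


if __name__ == "__main__":
    for label, fn in (("below line", path_with_rule_below_line),
                      ("above line", path_with_rule_above_line)):
        print(f"{label}: LAN-to-LAN -> {fn()}, internet -> "
              f"{fn('203.0.113.10')}")
```

Run stand-alone it prints the LAN-to-LAN destination taking SubTunnel-1 while the rule sits below the line and SubTunnel-2 once it is above, with an internet destination (203.0.113.10, a documentation address) falling through to WAN1 in both cases because no learned route or rule covers it. When checking a real unit, compare against Status > Active Sessions as suggested earlier in the thread rather than trusting the model.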


:clap::clap::clap: Glad to hear that!

