Outbound policy by destination IP or domain can't be used if using a firewall behind the Peplink, correct?

Just wanted to confirm this, as these are the results I’m getting but I wanted to be 100% sure. If I have a Peplink device like a BR1 with Cable and LTE with PepVPN to FusionHub, and I have an existing firewall like a Cisco Meraki connected to it, either using NAT or Drop In Mode, is it possible to set outbound policy with things like “Destination domain *.3cx.ca use PepVPN” and so on? Or traffic from source MAC being a PBX connected to the Meraki to use PepVPN?

I was testing it last night and it doesn’t seem to work, I assume since the BR1 can’t view the specific traffic when it’s coming from another firewall. When I connect a device directly to the BR1 it does work as expected: any 3CX voice traffic would go over PepVPN when using *.3cx.ca for outbound policy, or when using the MAC address of the PBX on premise. But when connected to the Meraki, it would just go over the normal outbound policy unless I set the BR1 to send all traffic over PepVPN.

Just wanted to confirm those are the expected results and that there’s no way to isolate traffic via port, domain, IP, MAC etc. to use a specific outbound policy when those devices are connected to a firewall that’s connected to the BR1, and not to the BR1 directly?


Routing by destination is still possible with a firewall on the inside. If the firewall does a NAT, it is the source IP/source MAC address that is no longer seen by the Peplink.

Expected results are you can still determine the destination and protocol with a firewall on the inside.

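A small model of the behaviour described in the answer above, added here as an example and not taken from the thread or from Peplink's software: it shows which packet fields an upstream router can still match once an inside firewall has forwarded the traffic. The rule table, addresses and MACs are constructed, and the routed-without-NAT case goes beyond what the thread covers.

```python
from dataclasses import dataclass, replace
from fnmatch import fnmatch


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed sample values (documentation address ranges, made-up MACs).
PBX = Packet("02:00:00:00:00:10", "192.168.10.20", "203.0.113.50", 5060)
FW_WAN_MAC, FW_WAN_IP = "02:00:00:00:00:01", "192.168.50.2"


def via_routed_firewall(pkt, nat=True):
    """What the upstream router receives after an inside firewall forwards pkt.
    Any routed hop re-frames with its own MAC; NAT also rewrites the source IP."""
    out = replace(pkt, src_mac=FW_WAN_MAC)
    return replace(out, src_ip=FW_WAN_IP) if nat else out


# Hypothetical first-match rule table: (name, field, pattern, action).
RULES = [
    ("pbx-by-mac", "src_mac", "02:00:00:00:00:10", "vpn"),
    ("pbx-by-ip", "src_ip", "192.168.10.*", "vpn"),
    ("sip-by-dest", "dst_ip", "203.0.113.50", "vpn"),
]


def matching_rules(pkt, rules):
    """Names of every rule whose field pattern matches the packet as seen."""
    return [n for n, field, pat, _ in rules if fnmatch(str(getattr(pkt, field)), pat)]


def decide(pkt, rules, default="wan"):
    """First-match evaluation: return (rule_name, action), or the default path."""
    for name, field, pattern, action in rules:
        if fnmatch(str(getattr(pkt, field)), pattern):
            return name, action
    return "default", default


if __name__ == "__main__":
    for label, pkt in [("direct", PBX),
                       ("routed, no NAT", via_routed_firewall(PBX, nat=False)),
                       ("routed, NAT", via_routed_firewall(PBX))]:
        print(f"{label:15} matches={matching_rules(pkt, RULES)}")
```

With only the two source-based rules configured, the NATed packet falls through to the default path, which is the symptom the original poster saw.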

That’s great, it seems to be working now. Guess I just needed to give everything the old reboot after making the outbound policy change, as now it does seem to work. Also, instead of just putting 3cx.ca for the domain, I put its IP in as well, which might have helped.