Peplink Balance 20X Lan Networking/Routing

Hello Everyone!

Hopefully this is a straightforward question and someone has a solution. On the Peplink Balance 20X I’m testing/deploying, I can’t access the management network (web portal) I’ve created from a different subnet; I have to use the tagged VLAN on the same subnet to access the device. Not a big deal in practice, but I was wondering if that was by design or if a setting may have been missed somewhere.

Both Subnets are part of the same /16
Management IP range example X.X.A.X/24
Other Tagged subnet example X.X.B.X/24

We’ve attached the Peplink to the core L3 switch, trunked the connection, and have access to the internet when we cut the line from the main ISP; that works fine. The weirdness occurs when trying to log into the Peplink for administration.

Peplink management (untagged VLAN) is in the same subnet as the switches: X.X.A.X
Other Peplink interface (tagged VLAN) is in a different subnet: X.X.B.X

From the Peplink management interface IP (X.X.A.X) I can ping my test machine in the X.X.B.X subnet, and I can confirm both from the Peplink and from Wireshark that the ping packets make the full trip perfectly. The problem is I can’t do the same in reverse, which is why I’m thinking something in the Peplink itself is blocking this/needs to be changed. Looking at the packets from the machine back to the Peplink, the pings get to the Peplink and are then dropped.

Again this is not a super big deal, just wondering if anyone knows what exactly this could be caused by.

TLDR: Subnet A to Subnet A interface works, Subnet B to Subnet B interface works. Peplink in A to machine in B works, but not when the machine initiates. The incoming connection seems to be getting blocked/dropped/denied. Inter-VLAN routing is on for the tagged subnet on the Peplink, and when traceroute is run both connections take the path to the core L3 switch. Everything looks fine, but the Peplink seems to be actively denying the request unless it is on the same subnet. This is the only device on the network that does this; routing between these two subnets is working correctly everywhere else, again leading me to something on the Peplink. If more info is required, if this is too vague, or if someone has any suggestions, please let me know.

I’ve tried static routes on the Peplink, firewall rules on the Peplink (including an any/any), and factory resetting to make sure some other setting wasn’t clicked before this project came over to me. I appreciate any and all suggestions.

Did you enable inter-VLAN routing on the untagged LAN as well as the tagged LAN? That should be all you need as far as routing is concerned. I imagine this is your issue – ping does not require symmetric routing to function – a one-way route will behave the way you describe. I don’t know if the static routes would trump the lack of the inter-VLAN routing option – I imagine under the covers they create a bridge interface for that traffic. Without this option – the bridge probably doesn’t get built. The static routes, I believe, are for “non-Peplink-managed” LAN routes – i.e. a second router/network.

The default “internal firewall” rules should work, but if you changed these rules – make sure the traffic you are generating is allowed to pass through.

The other place to check is in the System->Admin Security page – make sure that you have selected the appropriate LAN(s) as “allowed to access”.

But, I did find something a bit odd while verifying the stuff I am mentioning above…
If you go to the System->Ping utility page, select the LAN as the network and then put in the IP of the tagged LAN default gateway. You can also do the opposite – tagged LAN as the network, and try to ping the IP of the untagged LAN default gateway.

Neither of them work – weird, right? It gets even stranger still…

If you take a client machine on the LAN (untagged), you can ping the gateway of the tagged LAN – but it won’t show up in the Event Log->Firewall log. The same is true for a client on the tagged LAN that pings the default gateway of the untagged LAN.

My guess is that these “internal to the Peplink device” addresses are treated “special”. This is most likely another suggestion that they are using bridges “behind the scenes” for their VLAN implementation. If you think about it – it makes sense to do it this way – the traffic never really goes on a wire – it is all “loopback-esque” traffic for the Peplink device – it is both gateway devices. I think it is either a bridge created between the VLAN and the untagged LAN -OR- there is a special “hidden” firewall section for “Internal-Internal Traffic”.

Unless they tell us – we can’t know for sure. I am betting it is either the inter-VLAN setting on the untagged LAN OR the Admin Security setting for only the untagged LAN being able to access the admin portal. I am curious what you ultimately find – good luck, sir.

I appreciate the reply so first of all thank you for taking the time!

Things tried/verified:

1. Inter-VLAN routing is on for all of the VLANs, both tagged and untagged.
2. The firewall rule I tried was an explicit allow for VLAN A to talk to VLAN B and the reverse. I removed that as it had no impact on the issue whatsoever, and the default is any/any.
3. On the security page it is set to “any LAN”, which I’m assuming is any LAN configured on the Peplink itself.

I’ve pretty much got this thing set as any/any for testing right now, as you should for any device, to make sure you’re not gonna have an issue on your side before you even get started. This issue is a weird one, mostly because I have another one of these Peplinks on a different site and through static routing I can get whatever remote subnet I want to talk to whatever LAN interface is needed. I’m currently going from my test machine in the example to the management interface on the remote site. For some reason it is like the Peplink gets confused when you’re trying to access a different LAN when coming from the same local site. That may be by design, and if so that’s fine, just outside of the norm for network devices. On my end the Peplink is configured like a switch: same subnet, same IP ranges. The test machine can get to the switches fine, but the Peplink denies it. In my opinion it has to be the Peplink, but where… and why?

Again, the Peplink can ping the test machine, and in Wireshark I get normal traffic. But in the reverse, the test machine sends the ping and gets no reply. The Peplink has to be blocking it somewhere. This isn’t a super big deal, more of a curiosity; it isn’t hard to access the admin config from the IP on the local LAN, and the InControl remote web admin also works. Just weird, and I’m sure you know how it goes: now I really want to find the solution because it is an odd one. It doesn’t act like you’d think it would, like most other network equipment does. At least in this case.

If I figure something out I’ll for sure post it to let you know. I appreciate the suggestions!

It may have something to do with the captive portal. Perhaps the captive portal being enabled prevents the web admin from being accessible?

Good luck in your adventure. It sounds like either a quirk, a bug, or a feature.