Please give me feedback on this diagram I made. I had my network of multiple VLANs all going through my Peplink, and it was doing site-to-site VPN to 3 other locations. The traffic from the internal network, with no layer 3 switching on the Peplink, put considerable load on the Peplink, and when you did bandwidth tests it was already 30-40% CPU tapped out with internal routing between VLANs. I then tried to widen my subnets as much as possible and flatten those networks down, which helped a lot… but I wonder if this idea works?
Routing all traffic through layer 2 and layer 3 switches, then up to a pfSense (or pick your firewall)… then give that firewall a static route out to all the remote networks via that Peplink on the VLAN 1 data network.
Then tell the Peplink about any VLANs or other subnets routed behind the pfSense, with the pfSense as the next hop.
Would this be a viable solution, or am I going about this wrong? Should I be looking at drop-in mode only and static routes down from there?
L3 separation should certainly help performance. Moving the inter-VLAN routing into your switch is probably best, assuming it has features to sufficiently isolate traffic between the VLANs. Depending on the model of Peplink and how much traffic you are looking at, simply offloading that task from the Peplink might buy you enough performance to not require the extra firewall.
I'd possibly suggest a slightly different approach: build some dedicated link nets between the core and the firewall and between the core and the Peplink, and just do all the routing on the core switch.
You could also bring up OSPF/BGP between all the components for dynamic routing, point a default route from the core towards your pfSense, and add some static routes from the core towards the Peplink for any VPN-connected traffic.
How well that works might depend on the features of the UniFi L3 switch, particularly for making sure VLANs are isolated from each other as required.
The ‘right’ way to do this is a Peplink device upgrade. A B2500 would sort out the performance issues.
However, if you can’t upgrade, your plan makes sense to me. Keep the Peplink doing its job of site-to-site VPN, give it all the ISP connections (port forwarding the SpeedFusion ports from the firewall to it), and then use static routes or OSPF on the LAN to share the routes between the firewall and the Peplink.
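Both replies above converge on the same static-route design: the core switch owns the VLAN interfaces, a default route on the core points at pfSense, the remote VPN subnets on the core point at the Peplink over a dedicated link net, and both edge devices carry return routes for every local VLAN back to the core. The following is an added example, not code from the thread or from any of the vendors mentioned, that models those three routing tables and checks the two things that usually go wrong when this is set up by hand: a VLAN that an edge device cannot hand back to the core, and an asymmetric path (forward via one device, return via another), which a stateful firewall will drop. All addresses, VLAN names, site names and the `/30` link nets are constructed for the example and are assumptions; substitute your own.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed, assumed addressing for illustration only (not from the thread).
LOCAL_VLANS = {
    "vlan10-data":  "10.10.0.0/16",
    "vlan20-voice": "10.20.0.0/16",
    "vlan30-guest": "10.30.0.0/16",
}
REMOTE_SITES = {          # subnets reached over the Peplink's site-to-site VPN
    "siteB": "10.101.0.0/16",
    "siteC": "10.102.0.0/16",
    "siteD": "10.103.0.0/16",
}
# Dedicated /30 link nets, one per neighbour, so the core is the only inter-VLAN router.
CORE_FW_LINK  = ("10.255.0.0/30", "10.255.0.1", "10.255.0.2")   # net, core side, pfSense side
CORE_PEP_LINK = ("10.255.0.4/30", "10.255.0.5", "10.255.0.6")   # net, core side, Peplink side

# A route is (prefix, next hop). The next hop is a neighbour's IP on a link net,
# or an egress label: "local" (delivered), "wan", "speedfusion".
Route = Tuple[ipaddress.IPv4Network, str]

# Map link-net IPs back to the device that owns them, so traces can hop between tables.
NEIGHBOUR = {CORE_FW_LINK[1]: "core", CORE_PEP_LINK[1]: "core",
             CORE_FW_LINK[2]: "pfsense", CORE_PEP_LINK[2]: "peplink"}


def build_tables() -> Dict[str, List[Route]]:
    """Routing tables for the 'all routing on the core' design from the replies."""
    net = ipaddress.ip_network
    default = net("0.0.0.0/0")

    core: List[Route] = [(net(p), "local") for p in LOCAL_VLANS.values()]
    core += [(net(CORE_FW_LINK[0]), "local"), (net(CORE_PEP_LINK[0]), "local")]
    core += [(net(p), CORE_PEP_LINK[2]) for p in REMOTE_SITES.values()]   # VPN sites -> Peplink
    core.append((default, CORE_FW_LINK[2]))                                 # everything else -> pfSense

    pfsense: List[Route] = [(net(CORE_FW_LINK[0]), "local")]
    pfsense += [(net(p), CORE_FW_LINK[1]) for p in LOCAL_VLANS.values()]   # return routes -> core
    pfsense.append((default, "wan"))

    peplink: List[Route] = [(net(CORE_PEP_LINK[0]), "local")]
    peplink += [(net(p), CORE_PEP_LINK[1]) for p in LOCAL_VLANS.values()]  # return routes -> core
    peplink += [(net(p), "speedfusion") for p in REMOTE_SITES.values()]
    peplink.append((default, "wan"))   # assumed: the Peplink keeps its own ISP uplinks
    return {"core": core, "pfsense": pfsense, "peplink": peplink}


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match; None if nothing (not even a default) covers dst."""
    best: Optional[Route] = None
    for prefix, nh in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best[1] if best else None


def trace(tables: Dict[str, List[Route]], start: str, dst: str) -> List[str]:
    """Follow next hops from `start` until the packet is delivered locally, leaves via an
    egress (wan / speedfusion), is dropped, or loops. Returns the device path plus outcome."""
    ip = ipaddress.ip_address(dst)
    path: List[str] = []
    device = start
    while device not in path:
        path.append(device)
        nh = lookup(tables[device], ip)
        if nh is None:
            return path + ["drop"]
        if nh in ("local", "wan", "speedfusion"):
            return path + [nh]
        device = NEIGHBOUR[nh]
    return path + ["loop"]


def symmetric(tables, a_dev: str, a_ip: str, b_dev: str, b_ip: str) -> bool:
    """A->B must traverse the same devices as B->A in reverse; otherwise a stateful
    firewall on the path only sees one direction and drops the reply."""
    fwd = trace(tables, a_dev, b_ip)
    rev = trace(tables, b_dev, a_ip)
    return fwd[:-1] == list(reversed(rev[:-1]))


def missing_return_routes(tables) -> Dict[str, List[str]]:
    """Local VLANs that each edge device would NOT hand back to the core
    (it would instead follow its default out to the WAN, or drop)."""
    out: Dict[str, List[str]] = {}
    for dev, core_side in (("pfsense", CORE_FW_LINK[1]), ("peplink", CORE_PEP_LINK[1])):
        out[dev] = [name for name, p in LOCAL_VLANS.items()
                    if lookup(tables[dev], ipaddress.ip_network(p)[1]) != core_side]
    return out


if __name__ == "__main__":
    t = build_tables()
    print("vlan10 -> siteB :", " > ".join(trace(t, "core", "10.101.4.7")))
    print("vlan10 -> internet :", " > ".join(trace(t, "core", "203.0.113.9")))
    print("missing return routes:", missing_return_routes(t))
```

Running the module prints the forward paths; the useful part is `missing_return_routes` and `symmetric`, which catch the classic mistake of adding the VPN routes on the core but forgetting to tell the Peplink (or pfSense) that VLANs 10/20/30 now live behind the core's link-net address. If you later move to OSPF as the second reply suggests, the same checks apply to the learned tables: every local prefix must resolve, on each edge device, to the core's side of its link net.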