PepVPN and outbound policies


#1

Is there a way to “balance” traffic across a VPN and a non-VPN link? Example - I want half of my port 80 HTTP traffic to go out WAN1 and the other half to go out a PepVPN on WAN2. The only algorithms that include the tunnel in the list of WAN links are Priority (which doesn’t balance) and Enforced (also not balanced).

Thanks


#2

You can get quite granular with this configuration by identifying the source or destination using these two algorithms. Multiple outbound policy rules would be needed for your scenario.


#3

Yeah, I was hoping to keep it abstract.

The reason I ask is because I am playing with my multi-router configuration and the secondary router will only populate the active sessions (transit) if the traffic comes across as VPN. I have a direct connection (WAN to WAN) between a Balance One and a Balance 30.

I can live without the client list, but seeing the active sessions going through the router is important to me. It is super weird seeing the throughput numbers on the dashboard indicating traffic going through, but nothing in the active sessions. I don’t fully understand why the VPN is required for these sessions to show up in this table.

My goal is to use both routers on my network. I want one WAN on each for outbound traffic that is accessible to my LANs and VLANs. I have tried all kinds of different layouts and the current one is the most performant. I basically want the Balance 30 to act as a bridge to my second internet connection without requiring double NAT. WAN to LAN doesn’t work as expected with IP Forwarding due to the B30 not allowing an ALL trunk (traffic can go out tagged, but isn’t recognized on the way back). LAN to LAN won’t allow me to use outbound policies. WAN to WAN with a direct connect, IP forwarding, and PepVPN allows me to see the active sessions, but then I can’t properly balance traffic across the links. Aaaargh. Two pieces of hardware sharing the load has to be better than a single device - it just has to.

I am also concerned that since it is not in the active sessions table - the firewall is being bypassed. I had an issue where 169.254 addresses were making it out to the internet. I tried to block it on the source router - didn’t work. I tried to block it at the destination router - didn’t work. I tried to block it at the destination router WAN - didn’t work. I had to force the traffic through the VPN to get the firewalls to block it. I ended up building a VLAN for 169.254 (since the devices spewing this crap can’t do VLAN tagging) and excluded that VLAN from my trunk ports. That seems to work best as it is dropped before it ever traverses the first router. What am I missing here? Why is a non-encrypted VPN required to get these sessions to show up in active sessions?
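The leak described in the post above (link-local 169.254.x.x sources reaching a WAN interface) is easy to confirm or rule out from a session or flow export before touching firewall rules. The script below is an added example, not code from the thread or from Peplink: it audits constructed, generic `key=value` session lines (the format is assumed here, it is not Peplink's actual export format) and flags any flow leaving a WAN interface with a non-routable source or a local-scope destination. It generalizes beyond 169.254 to other special-use source ranges (loopback, multicast, reserved) that should equally never egress.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample session log lines (not taken from the thread). The
# key=value layout is an assumption for this example, not a real export format.
SAMPLE_LOG = """\
src=192.168.10.21 dst=93.184.216.34 proto=tcp dport=80 out=WAN1
src=169.254.12.5 dst=239.255.255.250 proto=udp dport=1900 out=WAN1
src=192.168.10.40 dst=151.101.1.69 proto=tcp dport=443 out=WAN2
src=169.254.200.9 dst=8.8.8.8 proto=udp dport=53 out=WAN2
src=192.168.20.7 dst=192.168.20.1 proto=udp dport=53 out=LAN
src=10.0.0.2 dst=224.0.0.251 proto=udp dport=5353 out=WAN1
"""

# Source ranges that must never leave a WAN interface: link-local (the 169.254
# traffic from the thread) plus other non-routable / special-use blocks.
NON_ROUTABLE_SOURCES = [
    ipaddress.ip_network(n) for n in (
        "169.254.0.0/16",  # IPv4 link-local
        "127.0.0.0/8",     # loopback
        "0.0.0.0/8",       # "this" network
        "224.0.0.0/4",     # multicast is never a valid unicast source
        "240.0.0.0/4",     # reserved
    )
]

# Destinations that only make sense on the local segment; a WAN egress to them
# is also a sign that the firewall or routing is not doing what was intended.
LOCAL_SCOPE_DESTINATIONS = [
    ipaddress.ip_network(n) for n in ("169.254.0.0/16", "224.0.0.0/4")
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one 'k=v k=v ...' line into a dict (assumed line format)."""
    return dict(_KV.findall(line))


def is_non_routable_source(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE_SOURCES)


def is_local_scope_destination(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_SCOPE_DESTINATIONS)


def audit_egress(log_text: str) -> List[Dict[str, str]]:
    """Return every WAN-egress flow that should have been dropped, with a reason."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec.get("out", "").upper().startswith("WAN"):
            continue  # only traffic leaving toward the internet matters here
        reasons = []
        if is_non_routable_source(rec["src"]):
            reasons.append("non-routable source")
        if is_local_scope_destination(rec["dst"]):
            reasons.append("local-scope destination")
        if reasons:
            findings.append({**rec, "reason": "; ".join(reasons)})
    return findings


def summarize_by_wan(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count offending flows per WAN interface to see which link is leaking."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["out"]] = counts.get(f["out"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = audit_egress(SAMPLE_LOG)
    for f in hits:
        print(f"{f['out']}: {f['src']} -> {f['dst']}:{f['dport']} ({f['reason']})")
    print(summarize_by_wan(hits))
```

Run against a real export, a non-empty result for a WAN interface confirms the firewall is not seeing those flows on the path they actually take, which is the symptom the poster describes; an empty result means the leak was stopped upstream (for example by the VLAN separation they ended up using).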


#4

@jmjones, can you open a ticket for us to take a closer look? We need to understand more about your design and setup before we can advise further. Please provide the serial number and turn on Remote Assistance on both units.

Thanks.


#5

I have since gone to a WAN to LAN setup. It isn’t hard to replicate. Hook two Balance routers up WAN to WAN. Put an internet connection on each router and balance traffic through all the WAN links. Make sure that you use IP forwarding on the WAN connector and open the firewall on the jumper. I made a small /30 network for the jumper between WANs.

For what it is worth, I do think there is something with the default gateway having two different MAC addresses. I have seen improvement since separating my WAN links to separate routers. It may be caused by gratuitous ARP packets on one of the links. I will run my setup like it is for a bit and see how it works. I did finally figure out all of my issues with the routing protocols between WAN and LAN, so I don’t need any static routes.


#6

@jmjones

Replicating the setup is easy, but getting the actual view, actual traffic flow and the LAN client setup is difficult. Is it possible to provide us Peplink RA access via a support ticket so that we can directly investigate the issue?


#7

I have since moved toward a WAN to LAN setup. I assume that the client list is only for local LANs to WAN, but at least all of the connections show in the active sessions and the performance graphs are accurate.