PepVPN behind 2 firewalls routing issues

Not sure what I have set wrong. We are currently using Palo Alto firewalls at both sites and were using a built-in VPN, but it was having some issues so we decided to try using two Peplink Balance 20s and the PepVPN. We still want to use the Palo Alto firewalls for everything except the VPN. I put the 1st Peplink behind the firewall and plugged WAN 1 into our 192.168.1.0/24 network, assigned it a static IP and got connected to the network. I put the remote Peplink behind the remote Palo Alto firewall and plugged WAN 1 into the 192.168.10.0/24 network, gave it a static IP and connected to that network. I forwarded ports 32015 and 4500 from the firewalls to the Peplinks and set up a PepVPN profile with the public IPs of the firewalls. I got a PepVPN to establish. I just can't seem to route any traffic through them. I would appreciate any help.

First thing to check is that traffic can actually pass over the PepVPN. Log in to the web UI of one of the Peplinks and from there ping the LAN IP of the remote Peplink.

Assuming you can ping the remote LAN IP from the Balance itself, the next most likely suspect is the local routing configuration between the Palo Alto and the Balance.

What default gateway is set on the LAN device you are using to test with? With a laptop or PC connected directly to the Balance LAN and with default settings you should get a DHCP address assigned. What default gateway do you get? Is it the IP of the Palo Alto or the Balance? It of course needs to be the Balance if you want traffic to find a route to the remote site. Can you ping from that device to the remote Balance LAN IP (which should be in a different subnet than the local Balance LAN)?

In situations like these, where there is a 3rd party firewall / default gateway in place and the Balance is only being used for site-to-site VPN traffic, my favoured configuration is single-legged, so the Balance at each site only has a single WAN connection active. Which looks like this:

  1. Set a static IP on the WAN1 of the Balance (for this example we'll pretend your Palo Alto is on 192.168.1.1 and set the WAN1 Balance IP to 192.168.1.254).
  2. Change the WAN1 mode from NAT to IP forwarding.
  3. In OSPF settings on both Balance routers advertise the WAN1 subnet to PepVPN peers (so that the remote site(s) know about it).
  4. On your Palo Alto set a static route for the remote subnet (eg 192.168.2.0/24) with the WAN IP of the Balance as the next hop (so 192.168.1.254 in this case). Repeat at remote site.
  5. Set the LAN subnet ranges on the Balance routers to be unique from each other and from your main site IP ranges (eg in this case 172.168.1.1 & 172.168.2.1). I do this so that I can plug a laptop into the LAN of the Balance when testing; nothing needs to be connected to the LAN of either Balance under normal operation as all traffic comes in via the WAN1 port(s).

BTW, a useful place to check the status of the PepVPN (and what networks are being advertised over it) is the Status → SpeedFusion / PepVPN page on the device UI.

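To see why the single-legged design depends on the static routes at both firewalls, here is an added example (not Peplink or Palo Alto code, and not part of the original thread) that models the route tables above with longest-prefix matching and traces a session in both directions. The "pepvpn" entries stand for routes learned over the tunnel, the LAN ranges 172.168.x.0/24 and the host addresses are constructed, and it assumes the Balance LAN subnets are also advertised across the tunnel.

```python
import ipaddress
from copy import deepcopy

# Constructed routing tables for the single-legged design described above.
# Palo Alto 192.168.1.1, Balance WAN1 192.168.1.254, Balance LAN 172.168.1.1;
# the remote site mirrors them with .2. "pepvpn" = learned over the tunnel,
# "internet" = the firewall's default route (traffic that leaves the tunnel path).
ROUTES = {
    "pa-main": [("192.168.1.0/24", "connected"), ("192.168.2.0/24", "192.168.1.254"),
                ("0.0.0.0/0", "internet")],
    "balance-main": [("192.168.1.0/24", "connected"), ("172.168.1.0/24", "connected"),
                     ("192.168.2.0/24", "pepvpn"), ("172.168.2.0/24", "pepvpn"),
                     ("0.0.0.0/0", "192.168.1.1")],
    "balance-remote": [("192.168.2.0/24", "connected"), ("172.168.2.0/24", "connected"),
                       ("192.168.1.0/24", "pepvpn"), ("172.168.1.0/24", "pepvpn"),
                       ("0.0.0.0/0", "192.168.2.1")],
    "pa-remote": [("192.168.2.0/24", "connected"), ("192.168.1.0/24", "192.168.2.254"),
                  ("0.0.0.0/0", "internet")],
}
ADDRS = {"192.168.1.1": "pa-main", "192.168.1.254": "balance-main", "172.168.1.1": "balance-main",
         "192.168.2.1": "pa-remote", "192.168.2.254": "balance-remote", "172.168.2.1": "balance-remote"}
PEER = {"balance-main": "balance-remote", "balance-remote": "balance-main"}  # the PepVPN link

def lookup(table, dst):
    """Longest-prefix match: the most specific route wins, the default route last."""
    dst = ipaddress.ip_address(dst)
    best = max((ipaddress.ip_network(p) for p, _ in table if dst in ipaddress.ip_network(p)),
               key=lambda n: n.prefixlen)
    return dict(table)[str(best)]

def trace(routes, gateway, dst):
    """Follow a packet for dst from the sender's default gateway; returns (delivered, hops)."""
    hops, dev = [], ADDRS[gateway]
    for _ in range(8):                       # bound the walk in case of a routing loop
        hops.append(dev)
        nh = lookup(routes[dev], dst)
        if nh == "connected": return True, hops
        if nh == "internet": return False, hops + ["internet"]
        dev = PEER[dev] if nh == "pepvpn" else ADDRS[nh]
    return False, hops + ["loop"]

def session_ok(routes, src, src_gw, dst, dst_gw):
    """HTTPS/RDP need BOTH directions to deliver; a ping from the Balance itself
    only exercises the tunnel and can succeed while the reply path is broken."""
    fwd, fwd_hops = trace(routes, src_gw, dst)
    rev, rev_hops = trace(routes, dst_gw, src)
    return fwd and rev, fwd_hops, rev_hops

def without_static_route(routes, device, prefix):
    """Copy of the tables with one static route removed (e.g. forgotten on a firewall)."""
    r = deepcopy(routes)
    r[device] = [e for e in r[device] if e[0] != prefix]
    return r
```

Running `session_ok` with the remote firewall's static route removed shows the forward path still reaching the remote Balance while the reply leaks to the firewall's default route; a PC on the Balance LAN reaching the local subnet fails the same way because the Palo Alto has no route back to 172.168.1.0/24.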

Ok, I almost have it working, just want to double check some settings. Your diagram is perfect; using it as reference, I set the Balance's WAN1 IP as a static IP of 192.168.1.254 with its gateway as the regular network gateway and the network's DNS. I turned on IP forwarding (the option below it to apply NAT on remote … is checked). Repeated on the remote Balance. I set the OSPF to advertise the WAN1 subnet, not sure if I set this right? I set the Palo Alto static route to send the remote subnet to the WAN1 IP. And set the LAN subnets to be unique from each other and the main subnet. When I plug my PC into the LAN port it gives me an IP within this range and a gateway as the LAN IP that I set. The tunnel is established, I plugged my PC into the LAN and I can ping the remote Balance and the remote subnet devices. Now the part that isn't working … I can't connect to any of the remote devices either using HTTPS or RDP. I am thinking it has to do with the Palo Alto routing but I wanted to make sure all the other settings were right. Find some screenshots below.

Almost there!
It's the route advertisement you need to change, not the OSPF interfaces; you can leave that as just PepVPN (although if you're feeling keen you can use OSPF to advertise the routes to your Palo Alto, so you don't need to set the default routes there manually, if you want to configure it on that, but I don't know enough about the PA box to advise how).

Then in the network advertising field, where it's currently set to default (—), that means all LAN/VLAN networks will be advertised when no network advertising is chosen. In your case you want the WAN networks to be advertised across the VPN as those are the ones we're interested in, so you need to set that to WAN1.


Ok, a couple more questions. First, is the checkbox under IP forwarding that states "Apply NAT on Remote PepVPN peers' outgoing Internet traffic: remote PepVPN peer(s) may route their outgoing Internet traffic to this unit. When this checkbox is checked their traffic will be NAT'd before forwarding out of this WAN. Leave this checkbox checked if you are not sure." supposed to be checked?
So I think I have an issue with the static routing on my firewall. From the Peplink's UI on the normal network I can ping from the WAN1 connection to the remote Peplink, to devices on the remote subnet, and to the local subnet. I am also able to ping and traceroute from the PepVPN connection to the remote Peplink, to devices on the remote subnet, and to the local subnet. However I am unable to HTTPS or RDP or access the remote subnet. But when I hook up a PC to the LAN on the primary Peplink I am able to HTTPS and RDP into the remote subnet, but I can't access the local subnet. Any idea? I think it is either my firewall's static route or the port forwarding I have set up. I have a static route set up to forward anything for the remote subnet to the WAN1 IP. Any help would be appreciated.

Turn this off. You don't want traffic that comes over the PepVPN to be NATted.
