PepVPN link working now broken

Hello world, hope everyone is safe.

I purchased a slightly used newer hardware Balance 20 (3 WAN ports) and connected it to my good old Pepwave SOHO MK via PepVPN. I was so happy for a week when the PepVPN tunnel was working and my locations were all on one big network. Then about a week later the tunnel went down and I was unable to bring it back up again. I tried changing ports, with or without shared secret, DDNS and actual IPs, and even tried backup WAN in case ISP was playing tricks. Router ID has same name as PepVPN name (did not test changing these). No success.

Temporarily back to remote users VPN server. :frowning:

Pepwave SOHO - 8.0.2 build 1480
Pepwave Balance 20 - 8.0.2 build 3667

Hi! Welcome to the forum!

What do you see as the status for the speedfusion profile on both devices? What's in the event logs?
What's changed? New internet connections?

1 Like

Hi, I think I see the problem. New firmware introduced local service firewall rules which I disabled by default without noticing these rules included the PepVPN handshake and ports.

Since we’re on the topic, can someone point me to a little more information on these service rules?

Thx!

Hi,
The local services firewall allows you to block access to the ports used by local services, such as the speedfusion handshake and data ports, DNS server and Web Admin Access.
You can also allow access to these ports from certain IP addresses only. Or force the local services to use a certain WAN connection only…

1 Like

Why are there separate options for PepVPN handshake and data port? If I am trying to establish tunnels wouldn’t I need to duplicate firewall entries?

There are separate options because the handshake and data for SpeedFusion and PepVPN use 2 different ports (respectively TCP 32015 and UDP 4500 by default).

Thanks Erik!

Tangentially a little off-topic, but for services that use several non-consecutive ports like PepVPN above, is there a way to enter them in a single firewall rule delimited by comma or semicolon or whatever so I don't need to enter several rules each with a single port for a single service?

No, you are limited to “any port”, “single ports” or a “portrange”.
You can create "grouped networks" to group several IP addresses and use these as source or destination in your firewall rules, but that doesn't apply to ports.

1 Like
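To make the two points in this thread concrete (the tunnel needs both the TCP 32015 handshake rule and the UDP 4500 data rule, and a rule takes only "any", a single port or a range, while grouped networks apply to addresses only), here is a small Python model of a local-services firewall. It is an added example, not Peplink firmware code or the forum poster's configuration: the default-deny semantics, the `NETWORK_GROUPS` table, the rule names and the RFC 5737 addresses are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Default PepVPN ports as stated in the thread.
PEPVPN_HANDSHAKE = ("tcp", 32015)
PEPVPN_DATA = ("udp", 4500)

# Constructed "grouped network" definitions (RFC 5737 documentation ranges).
NETWORK_GROUPS: Dict[str, Tuple[str, ...]] = {
    "branch-sites": ("203.0.113.0/24", "198.51.100.7/32"),
}

PortSpec = Optional[Tuple[int, int]]  # None = any port, (lo, hi) otherwise


def parse_port_spec(text: str) -> PortSpec:
    """Accept only the forms the thread says the UI offers: 'any', a single
    port, or 'lo-hi'. A comma-delimited list is rejected, which is why a
    two-port service such as PepVPN needs two rules."""
    text = text.strip().lower()
    if text == "any":
        return None
    if "," in text or ";" in text:
        raise ValueError("port lists are not supported; use one rule per port")
    if "-" in text:
        lo, hi = (int(p) for p in text.split("-", 1))
    else:
        lo = hi = int(text)
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port spec: {text!r}")
    return (lo, hi)


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                      # "tcp" or "udp"
    ports: PortSpec
    sources: Tuple[str, ...] = ()   # CIDRs or grouped-network names; empty = any source
    enabled: bool = True

    def _source_ok(self, src: str) -> bool:
        if not self.sources:
            return True
        addr = ipaddress.ip_address(src)
        cidrs: List[str] = []
        for s in self.sources:
            cidrs.extend(NETWORK_GROUPS.get(s, (s,)))   # expand group names to CIDRs
        return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

    def matches(self, proto: str, port: int, src: str) -> bool:
        if not self.enabled or proto != self.proto:
            return False
        if self.ports is not None and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return self._source_ok(src)


def is_allowed(rules: Iterable[Rule], proto: str, port: int, src: str) -> bool:
    """Toy semantics (an assumption, not documented Peplink behaviour): an inbound
    packet to a local service is accepted only if some enabled rule allows it."""
    return any(r.matches(proto, port, src) for r in rules)


def pepvpn_reachable(rules: Iterable[Rule], peer_ip: str) -> bool:
    """The tunnel needs BOTH the handshake port and the data port open to the peer."""
    rules = list(rules)
    return all(is_allowed(rules, proto, port, peer_ip)
               for proto, port in (PEPVPN_HANDSHAKE, PEPVPN_DATA))


def pepvpn_rules(source: str, enabled: bool = True) -> List[Rule]:
    """Two entries, one per port, because a single rule cannot carry a port list.
    `source` may be a CIDR or a grouped-network name."""
    return [
        Rule("pepvpn-handshake", "tcp", parse_port_spec("32015"), (source,), enabled),
        Rule("pepvpn-data", "udp", parse_port_spec("4500"), (source,), enabled),
    ]


if __name__ == "__main__":
    peer = "203.0.113.10"   # constructed peer address inside the "branch-sites" group
    print(pepvpn_reachable(pepvpn_rules("branch-sites"), peer))                  # True
    print(pepvpn_reachable(pepvpn_rules("branch-sites", enabled=False), peer))   # False: rules disabled
    print(pepvpn_reachable(pepvpn_rules("branch-sites")[:1], peer))              # False: handshake only
```

Running it shows the three states the thread walks through: both rules enabled and the peer inside the allowed group brings the tunnel up; disabling the rules (the original poster's situation) or entering only the handshake port leaves it down.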