Point to point from HD4 to Balance 580 when there's an existing Cisco ISR that needs to be kept?


Hi everyone, would love to get some feedback from the community on how to deploy this or if this would be possible. We have a customer that has a head office using a Cisco 4331 ISR today with multiple sites connecting to it over IPSec VPN that they must keep in place. Their WAN is fibre with a /29. Their network is configured as follows:

Data, GW .1
Voice, GW .1
DHCP/DNS on server
Guest wireless (internet access only), GW .1

They have a remote site that is getting fibre internet but we need to use a HD4 with 4 SIMs while the fibre is built out and will then switch it to a Balance 580 as well. We were going to bond the 4 SIM cards using the Balance 580 as the primary site where traffic goes to the Internet. They also have a requirement to do a point to point connection from the remote site back to the head office which I mentioned Peplink could do. They were going to do Layer 2 from the ISP but wanted to see if we can just use the Peplink since we already will have the SpeedFusion tunnel in place.

If I was to deploy a Balance device at their head office in drop in mode, is it possible to do a point to point from the remote site with the HD4, so that this remote site can access all those subnets on the Cisco? I hate integrating with an existing firewall like this but keeping the Cisco is mandatory so would love any feedback on if this is even possible or what extra steps might be required or if this would be overly complicated to do.


To clarify. CISCO at head office acting as internet breakout for the remote site. Temp requirement for a HD4 at remote site until fiber is in, will then be replaced with a B580. Requirement for a Layer 2 VPN between Head office and remote site to bridge existing Data and VoIP vlans to remote site? Is the primary role of the B580 at the head office just VPN or do you need it to do multi-wan work there too?


Hi Martin. No multi WAN on the 580. Normally we use FH to do bonding but since the customer also wanted point to point it seemed to make sense using a Balance at their head office instead. They just can’t remove the Cisco or change it. Thanks!


OK that makes things easier actually. So one way to do this would be to:

  1. Port forward speedfusion ports from CISCO to B580 at head office (so the WAN of the 580 is effectively in a new DMZ/VLAN) so the remote HD4 can build a tunnel.
  2. Create L2 VPN between the B580 and the HD4. plug the LAN of the B580 into a trunk port on the CISCO (or an attached switch) so that all VLANs are passed to the HD4.
  3. Optionally - Plug a managed switch into the HD4 and breakout the VLANs to access ports if needed.

The other approach is to replicate the VLANs on the B580 and HD4 to match those on the CISCO and then create multiple Layer 2 VLANs between the HD4 and B580 (one for each VLAN). Which then lets you break out the VLANs to specific access ports on the HD4 if required - but means more bandwidth overhead in the multiple L2 VPNs.


Thanks Martin this is really helpful. I just have a few follow up questions if you don’t mind, I really appreciate it!

  • When you say port forward speedfusion ports on the Cisco, the customer is already using IPSec to connect to their remote sites, so do you foresee that being an issue if we are forwarding UDP 4500, 500, etc to the Balance if UDP 500 is in use already on their VPN?

  • When you say all VLANs are passed to the HD4, do I need to do any special type of config on the HD4 to enable this or am I manually creating all their VLANs on the HD4 as well. Your last point mentions replicating the VLANs on the HD4 which makes it sound like I’m not doing that in your point #2 suggestion, so just curious how the HD4 knows what the VLANs are.

Lastly, you mention multiple Layer 2 VLANs which lets me break out the VLANs to specific access ports on the HD4 or in point #3 you mention a managed switch to do this. When I’m on the HD4 under ports it shows I can assign VLANs to the LAN ports on it so just wondering why I’d need to do these extra steps vs doing that.

Thanks so much!


I would use different ports for speedfusion data (so change from 4500 to 4501 or something) and forward those.

For VLANs over L2 there are two fundamental approaches:

  1. use a single layer 2 vpn as a transparent bridge point to point so the lan ports on the B580 are virtually bridged to the LAN ports on the HD4. In which case if you plug a B580 lan port into a trunk switch port at the head office that has tagged vlan traffic on it then that tagged vlan traffic will squirt out the LAN ports on the HD4. You could then attach a managed switch to the LAN ports of the HD4 and present the VLANs as access ports if you need to.

The issue with that configuration is a lack of control. A single L2 bridge like that will disable other routing functions on the HD4 (since it is acting as a L2 switch) and the HD4 can not inspect the vlan traffic passing over the bridge so you can’t assign lan ports as access ports and break out the individual VLANs presented at head office on to specific ports on the remote HD4 (although you can assign just specific ports to be used for the overall L2 bridge).

  2. The second approach is to replicate the VLAN configuration on both the B580 and HD4. So create local VLANs on each device (one for data one for voip etc) and create multiple L2 vpn’s between the respective VLANs on each peplink device.

That way since the HD4 is aware of the configured VLANs you can then break those out to individual LAN ports (as access ports) as needed.

The benefit of 1 is that if they add new VLANs at head office on their CISCO those VLANs will be available at the remote site immediately.

The benefit of 2 is that you have full control as to what VLANs are presented to the HD4.
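As an added illustration (not from this thread or from Peplink's own software) of the difference between the two approaches above, this Python model builds 802.1Q-tagged frames and shows what the remote LAN ports see in each layout; the VLAN IDs and port names are made up.

```python
"""Model of the two L2 VPN layouts discussed above.
Approach 1: the tunnel is a transparent bridge, so tagged frames from the
head-office trunk leave the remote device still tagged (and any VLAN added at
head office shows up immediately).  Approach 2: the remote device has matching
VLANs configured, so it can untag a frame onto an access port, and frames for
a VLAN it does not know are simply not delivered."""
import struct

TPID_8021Q = 0x8100  # EtherType that marks an 802.1Q VLAN tag

def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id_or_None, ethertype, payload) for a raw frame."""
    dst, src = frame[:6], frame[6:12]
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]  # low 12 bits = VID
    return dst, src, None, tpid, frame[14:]

def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet frame, inserting an 802.1Q tag when vlan_id is given."""
    hdr = dst + src
    if vlan_id is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan_id)
    return hdr + struct.pack("!H", ethertype) + payload

def transparent_bridge(frame: bytes) -> bytes:
    """Approach 1: the remote LAN port emits exactly what entered the trunk."""
    return frame

def vlan_aware_egress(frame: bytes, access_ports: dict):
    """Approach 2: deliver a tagged frame, untagged, to the access port configured
    for its VLAN.  access_ports maps {vlan_id: port_name} (hypothetical names).
    Returns (port, untagged_frame), or None when no local VLAN matches."""
    dst, src, vid, ethertype, payload = parse_frame(frame)
    if vid is None or vid not in access_ports:
        return None
    return access_ports[vid], build_frame(dst, src, ethertype, payload)

def vlans_seen_remote(frames, access_ports=None):
    """VLAN IDs that reach the remote site: every tag for the transparent bridge
    (access_ports=None), only the configured ones for the VLAN-aware layout."""
    seen = set()
    for f in frames:
        vid = parse_frame(f)[2]
        if access_ports is None:
            vid = parse_frame(transparent_bridge(f))[2]
            if vid is not None:
                seen.add(vid)
        elif vlan_aware_egress(f, access_ports) is not None:
            seen.add(vid)
    return seen
```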


Great thanks so much!


Martin quick question for you if you don’t mind as the customer wants to go ahead with this which is great. We just were wondering a few things:

  1. At their head office, they have a /29 with many free IPs they said. So we could connect the B580 direct to their fibre gateway and assign it a public IP vs doing port forwarding from their Cisco correct? Then still connect the LAN port from the B580 to their Cisco or managed switch to pass the VLANs?

  2. At the remote site with 4 LTE we will bond them back to the B580 to do the L2 tunnel and pass the VLANs to a managed switch connected to the HD4. Are we able to do split tunneling still though, so internet traffic from the HD4 just load balances, with only internal traffic like voice going over the SpeedFusion tunnel with the tagged VLANs? Or does this setup basically disable routing on the HD4 as you mentioned, meaning the only way to get internet access via the HD4 would be by sending it all through SpeedFusion and out through their head office?

Thank you so much I REALLY appreciate it, you’re legit the Peplink God. :)


Yes that’s right. Easier that way - less config.

As for split tunnelling - the answer is yes you can load balance internet access direct out via the cellular connections and only use speedfusion VPN for site to site traffic.

What I’m not sure about is do you want to extend the existing VLANs (data and VoIP) from the head office location to the HD4 location (ie Layer 2 bridging so same subnet in both locations with the VPN acting as a transparent bridge / virtual Ethernet cable) or do you want to have separate routed subnets at the HD4 that can route back to the head office location (so layer 3 routed VPN with different address ranges at both locations) or do you want a combination of the two where the VoIP VLAN is bridged between the locations but site to site data is over routed Layer 3 and internet access is direct out to the internet?


Thanks Martin,

The customer basically just wants a long distance ethernet cable between their 2 locations. So when I described your setup, and advised that the HD4 would then connect to a managed switch to handle the VLANs at the remote site, they thought that was perfect and said they already have a managed switch in place and that this is exactly what they want. So yes to the layer 2 bridging you mentioned as the first option.

It’s not a big deal if we can’t split tunnel, I just wasn’t 100% sure as it sounded like the HD4 would lose routing functions this way.

As a quick aside, the customer needs this urgently now as it’s only temporary, and I’m just wondering if using a BR1 ENT or a HD2 at the head office instead of a B580 would work the same or if I should stick to a Balance?

(Diagram: LAN extended VLANs site)

OK. Yes you can use a BR1 ENT or HD2 at the head office for a basic L2 site to site VPN.
This is how it would look if you create a L2 VPN between the default untagged LAN on both devices.
Since devices connected to the Data and VoIP VLANs will be encapsulated in the L2 tunnel they can not break out locally. All internet traffic from the remote site will go over the L2 tunnel and out via the CISCO at the head office.

Another approach would be to extend just a single VLAN from the head office over a L2 connection and then have a L3 VPN for site to site traffic.

In that configuration local data traffic on the HD4 (on the subnet) would be able to break out to the internet over the cellular WANs on the HD4, and those devices would also be able to route to the data network at head office on the CISCO (you would need a device with 2 x WAN ports at the head office).

That would look like this:


Thanks Martin this is great. I think we’ll do option 1 as I don’t really understand what’s happening in the Layer 3 version and this is just for temp so an easier deployment is best.

Does either device need any special configuration to make this work? Or am I literally just making the SpeedFusion tunnel between the BR1 and the HD4 and setting the HD4 to send all traffic via SpeedFusion? Connecting the BR1’s LAN to the Cisco trunk port, and then connecting the HD4 LAN1 to a managed switch at the remote site, will automatically allow VLAN tagging to go across the L2 tunnel with no special settings or options needing to be enabled?



No need to do this. When you configure the L2 tunnel between the untagged LANs on the two devices it acts like a virtual Ethernet cable is linking the LAN ports between the devices; no additional configuration is needed.

Apart from the usual WAN configuration requirement, and setting up the L2 SF profiles you don’t need to do anything else to the Peplink devices.


Hi Martin,

Sorry to barge in on this thread, I just have a very similar requirement that I need to implement where tagged VLAN traffic is made available over L2 SpeedFusion in the branch office. In your approach 1, you mentioned that if the LAN port of the B580 is plugged into a trunk port on a switch with tagged traffic, those tagged VLANs will be made available to the HD4 as well? Do I need to plug the HD4 LAN port into a trunk port on a switch as well?

Rough scenario:

Main office: switch trunk port (tagged vlan 88-92) --> lan port B580 hw1 firmware 6.3.4 ======l2 speedfusion===== Branch office: B380 hw5 firmware 6.3.4 lan port <---- switch port “???”


Only if you need VLAN access ports at the other location rather than just the extended trunk.

If you do need access ports, then a managed switch that can present your trunked VLANS is needed (in approach 1 above).


Thank you, Martin! Everything works for me now. Just for the benefit of anyone that might have the same requirement as mine, here are the givens:

We have a zonedirector deployed in the main office where 4 different SSIDs are configured under 4 different VLANs (87-90) and I need them to be made available in the remote office as well.

Config before: Main office (Firewall --> tagged vlan92 —> ethX tagged port switch | ethY untagged vlan 92 —> default untagged lan peplink 380) <====L3 SpeedFusion VPN====> Remote office (lan peplink 380 —> L2 managed switch default vlan)

Config AFTER: Main office (Firewall --> tagged vlan92, 87-90 —> ethX tagged port switch | ethY untagged vlan 92, tagged vlan 87-90 —> default untagged lan peplink 380) <====L2 SpeedFusion VPN====> Remote office (lan peplink 380 —> L2 managed switch port default vlan 1, tagged vlan 87-90)

In summary, with our existing (after) setup right now, all workgroup LAN traffic from the remote office flows through untagged VLAN 92 in the main office. And when they connect to wifi, all their traffic falls through to their respective tagged VLANs.