You have an older HW version with a single LAN port; the latest version has 3 LANs. Not the end of the world: you could use a spare WAN for the remote site traffic, but it would restrict you to layer 3 topologies.
To do this you would:
- Connect a spare WAN (e.g. WAN2) to a new or existing VLAN on your switch stack.
- Set the WAN to IP forwarding (so disable NAT).
- Create an outbound policy rule for traffic from the Watchguard to only use WAN1.
- Create an outbound policy rule for all other traffic to be sent via WAN2.
- Add a static route to your switch stack / Watchguard that sends remote site traffic via the WAN2 IP.
OR you could put a managed switch on the LAN of the B305 to give you the ports you need to make the original plan work.
In answer to your earlier questions:
They could if you wanted. With a Layer 2 PepVPN you are creating a transparent bridge between physical ports at the remote site and/or VLANs at the remote site. If you bridged physical ports, you could then pass multiple VLAN-tagged traffic across the Layer 2 VPN. Or you could bridge a single VLAN. Whatever works best for you.
Yes, when using Layer 2. Although you could bridge a single VLAN over Layer 2 for some devices at a remote site (which would then access the internet via your current Watchguard), and let others break out directly to the internet locally (using Layer 3).
It depends. You will add latency to the internet traffic, and your current site would need to have enough bandwidth to cope in that internet relay role. The Balance 305 will also need to support enough PepVPN/SpeedFusion throughput. The other thing to worry about is multicast/broadcast traffic, since in L2 that will traverse the VPN also. This can be desirable (for easy network discovery and some special types of traffic / discovery protocols like SONOS) but is often a waste of bandwidth.
Yes. You’ll immediately lose 19% of available bandwidth to VPN overhead and latency will increase which will ultimately affect bandwidth availability also.
Yes, but you can still choose to force internet traffic over the VPN to break out at your current site via the Watchguard. Or not. Layer 3 gives you more granular control of where different types of traffic will be routed.
Sure. A device with full SpeedFusion capability can be much more resilient than one without. You can take advantage of bandwidth bonding and packet-level failover for VPN, so your VPN sessions stay up even when a WAN link fails. This can make VoIP uninterruptible and keep file transfers and such going even when WAN links are unreliable. When combined with 4G (either USB dongles or, if using the MAX devices, embedded modems) you can keep a remote site seamlessly connected to your head office even when the fixed-line internet connection fails.
You size Peplink devices by the number of WAN ports, the number of supported remote peers (i.e. remote sites that you want to connect to), their SpeedFusion/PepVPN throughput capability and their standard routing throughput capability. Same with the MAX range of products, but then you can also consider the number of 4G WAN connections too.