SpeedFusion VPN: Remote VLAN cannot reach server-side VLAN (172.22.x to 172.20.x)

I am having trouble accessing a server-side VLAN from a remote client over a SpeedFusion VPN. I am not using InControl. Full configuration details are below.

Goal
Allow hosts on the remote VLAN 321 (172.22.0.0/24) to access all 172.20.x.x networks on the server side (Homebase). This does not work today.

What works

  • Hosts on VLAN 321 (172.22.0.0/24) and the untagged LAN (10.43.0.0/24) can reach:

    • Homebase VLAN 1 (10.28.42.0/24)
    • Homebase VLAN 99 (10.28.99.0/24)
  • SpeedFusion is up and stable. Under Status > SpeedFusion VPN, the tunnel is connected and all VLANs appear.

Notes

  • I previously had firewall rules restricting some 192.168.x.0/24 traffic, but all of those rules are now disabled.
  • The only remaining custom rule is an outbound policy on the BR1 that forces VLAN 331 (192.168.32.0/24) into the VPN.
  • That rule should not affect VLAN 321 (172.22.0.0/24), yet VLAN 321 still cannot reach any 172.20.x.x network on Homebase.

Any suggestions on what I may be missing?


Server configuration (Peplink B One – “Homebase”)

LAN and VLANs

  • Untagged LAN (VLAN 1): 10.28.42.0/24
  • VLAN 21: 172.20.0.0/24
  • VLAN 22: 172.20.1.0/24
  • VLAN 23: 172.20.2.0/24
  • VLAN 31: 192.168.31.0/24
  • VLAN 51: 172.20.51.0/24
  • VLAN 99: 10.28.99.0/24

All VLANs use x.x.x.1 as the gateway on the device.

SpeedFusion VPN

  • Single profile between Homebase and BR1
  • Encryption OFF
  • Authentication: Remote ID + pre-shared key
  • NAT disabled
  • Remote IP blank
  • Cost 10
  • Data port Auto
  • No bandwidth limit
  • Packet fragmentation Always

Firewall

  • Outbound: default allow all
  • Inbound: default allow all
  • Internal: default allow all

Remote configuration (Pepwave MAX BR1 MK2 – “BR1”)

LAN and VLANs

  • Untagged LAN: 10.43.0.0/24
  • VLAN 321: 172.22.0.0/24
  • VLAN 331: 192.168.32.0/24

All VLANs use x.x.x.1 as the gateway on the device.

SpeedFusion VPN

  • Single profile between BR1 and Homebase
  • Encryption OFF
  • Authentication: Remote ID + pre-shared key
  • NAT disabled
  • Remote host via dynamic DNS
  • Cost 10
  • Data port Auto
  • No bandwidth limit
  • WAN smoothing OFF
  • Forward error correction OFF
  • Receive buffer 0 ms
  • Packet fragmentation Always

Firewall

  • Outbound: default allow all
  • Inbound: default allow all from any WAN
  • Internal: default allow all
  • IDS/DoS: disabled
  • Local services: default allow all

Outbound policy

  • One custom rule forces VLAN 331 (192.168.32.0/24) into the SpeedFusion tunnel
  • Priority-based
  • SpeedFusion set as highest priority
  • All WAN interfaces excluded
  • Drop traffic if VPN is unavailable
  • Do not terminate sessions on recovery

Hello, @scarleton

Do all VLANs have the Inter-VLAN routing option enabled?

Yes. We know that the host is set because it can get to two different VLANs on the server (Homebase). I also know that the target VLAN 21 (172.20.0.0/24) is set because, while I see it in the Peplink that way, when I remote into a machine on LAN 99 (10.28.99.0/24) on the server, I can ping machines on the target VLAN 21.

Hi…
Please… can you share?
BR1 MK2 software version?
B ONE software version?
Status > Speedfusion?

Thank you…

sure:

Model: Peplink B One
Product Code: B-ONE-T-PRM
Hardware Revision: 1
Firmware: 8.5.3 build 6030
SpeedFusion VPN Version: 9.2.4

Model: Pepwave MAX BR1 MK2
Product Code: MAX-BR1-MK2-LTEA-W
Hardware Revision: 3
Firmware: 8.3.0 build 5121
SpeedFusion VPN Version: 9.2.0

Thanks for the version information…

So… you have an L2 managed switch between the Peplink device and your network… Are all VLANs trunked (VLAN tagged)?

Just figured it out! Turns out I had a One-to-One NAT setup (don’t recall why) on the server for 172.20.0.0/24. Just killed it and all is good!

I also have a BR1 Pro 5G in my RV. I have my Windows AD on 172.20.0.0/24 and I think I was trying to get things set up so that when I authenticate on the camper's (172.22.0.0/24) network, it would automatically find the AD at Homebase.
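As an added example (not code from the thread or from Peplink), a small Python audit that models the subnets listed in the original post and flags a one-to-one NAT rule whose LAN range overlaps a VLAN that the tunnel is expected to route, which is the misconfiguration found above; the NAT rule's WAN range is an assumed placeholder. It also checks for subnets that exist on both sites, a related cause of the same symptom that goes slightly beyond the thread.

```python
from ipaddress import ip_network

# Constructed from the thread's post: server-side (Homebase) and remote (BR1) VLAN subnets.
HOMEBASE_VLANS = {
    1: "10.28.42.0/24", 21: "172.20.0.0/24", 22: "172.20.1.0/24", 23: "172.20.2.0/24",
    31: "192.168.31.0/24", 51: "172.20.51.0/24", 99: "10.28.99.0/24",
}
BR1_VLANS = {1: "10.43.0.0/24", 321: "172.22.0.0/24", 331: "192.168.32.0/24"}

# Hypothetical model of the forgotten One-to-One NAT rule on Homebase. The thread only
# says it covered 172.20.0.0/24; the WAN-side range is a placeholder, not from the thread.
HOMEBASE_NAT_1TO1 = [{"lan": "172.20.0.0/24", "wan": "203.0.113.0/24"}]


def nat_shadowed_vlans(vlans, nat_rules):
    """Map VLAN id -> list of 1:1 NAT LAN ranges that overlap the VLAN's subnet.

    A 1:1 NAT rule rewrites addresses in its LAN range, so a VLAN listed here is
    a candidate for the problem in the thread: removing the rule was the fix."""
    hits = {}
    for vid, cidr in vlans.items():
        net = ip_network(cidr)
        overlapping = [r["lan"] for r in nat_rules if net.overlaps(ip_network(r["lan"]))]
        if overlapping:
            hits[vid] = overlapping
    return hits


def cross_site_overlaps(local_vlans, remote_vlans):
    """(local_id, remote_id) pairs whose subnets overlap; such pairs cannot route over the tunnel."""
    return sorted(
        (lid, rid)
        for lid, lc in local_vlans.items()
        for rid, rc in remote_vlans.items()
        if ip_network(lc).overlaps(ip_network(rc))
    )


def audit(local_vlans, remote_vlans, nat_rules):
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    for vid, ranges in nat_shadowed_vlans(local_vlans, nat_rules).items():
        findings.append(f"VLAN {vid} ({local_vlans[vid]}) is covered by 1:1 NAT {ranges}")
    for lid, rid in cross_site_overlaps(local_vlans, remote_vlans):
        findings.append(f"local VLAN {lid} ({local_vlans[lid]}) overlaps remote VLAN {rid} ({remote_vlans[rid]})")
    return findings


if __name__ == "__main__":
    for line in audit(HOMEBASE_VLANS, BR1_VLANS, HOMEBASE_NAT_1TO1):
        print(line)
```

With the constructed NAT rule in place the audit reports only VLAN 21; with the rule removed it reports nothing, matching the outcome in the thread.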

nice…

Maybe an old configuration…