Two Balance 20's on same network in separate buildings

I have two Balance 20s in two separate buildings connected by a wireless bridge, each with its own internet connection. Currently I have this all on a single subnet, one building with static IPs and the other DHCP. If one connection goes down it's a small amount of work to redirect one of the buildings. Is there a way to set this up in the routers so that it is done automatically?

Thanks
Mike

1 Like

Yes you can do this with a layer 2 PepVPN across the p2p wifi link.

However, a side effect of the configuration is that since the LAN clients can only have a single gateway, site B will send all of its internet traffic over the wifi link and then out to the internet on site A's internet connection. So the internet connection at site B would only be used by PepVPN traffic in the event the wifi link fails.

If the P2P wifi link were to fail, the L2 PepVPN can automatically rebuild over the internet connectivity, so you would have resilience in the site-to-site connectivity.

A much better configuration would be separate subnets at each site and a layer 3 VPN between them. That way each site can route traffic to the other site over the VPN and each site uses its own internet connection for direct internet access. If a WAN link were to fail, the site-to-site L3 link would still stay up.

What is driving the requirement for the L2 bridge? What are you trying to achieve?

3 Likes

We have servers at each location that run client software. Some clients have to connect to the servers at the remote location, and I had a real problem with latency using the PepVPN over the internet.

I agree that option two would be the best choice, as long as I don’t have a latency problem.

Using Martin's second diagram, you could program the PepVPN to use priority on the WAN2 wifi. You wouldn't have internet latency because client-server traffic is not on the internet unless the wifi link goes down.

2 Likes

I can't get the PepVPN to go past "starting". I can ping the remote IP from either building. WAN 2 is showing a failed DNS test on both routers. Any ideas?
Thanks

Hi @mreynold1955

If you are using the Layer 3 option, both devices need to have different network addresses. Could that be the cause?

Steve

1 Like

Hi Steve,
Not in the same subnet?

Do you mean it can’t be on the same subnet?

WAN2 is the private point-to-point link, yes? In which case the DNS health check for WAN2 won't work, since if the P2P link is directly connecting WAN2 on site A to WAN2 on site B then there is no DNS in place on that network segment.

I would normally set a static IP on both WAN 2 ports on either router and then use the ping health check so that site A pings the static IP on site B to check the link is up (and vice versa).

1 Like

I did that and I could ping the WAN port at the opposite site from each site. Should I turn off the health check? I'm going to wait until the one internet service is back up so that I don't have to drive back and forth to get this done. LOL. I just shut down the DHCP on that end and redirected through the wireless link. I really appreciate your help!

Mike

OK, great. So if ping works then the ping health check will work and that's the one to use. I would use a health check for this since you want to know if the link fails for whatever reason.

Once the tunnel is up you need to decide on Layer 3 (routed, different subnets) or Layer 2 (single bridged extended subnet) over the PepVPN tunnel. The default is L3, so traffic will be able to route between site A and site B so long as the main subnets at each site are different.

For Layer 2, do a search on here or in the manual for the guide, but you would log into the web UI on site B, go to network settings, and there is a hidden link behind a blue question mark icon that enables you to configure Layer 2.

2 Likes

I switched the networks to different subnets and created the second WAN connection with a working tunnel, but something is wrong with the network translation because sites like MSN are taking too long to respond. Everything works fine if I disable WAN2.

Site #1 WAN #1: DHCP IP Address 162.253.45.193, Subnet Mask 255.255.255.0, Default Gateway 162.253.45.1, DNS Servers 207.191.192.137 207.191.192.140
Site #1 WAN #2: IP Address 192.168.1.3, Subnet Mask 255.255.255.0, Default Gateway 192.168.1.1, DNS Servers 192.168.1.2
Site #2 WAN #1: IP Address 204.12.190.8, Subnet Mask 255.255.248.0, Default Gateway 204.12.184.1, DNS Servers 209.244.0.3 209.244.0.4
Site #2 WAN #2: IP Address 192.168.1.2, Subnet Mask 255.255.255.0, Default Gateway 192.168.1.1, DNS Servers 192.168.1.3
Local LAN: Site 1 10.14.30.0 255.255.255.0 10.14.30.1; Site 2 10.14.20.0 255.255.255.0 10.14.20.1

Thanks, Mike

It's most likely because your WAN2 link at either location cannot currently allow traffic to route to the internet.

The easiest way to fix this is to set an outbound policy (priority based) on both Balance 20s for general internet access (source any : destination any) to use WAN1 first and then the VPN connection.

That way clients at both sites will favour their own local internet connection for internet access but still be able to route traffic to the LAN at the other site over the VPN (for server / device access), and if the WAN link fails, they will then send internet traffic over the VPN connection too (so use the remote site's WAN for internet access).

2 Likes
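As an added illustration of two points made above, the WAN2 health check (a DNS test cannot pass on a private point-to-point segment with no resolver, while a ping test can) and the priority outbound policy (WAN1 first, then the VPN, with traffic for the remote LAN always routed through the tunnel), here is a small Python model. It is constructed for this thread and is not Peplink code or configuration; the addresses are the ones posted above, but the reachability tables, the round-robin behaviour used to stand in for "no explicit policy", and the function names are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass, field

# LAN subnets as posted in the thread.
SITE1_LAN = ipaddress.ip_network("10.14.30.0/24")
SITE2_LAN = ipaddress.ip_network("10.14.20.0/24")


@dataclass
class WanLink:
    name: str
    health_check: str                     # "dns" or "ping"
    check_target: str                     # resolver or host the check talks to
    answers_dns: set = field(default_factory=set)   # resolvers that answer over this link (constructed)
    answers_ping: set = field(default_factory=set)  # hosts that reply to ICMP over this link (constructed)
    has_internet_route: bool = False      # can this link actually reach the internet?

    def healthy(self) -> bool:
        """A DNS check needs a resolver that answers on this link; a ping
        check only needs an ICMP reply from the target."""
        if self.health_check == "dns":
            return self.check_target in self.answers_dns
        if self.health_check == "ping":
            return self.check_target in self.answers_ping
        raise ValueError(f"unknown health check {self.health_check!r}")


def site1_links(wan2_check: str = "dns", wan1_up: bool = True) -> dict:
    """Site 1 as described in the thread: WAN1 is the ISP link, WAN2 is the
    private point-to-point bridge whose far end is site 2's WAN2 at
    192.168.1.2. No resolver lives on that segment, so a DNS health check
    on WAN2 can never pass, while a ping to 192.168.1.2 does.
    Reachability sets are constructed for the model."""
    wan1 = WanLink("WAN1", "dns", "207.191.192.137",
                   answers_dns={"207.191.192.137", "207.191.192.140"} if wan1_up else set(),
                   answers_ping={"162.253.45.1"} if wan1_up else set(),
                   has_internet_route=True)
    wan2 = WanLink("WAN2", wan2_check, "192.168.1.2",
                   answers_ping={"192.168.1.1", "192.168.1.2"})
    return {"WAN1": wan1, "WAN2": wan2}


def select_egress(dst: str, links: dict, policy: list, vpn_up: bool = True):
    """Priority outbound policy (source any : destination any). Traffic for
    the remote LAN always takes the routed PepVPN; anything else gets the
    first healthy member of `policy`, where "PepVPN" means the tunnel to the
    other site (whose own WAN1 then provides the internet route)."""
    ip = ipaddress.ip_address(dst)
    if ip in SITE2_LAN:
        return "PepVPN" if vpn_up else None
    for name in policy:
        if name == "PepVPN":
            if vpn_up:
                return name
            continue
        if links[name].healthy():
            return name
    return None


def balance_sessions(links: dict, sessions: int) -> list:
    """Assumed behaviour with no explicit policy: sessions are spread
    round-robin over every WAN the health check reports healthy, bridge included."""
    healthy = [n for n, link in links.items() if link.healthy()]
    return [healthy[i % len(healthy)] for i in range(sessions)] if healthy else []


def internet_works(egress, links: dict, vpn_up: bool = True) -> bool:
    """Whether a flow sent out `egress` actually reaches the internet. Over
    the PepVPN it is carried by the remote site's WAN1, the failover the
    thread describes."""
    if egress is None:
        return False
    if egress == "PepVPN":
        return vpn_up
    return links[egress].has_internet_route


if __name__ == "__main__":
    links = site1_links("ping")
    print("WAN2 dns check:", site1_links("dns")["WAN2"].healthy())  # False: the "failed DNS test"
    print("WAN2 ping check:", links["WAN2"].healthy())              # True
    print("no policy:", [internet_works(e, links) for e in balance_sessions(links, 4)])  # [True, False, True, False]
    policy = ["WAN1", "PepVPN"]
    print("policy, WAN1 up:", select_egress("93.184.216.34", links, policy))   # WAN1
    down = site1_links("ping", wan1_up=False)
    print("policy, WAN1 down:", select_egress("93.184.216.34", down, policy))  # PepVPN
```

The model shows why the symptom appeared only after the ping health check made WAN2 "healthy": with no policy, every other session lands on a link that has no route to the internet and times out, whereas the priority rule keeps internet traffic on WAN1 and only falls back to the tunnel when WAN1's own check fails.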

Really appreciate your help, Martin!!! Seems to be working well now!!!

1 Like

Hi Martin, I followed this guide and everything is now working perfectly, but I have one problem: how can I access the wireless link's portal? Because of the use of a static IP on the WAN, I don't know how I can now access it to modify the parameters of this link. If I enter the static IP established on the WAN, I am redirected to the Peplink router portal instead of the link portal.

@JUAN_PABLO_YA_EZ_CHAPITAL

What is this link? My guess is you need an outbound policy to force access to it onto a specific WAN.

@MartinLangmaid Fantastic dialog and support on this thread!
What if there was a mandatory requirement for L2 between the buildings?
Assume:
Managed switch on each side.
Direct fiber or wireless link connecting each switch.

Option #1
Could you do it with a LAG, or STP? Leg two or the second port would be the L2/access mode port of the tunnel.

Option #2
Establish a LAN SpeedFusion using private LAN IPs; is this possible?

Option #3
Side B has a redundant DHCP server or some static routes to use itself as the gateway in case the primary internet fails.

I still agree L3, as in your diagram, is the best approach.