VPN setup help

I need some help. Here is the layout.

  1. All locations are on a sd-wan setup so they are all part of one big subnet. Internal of fortinet is
  2. My goal is to use the peplinks as backup internet. Below is my preffered layout but I need to know how to configure.
  3. 1 peplink connected to fortigate as a second wan interface to be used should my main internet go down. I suppose I will set it’s internal interface the same as my main right now.
  4. 3 other peplinks at 3 sites vpn’d to the main peplink.
  5. All location machines connect using same parameters 10…. and GW
  6. So need all peplinks to pass traffic from internals back to main peplink without issue and routing, access, etc will be handles at main peplink with fortinet.

Do you mean as a backup internet connection for the fortinet SD-WAN to use?
In which case the LAN of the Peplink can be anything you like since its on the WAN of the forti - you don’t want the peplink LAN to have the same subnet as the LAN of the fortinet. What connectivity will the Peplink have?

Would these sites just have Peplink SD-WAN or are they on the WAN of a Fortinet at those locations too?

Maybe a quick sketch would clarify it?


I just realized my design wouldnt work because if one location went down it would be useless. I am now changing directions. Maybe you can help. See below.

Use peplink at each location with my current sd-wan connection going to each locations peplink as wan connection.
Use cellualr as backup aty each location with vpn to main offcie fortinet and select cellular as the only one in the wan connection priority field.
Better? This way if any site goes down the cellular link will kick in and vpn back to fortigate for connection and routing.

So main site with 2nd wan connection from peplink cellular.
All other sites using peplink and main device with wan coming form sd-wan (ATT) and vpn setup on cellular connection back to main office fortigate.

Any special settings need to be enabled. Leaving all networks as 10.1… /12 same gateway etc.

So lots of ways to do this actually.
Drop In Mode
The least friction approach is to use drop in mode on the Peplink and drop it in on the WAN of the fortigate. No changes needed to the fortigate but if you add cellular (or more internet connectivity) to the Peplink you now have redundant internet connectivity for your existing SD-WAN. Peter West made a great drop in mode video here.

SpeedFusion as WAN Connectivity
If you want to use SpeedFusion for seamless failover between existing wired WANs and cellular / Starlink, then you need to size the Peplink used for drop in mode so that it can support the right amount of VPN throughput. Then you can build speedfusion VPNs between the Peplinks to create a super reliable SpeedFusion core network then run your fortinet SD-WAN over the top.

Side Loaded SpeedFusion
Another approach is to side load Peplink SD-WAN on the side of your existing fortigate solution to add new Peplink only sites that don’t need the fortigate at all and still sit on the extended layer 2 10.1…/12 subnet. That doesn’t add redundancy for the existing sites with fortigate routers on though.

Mix them all together
You can also combine the approaches above and mix and match L2 and L3 SD-WAN at the same time to the remote Peplink enabled sites.
For example I have deployed VoIP vlans at customer’s MPLS sites where the Peplink is in drop in mode with the Layer 2 MPLS whilst also providing a SpeedFusion enabled layer 3 vlan for VoIP only use.

Suggest you consider all approaches, price up the hardware to do each one (potentially different depending on your remote sites WAN bandwidth(s)) and then work out which way you want to go.

A local Peplink partner would likely add a lot of value to this process…


PLease see the diagram below.
I can’t use peplinks vpn together because it wont allow for redunency per site.
I must do site to HQ site per location as ipsec to have individual redundency.
I must use same subnet because I have software hard coded to desktop IP’s.
I will vpn all peplinks to individual vpn’s on fortinet. I will use main fortinet as vpn from outside vendors.