Network - Drop-in Mode
Drop-in Mode is an interesting feature that simplifies installing the PePLink multi-WAN router into an existing network that uses a single WAN router. In Drop-in Mode, the PePLink 30 can be inserted between the current single WAN router and the LAN without changing network IP addressing, duplicating configurations from another router, or adding the latency of another router hop.
In this mode, the Balance 30 acts as a bridge between the WAN1 interface and the LAN interface, meaning packets between the two interfaces are on the same subnet. However, frames forwarded between the WAN1 and LAN interfaces and back will have their source MAC addresses changed to the PePLink's MAC, meaning an ARP table refresh on all devices may be necessary after inserting the Balance 30 into an existing network.
Figure 7: Drop-in Mode scenario diagram
The illustration in Figure 7, which depicts a situation in which the PePLink could make a network administrator's life easier, is from PePLink's product specifications. Drop-in Mode allows for the addition of 1–2 more WAN connections without having to alter or remove the working configurations in the existing WAN connection or firewall.
As you can see, a network with a single WAN connection to ISP A is transitioned to a multi-WAN scenario by installing the Balance 30 between the existing router and firewall, and then adding additional WAN connections to leverage the multi-WAN capability of the Balance 30.
Network Routing and Firewall
With three WAN interfaces, the Balance 30 could be useful as a router between multiple subnets. NAT can be disabled on each WAN interface as necessary, but only after uncovering the IP Forwarding option hidden in a help menu warning that you should "know fully what you're doing."
I successfully tested IP Forwarding mode, using the Balance 30 on a network with multiple other routers. Static routes can be entered in the LAN configuration section, but I was disappointed to find the Balance 30 doesn't support any dynamic routing protocols, even basic RIP.
As a firewall, the Balance 30 can filter both outbound and inbound traffic. As displayed in Figure 8, rules can be defined to allow or deny outbound or inbound traffic based on protocol, source IP and port addresses, and/or destination IP and port addresses. In addition, inbound rules can be created and applied to all WAN interfaces, or to specific WAN interfaces. However, creating time schedules for traffic rules is not supported.
Figure 8: Configuring a firewall rule
For outbound traffic controls such as content filtering, configuration is based on destination IP address. The Balance 30 doesn't support URL-based filters. I tested outbound traffic filtering by creating a simple rule to block traffic to YouTube.com. (Note: I'm not picking on YouTube, but have seen that some workplaces have been restricting YouTube access due to productivity and bandwidth issues.)
I pinged YouTube.com to get their IP address, and since they have multiple servers, set up a simple rule to block all outbound traffic from any LAN user behind the Balance 30 to the /24 subnet including YouTube's IP addresses. Once configured and enabled, browser attempts to reach YouTube.com would simply hang; no error message or warning was presented notifying the user they are attempting to reach a restricted site. Figure 9 shows my configuration.
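A destination-IP rule like this only covers the addresses that fall inside the configured subnet, so it is worth checking the rule against everything the hostname resolves to. The following is an added example, not part of the original review or of PePLink's software: it audits a deny rule against a set of resolved addresses and lists the networks still needed. The function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
import socket


def resolve_ipv4(hostname):
    """Return the IPv4 addresses DNS currently gives for hostname (needs network)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def audit_block_rule(blocked_networks, resolved_addresses):
    """Split addresses into those the destination-IP deny rule covers and those it misses."""
    nets = [ipaddress.ip_network(n) for n in blocked_networks]
    covered, missed = [], []
    for text in sorted(resolved_addresses, key=ipaddress.ip_address):
        addr = ipaddress.ip_address(text)
        (covered if any(addr in n for n in nets) else missed).append(text)
    return covered, missed


def suggest_networks(addresses, prefix=24):
    """Networks of the given prefix length containing every address, merged where adjacent."""
    nets = {ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addresses}
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed sample data: one /24 deny rule, and a hostname whose records
# span two different subnets (RFC 5737 documentation addresses, not real hosts).
BLOCKED = ["203.0.113.0/24"]
RESOLVED = {"203.0.113.10", "203.0.113.77", "198.51.100.20", "198.51.100.21"}

if __name__ == "__main__":
    # For a live check, replace RESOLVED with resolve_ipv4("<hostname>") and
    # repeat over time, since the records returned can change between lookups.
    covered, missed = audit_block_rule(BLOCKED, RESOLVED)
    print("covered by rule:", covered)
    print("not covered    :", missed)
    print("networks to add:", suggest_networks(missed))
```
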






