The Balance 20 will support two IPsec site-to-site tunnels and three PPTP tunnels. Peplink's documentation says it supports VPN site-to-site tunnels to Peplink, Cisco, and Juniper routers. No other brands are listed as supported. Nevertheless, I had no problem setting up an IPsec site-to-site tunnel to a Netgear SRX5308.
Shown below is a screen shot of my IPsec connection from the Balance 20 to the SRX5308. I found Peplink's VPN configurations pretty straightforward. My guess is an IPsec tunnel could be established with other brands as well.
Interestingly, Balance routers do not support client IPsec tunnels. Thus, the only option for remote client VPN access to a Balance router is via a PPTP tunnel. This approach has pros and cons.
The pro to PPTP tunnels is simplicity. PPTP client software is included in Windows, Mac OS X, iPhones and Android smartphones. PPTP configuration is quite simple. On the Balance 20, all you have to do is enable PPTP and create a user name and password. On the end device, you create a PPTP connection and enter the user name and password.
I had no problem establishing a PPTP connection to the Balance 20 from a Windows 7 and Windows 8 PC, a Mac OS X PC, and an iPhone. Below is a screen shot where I have a Windows PC and an iPhone both connected to the Balance 20 via a PPTP connection.
The con to PPTP tunnels is security. PPTP is considered less secure than IPsec. However, the most secure solution isn't all that valuable if you can't get it to work, and IPsec client software can be difficult to configure and may not be available across all platforms.
I tested the Balance 20's VPN performance with iperf using default TCP settings, with a TCP window size of 8KB and no other options. I ran iperf on two PCs, one running 64-bit Windows 7 and the other 64-bit Windows 8 with their software firewall disabled. (Running a simple iperf throughput test between two PCs uses the command iperf -s on one PC and iperf -c (ip) on the other PC.)
I tested IPsec site-to-site VPN performance between the Balance 20 and the NETGEAR SRX5308, a router I typically use for site-to-site IPsec tunnel testing. I measured IPsec throughput with both 3DES and AES-256 encryption. (Peplink advertises their SpeedFusion feature with AES-256 encryption, so my thought is the Balance routers are optimized for AES encryption. The results seem to support that theory.) I tested PPTP VPN performance using my Windows PCs as described above.
|Peplink Balance 20 VPN Throughput Performance (Mbps)|
|Site to Site IPsec (3DES)||8.68||8.45|
|Site to Site IPsec (AES-256)||14.0||13.1|
Table 4: VPN throughput
I was surprised by the Balance 20's low VPN throughput. Peplink didn't provide VPN ratings for the Balance 20, yet I thought they'd be higher. As you can see in Table 5 comparing multi-WAN VPN routers, the Balance 20's VPN performance for both IPsec and PPTP is lower than all other multi-WAN VPN routers I've tested.
|IPsec Throughput (Mbps)||PPTP Throughput (Mbps)|
|Peplink Balance 20||13.1||14.0||8.45||8.68|
Table 5: VPN throughput comparison
The Balance 20 uses a rule-based firewall with separate inbound and outbound rules. Rules in both directions let you specify source and destination ports and an allow / deny action, as shown in the screenshot below. Inbound rules also let you specify the WAN port the rule applies to.
The Protocol Selection Tool is just Peplink's way of saying you can choose one of 28 different pre-defined traffic types (shown below). Or you can write your own rule, setting TCP / UDP / ICMP / IP and ports.
There is no scheduling of firewall rules. Rule priority is established by dragging and dropping rules into position. All Balance models also have an enable setting for intrusion detection and Denial-of-Service blocking. If you want website (domain) blocking, you'll need to step up to the Balance 305 or 380+.
The 20 and most Balance models support three-level priority-based QoS. Priorities are assigned to services as shown below, so they apply to all traffic, both uplink and downlink.
Setting QoS priority
Predefined applications include several types of video streaming (MMS, RealMedia, RTP, RTSP, Windowsmedia), tunneling traffic (IPsec, PPTP, SSL), and VoIP traffic (SIP, Skype). Custom applications can be created by DSCP values or by protocol and port.
If you again step up to a Balance 305 or 380+, you can divide LAN clients among three groups and apply bandwidth-based QoS rules to each group.