Hybrid WAN Best Practices

Introducing Hybrid WAN

The WAN Evolution

In this whitepaper we will show how Peplink’s Hybrid WAN technology can be used to extend and enhance an existing traditional private WAN topology.

What is a Traditional Private WAN?

Hybrid WAN Best Practices

In a traditional WAN environment, each branch office is connected using a single dedicated private network connection that is point to point between the branch and head office sites.

Occasionally this single private line will be backed up by another link (normally a cheaper commodity connection and often from the same ISP as the main link) that acts as a failover connection, but not always – and certainly not without additional cost.

In the diagram to the left we can see the head office local area network has two WAN connections. In red we have a direct to public Internet service, and in blue the connection to the managed WAN providers network, that subsequently provides routing of traffic to the three remote branch offices (A,B,C).

It’s important to note that the branch offices do not have a direct Internet connection at all. Instead they each have a single dedicated link back to the head office location, so all Internet access at the remote sites passes through the head office public Internet link (shown in red).

When we look at the hardware involved to achieve this configuration we might see something like this:

Hardware for Traditional Layer 3 Wide Area Network

At the head office location we have two routers, one for public Internet access and the other for access to the private WAN. At the branch office location, we have a single router that acts as the default gateway for the LAN clients there and sends all traffic back over the private network to the head office.

Example IP Addressing

To explain this type of configuration further here is a diagram showing how the IP addressing might be configured for this type of Layer 3 traditional private WAN.

IP Addressing for Traditional Layer 3 private WAN

The Head office network has a network subnet of, and uses the public Internet access router ( as the default gateway. The public Internet access router has a static route with a supernet of and the private WAN access router ( as the target. In this way, any traffic destined for the remote branch offices reaches the default gateway router and is then forwarded to the private access router, enabling the sites to communicate with head office in a hub and spoke fashion.

What is a Hybrid WAN?

A Hybrid WAN combines private point to point links with public Internet links using encryption to ensure that any traffic sent over the public Internet is secure.

difference between traditional WAN and Hybrid WAN

The end result is a Wide Area Network made up of multiple connections between each location that can be actively used at the same time to improve connection reliability and aggregate bandwidth.

It requires the use of multi-WAN routers at each location that are capable of sending traffic securely over multiple WAN links at the same time from a remote branch office that are then also able to combine the traffic again when it reaches the destination.

Peplink’s SpeedFusion VPN bonding technology is the mechanism for creating Hybrid WANs using multiple private and public links.

high level diagram for Hybrid WAN

SD-WAN – Centrally Managed Hybrid WAN

Software defined wide area networks extend the capabilities of Hybrid WAN’s by adding a central controller that configures, monitors and manages Hybrid WAN networks.

Using the SD-WAN controller we can deploy Hybrid WANs centrally and automatically – dynamically adding and removing remote locations/devices on demand. We can also monitor bandwidth usage at a device and client level and perform additional management tasks such as firmware deployments, configuration management and provide easy remote access.

Especially useful for Hybrid WAN deployments is the central monitoring and notifications made possible using SD-WAN. Individual remote site WAN link failures will be transparent to the users at that location by design, and as such need to be flagged up to the network management team for review. Peplink’s SD-WAN controller is the cloud based InControl 2 service and is fully compatible with all Hybrid WAN deployment topologies described in this whitepaper.

Hybrid WAN Example

If we wanted to use Hybrid WAN technology in our previous example the high level design would look like this:

Hybrid WAN high level design

In this example, the head office network now has three routers. A Peplink Balance device has been added to act as the default gateway for the network. This has the public Internet access router and the private WAN access router connected to its WAN ports.

The remote branch location also has an additional Peplink Balance device. This has the original private WAN router connected to its WAN ports along with new additional public Internet access routers.

The two Balance routers create a single logical VPN connection made up of multiple secure VPN connections between each other across both the public and private networks. Both networks can send and receive traffic at the same time. The benefits to this Hybrid WAN approach are considerable:

  • Additional bandwidth can be added quickly using public Internet links that tend to be cheaper with much higher bandwidth than dedicated private WAN links.
  • Using Peplink’s SD-WAN technology, multiple network technology types (Fiber, DSL, Cellular and even Wi-Fi) can be used at each location and combined to provide resilience.
  • The WAN links at each location do not need to be from the same ISP or managed service provider – allowing for provider diversity.
  • The end result is a more resilient, more agile, higher bandwidth and secure WAN.
  • Hybrid WAN IP Addressing Example

    The diagram below shows the network diagram for an example Hybrid WAN configuration using the topology from the previous traditional WAN example as a starting point

    Hybrid WAN IP Addressing Example

    Head Office Detail

    Hybrid WAN Head Office Detail

    In the head office location a new Balance router is added that acts as the default gateway for the network. On its WAN1 is the existing public Internet access router, on WAN2 it has the existing private WAN access router.

    The private WAN access router (shown in blue) is configured with a new LAN IP in a different range than the head office LAN. The original head office LAN IP range ( is maintained on the LAN of the Balance router to reduce the amount of reconfiguration needed on servers and infrastructure at this location.

    The Balance has an outbound policy added to tell it to route all traffic for the remote private WAN routers (in the remote branch offices) over WAN2. This outbound policy enables traffic to route between the WANs of the remote Balance routers and the one at head office, which in turn enables VPN tunnels to be created over the existing private WAN.

    Remote Branch Offices

    Hybrid WAN Remote Branch Office Detail

    In the remote branch offices a new Peplink Balance router is added to act as the gateway device for the local network and the branch office subnet is changed to be in the 10.12.x.0/24 range.

    Note: Any statically assigned network devices – such as printers, VoIP PBX’s or CCTV cameras will need to be reconfigured to connect on the new subnet.

    On the WAN1 of the Balance router a public Internet connection is added, with the private network access router on WAN2.

    Depending on the model of Balance router used at the remote branch offices up to 13 WAN connections can be used in total which can be a mix of fixed line, cellular and point to point wireless networks connections. Typically we would see a branch location combine existing fiber/cable connectivity from the private WAN with additional public Internet connectivity over fiber or xDSL and LTE cellular from different providers. Additional Internet connectivity can be added on demand to the branch office location and included in the Hybrid WAN.

    With this configuration in place we have the level topology configured as illustrated on the diagram to the right.

    Hybrid WAN high level topology

    How to Configure a Hybrid WAN in Parallel to An Existing Traditional WAN Infrastructure

    Frequently Hybrid WAN solutions are initially considered in an enterprise network as a solution for real immediate business and deployment challenges. This might be for an existing site that has suffered from extended network downtime due to external factors, or for a rapid temporary deployment where the long lead times for installation, rigid contract lengths, and overall expense of traditional private WAN connectivity is not the best fit.

    In these cases it can be desirable to add Hybrid WAN technology alongside existing infrastructure with minimal changes desired to the existing network configuration as a low risk, high speed way to test and trial the technology with easy roll back if required.

    This can be achieved by adding a Peplink Balance router to the head office location alongside the traditional WAN routers. By forwarding the necessary ports for SpeedFusion VPN through the existing public Internet access router, new remote branch office locations can be added that use commodity Internet connections (xDSL, 4G/LTE) at the remote sites and create secure VPN connections back to Balance router located in head office.

    Hybrid WAN alongside traditional private WAN

    With the simple addition of a couple of static routes on the private WAN and public Internet access routers, the new branch office locations added in this way can communicate securely with both the head office LAN devices as well as the remote branch locations on the traditional WAN.

    Best Practices

    Choosing the Right Mix of Internet Connectivity to Improve Hybrid WAN Performance

    The highest performance Hybrid WANs are achievable when connections of similar bandwidth capacity (within 50% of each other) and similar latency characteristics (within 200ms of each other) are combined.

    For example. Combining a DSL at 8Mbps with a Fiber connection at 80Mbps will actually produce a Hybrid WAN connection in the region of 70Mbps due to the bandwidth overhead required to establish a Hybrid WAN connection. (80 – 20% + 8 – 20% = 70.4Mbps). This will however be a Hybrid WAN connection that has resilience and is able to use both WAN links at the same time.


    Does All of Your Branch Office Network Traffic Need to Traverse the WAN?

    Accessing the Public Internet Using Hybrid WAN

    A question that is often overlooked when migrating from traditional to Hybrid WAN infrastructures is whether all network traffic at a branch office needs be routed via the head office location.

    Since Hybrid WANs use public Internet connectivity at the remote branch office locations, there is also the option to send Internet traffic from the remote devices out direct to the Internet using the local connectivity rather than over the secure VPN and out via the public Internet connection at head office.

    This reduces the amount of bandwidth required at the head office location, not only for Internet access but also the bandwidth required between it and the branch offices, which can drastically reduce bandwidth costs across large wide area networks.


    Hybrid WAN technologies can improve branch office connectivity resilience and bandwidth whilst also reducing costs, as well as provide new, more agile ways to deploy and manage branch office connectivity requirements using a mix of Internet connectivity types from diverse service providers.

    Using Peplink SpeedFusion enabled routers, you can choose to bolt Hybrid WAN connectivity onto the side of existing traditional WAN deployments, combine private and public WANs incrementally as required, and ultimately completely replace the traditional enterprise WAN if desired.

    Peplink’s SD-WAN controller in combination with Hybrid WAN provides agile remote site connectivity options with easy central management and monitoring – greatly simplifying both the initial deployment of Hybrid WAN in the enterprise and its subsequent operational management.

    Download PDF Version