Setup Your Own Site to Site VPN with the Omada Network Controller - TP-Link

  • Published: Sep 6, 2024

Comments • 73

  • @SergeantTrigger 11 months ago +2

    Loud and clear, thanks!

  • @thomastommy9864 10 months ago +1

    Isn't L2TP/IPSec very insecure these days? I've read somewhere that the encryption can easily be broken?

    • @TechnologyMoments 10 months ago +2

      It may very well be considered secure, but in terms of encryption it is not unbreakable. I would say 7 on a 1-10 scale. Try to use the highest security possible, such as IKEv2 and SHA-256. A certificate is ideal. There is a lot of literature on the perfect VPN. A lot of people argue to go for OpenVPN but others may say that it runs over the same type of encryption as IPsec so... I use it all the time but hey! I do not handle state secrets :-)

  • @Jonathan-L 1 year ago

    Thanks for a good presentation on this topic.

  • @darekamekaze 5 months ago

    Thanks! Great video! Could you please create with port forwarding with this Site to Site VPN? TIA.🙏

  • @oriola576 1 year ago

    Hi, thank you for this super video!
    I have two questions:
    1/ Do I need to have my ISP router in bridge mode to make this configuration work?
    2/ In case I do not need to have the ISP router in bridge mode, then the R605 will work as a secondary router. How to set up the tplink so it takes the same IP range as the ISP router? Is this needed to create a site to site VPN?
    Do you have any video about this?
    Also, with this configuration, is all the traffic from the remote network going through the main network?
    In a nutshell,
    - I have a remote device that I need to control from my office
    - I want to connect the remote network to my office network so I can see it
    - I bought 2 R605
    Thank you in advance for your help.
    Best,

    • @TechnologyMoments 1 year ago

      Thanks for your comments. 1. Yes, bridge mode could be the answer, or you can opt to have your ISP hand you control of your IP address (public) and this would be ideal. 2. We do not have a video for that, but basically you can redirect all ports to your router from your ISP's router. With this config, only the traffic destined to your remote network will go through the VPN tunnel. At least you need to have an external IP in one location, and you can start with OpenVPN between the two.

  • @AmidYousef 1 year ago

    Man that was great video... THANK YOU

  • @user-ci8fh1or2k 8 months ago

    I was able to create the tunnel and both routers show the active tunnel but I cannot ping anything on either side. Any advice?

    • @TechnologyMoments 8 months ago

      It is most likely due to firewall restrictions blocking everything coming from outside the "local" LAN. Check our video: ruclips.net/video/xWu5cIaPLkk/видео.html you may find it useful. Also check logs on both end routers.

  • @Chris-so1tn 1 year ago

    I really loved this tutorial! Can you create a how-to video showing how to set up an Omada Managed redundant Inter VLAN setup with redundant connections between 2-3 Switches (or one router and two switches if possible)? If possible, will you show how to do it using a Layer 2 and/or Layer 3 approach? I tried to do it with layer 2 by enabling RSTP on the two switches, but that caused the switches and the router to lose management and hang on adopting. However, the configuration seemed to work, I just lost management of the router and switches. I had to remove the redundant connections and factory reset them and then adopt them again to get them back. I'm using two TL-SG2210MP POE switches and an ER7206 Router. I want to set up LAN1 and LAN2 ports on the ER7206 to go to each of the two switches, with a redundant physical line between the two switches. I can then set up two cameras and two wifi access points on each switch for a total of four cameras and four access points.
    I set up my home and cabin with three wired cameras and two Omada short stacks. I have a control vlan and a dedicated video camera vlan at my cabin and two site2site VPNs sending data to my home. One manages the networking equipment with the controller at home, and the other sends video surveillance data to an NVR at my home. It worked great for six months until I lost the link between the Router and my POE Switch running the cameras and wifi access points. I am guessing my switch needs to be rebooted, but if I had a redundant setup, I may have only lost one switch and been able to maintain connection to another with half or even all my cameras. I'll be going down and snowmobiling in over New Years with a replacement switch (in case the other switch went bad), a few heat pads connected to redundant wifi temperature controllers (to keep the temps above 0 in the weather proof cabinet with the networking equipment), and a web power switch to auto reboot equipment if they lose a ping for more than an hour (long enough to allow for a remote firmware upgrade).

    • @TechnologyMoments 1 year ago +1

      Thanks for your comments, we are currently in the process of planning which videos we are going to release this year. Of course your suggestions are important and always very welcome.

  • @rigaro67 11 months ago

    Great video. Is there a way to implement a kill switch so that any client will not be able to access the internet if the VPN drops?
    This is important because for some applications the moment the VPN drops, all devices will access the local internet and show the actual location.

    • @TechnologyMoments 11 months ago

      I would assign static DNS so they will use the one on "the other side". :-)

  • @user-zo9wc3yx8l 1 year ago

    Hello, at the moment I have my Comcast business router which has a static IP address, after that I have my TP Omada VPN router. I have been trying to set up an IPsec VPN (site to site) but I am not able to do it. What settings do I need to change on the VPN router? I have tried setting the Wired network IP to the one of the static IP on the Comcast router but no luck.
    I have successfully done this on other sites but the difference there is that I only have one router on the other ones.

    • @TechnologyMoments 1 year ago

      If your ISP's router is in the middle you can ask them to handle the public IP to yours. That way their router will redirect everything to yours. An alternative is to make them configure the DMZ to your router (private IP)... just thinking... hope it helps

  • @SourabhBelekar 1 year ago

    I have 2 vpn routers (er605). I have configured one (at office) as L2TP server. I can connect to it from phone / iPad . I want to route all traffic(including internet access) from one vlan on second router(at home) via my office router. How can I configure this ?

    • @TechnologyMoments 1 year ago

      Seems like this has been the problem most are facing for correctly routing internet traffic from remote locations: learn.microsoft.com/en-us/troubleshoot/windows-server/networking/cannot-connect-to-internet-vpn-server

  • @gusmarasli 2 years ago

    Never mind. Windows was blocking all ping requests. Everything is working fine. :)

  • @wafirismail4349 1 year ago

    I am able to create site to site successfully. And I have configured L2P for clients to connect outside the network. However these clients are not able to connect to the remote site which is via a site to site ipsec.

    • @TechnologyMoments 1 year ago

      If your "branch to headquarters" works fine leave it like that and then create L2TP server as explained in our other video: ruclips.net/video/l34rB8OBl80/видео.html

  • @michele.dimarino 1 year ago

    Hello, but if I made this configuration,
    will router B, which connects to router A, be geolocated with Router A's public IP address?

    • @TechnologyMoments 1 year ago

      Yes. But there are additional configurations that you can create in terms of routing so that will not happen in case you need local internet access on B that does not use the VPN tunnel.

  • @VladanRadakovic 1 year ago

    Great video, thank you. One question: is it possible using this configuration to have branch office use head office's internet connection instead of its local one? Thanks.

    • @TechnologyMoments 1 year ago +1

      Yes, it is possible and actually a lot of people struggle to have it working the other way, to force it to use the local ISP's gateway. I have not needed it that way so I have not used it like that, but of course you may find many tutorials for such approach.

  • @jhonnyhernandez6467 9 months ago

    Hello, a question: on a client-to-LAN connection using the PPTP protocol, I get a GRE encapsulation error on the computer. Do you know what I should enable or disable on the router? I'd appreciate your input on this topic.

    • @TechnologyMoments 8 months ago

      Hello, it is very likely that your firewall is blocking IP protocol 47, which uses port 1723.

  • @ferasawwad71 1 year ago

    Greetings to you. I have a simple question: is it possible to create a vpn network with the same head office device? And not with a branch office

    • @TechnologyMoments 1 year ago

      I suppose you could but there wouldn't be any point. However if you wish to secure connections within your organization, sure you can and many people do it in many ways. VPNs could be established internally.

    • @ferasawwad71 1 year ago

      Greetings to you. Do you have an explanation on how to configure the vpn so that the connection is from the URL domain from the phone or computer to the router or modem and not site to site. in any type of router.

  • @questionableEQ 1 year ago

    Great Video! I am looking at a use case where 100% of the Branch office internet traffic is routed through the Head office router with HO public IP natting. Does this setup force 100% of the branch office internet traffic through head office router with HO public IP natting?

    • @TechnologyMoments 1 year ago +2

      Hi, site to site basically will work based on the routing tables on the router which you can manipulate and change as you see fit. Something very similar may happen with the ovpn files when using OpenVPN. Thanks for watching.

  • @creepto4900 1 year ago

    great vid! Just to clarify, do you need the OC200 on both ends or is it optional? Can I set the VPN settings on both ER605 as a standalone without the OC200?

    • @TechnologyMoments 1 year ago +1

      Actually as may have been explained in another of our videos, for VPNs it is much better to use the standalone setup, as we noticed settings are not properly deployed if a power failure takes place and no controller is available. Thanks for watching our videos.

    • @creepto4900 1 year ago

      @TechnologyMoments ah cool! I found the other video that you mentioned. Thanks a lot for the reply!

  • @sajeersalim611 1 year ago

    Does it require a static public IP for each Head office and Branch, or can it be configured with a dynamic IP like a broadband connection?

    • @TechnologyMoments 1 year ago

      It does require a public IP address but in the configuration you can link it to a Dynamic DNS service. Another important aspect to note is you can place them behind firewalls and just forward the corresponding ports.

  • @ferasawwad71 1 year ago

    Greetings to you. Do you have an explanation of how to configure ipsec vpn without buying ip address vpn. Using the ip address of the internal system of omada vpn.

    • @TechnologyMoments 1 year ago

      Not us but there may be some guides out there. Check how to connect to FQDNs customer.cradlepoint.com/s/article/How-to-configure-OpenVPN-using-FQDN

  • @zuriel4849 1 year ago

    Hello! I am setting this up for two offices. At the main office I have a public IP and at the second office the IP is under CGNAT. It works well with Open VPN but I'd like to connect to both sides of the networks as shown in this video. Is this possible? ty

    • @TechnologyMoments 1 year ago

      We are currently working on a video for that purpose, specifically with an ISP providing dynamic IP. For now our tests have worked even after changing the IP of the initiator. It should better have an option for an FQDN, but that is something not even Unifi has on their UDMs.

  • @carlsiy3226 11 months ago

    Hello! Is it possible to test this without leaving 1 site? Like, have the 2 omada routers plugged into the same ISP modem (same global IP address)

    • @TechnologyMoments 11 months ago

      Yes, you can actually test your VPN with both of them in the same network, assigning each one of them a private IP. It is a VPN practice many companies put in place (not actually with routers but PCs) to protect important data within their LANs.

  • @vijaypaladugu2838 1 year ago

    Hi Alan, I have done exactly what you did with 2 X ER7206 at both ends. I am able to access the internet through the ER7206 locally from each device, but no luck connecting between the sites. Only difference is that I have a 4G connection at the branch end. Do these have to have Static IP addresses provided by ISP? Can I test with Dynamic ISP provided IP addresses until I get Static IP addresses provided? Or does it not work without the static IP address? Are there any other settings I need to configure such as routing on the ER7206s?

    • @TechnologyMoments 1 year ago

      Hi, it usually is a matter of routing configuration. Once tunneling is established, it does not matter which technology you use, packets will travel the way we tell them to. Take a look at this link that applies to this too: docs.netgate.com/pfsense/en/latest/vpn/ipsec/client-routing.html

  • @gusmarasli 2 years ago

    Please help me! I can connect to the router, but I cannot reach any other device on the remote side. Is there a firewall policy that I need to set so I can reach the remote subnet?

  • @gusmarasli 2 years ago

    I did exactly what you did on my 2 routers. They connect to each other, I can ping the routers from both ends but I cannot ping or connect to any device at both ends !!!

    • @TechnologyMoments 2 years ago +1

      Hi, these site to site VPNs rely very much on the routing tables created or updated at the time of connection. Check if the networks specified as local and remote are the ones specified. If you can "see" both routers, it may very well be that the problem. Start in a specific order. For example remote network 192.168.15.1/24, and local 192.168.16.1/24. Also check that firewalls are properly configured with exceptions of remote LANs or different scopes. Check our video regarding that specific topic: ruclips.net/video/xWu5cIaPLkk/видео.html and hope it helps.
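
An added example, not part of the thread or of TP-Link's software: a Python check of the local/remote subnet pairing that the reply above asks you to verify, using the reply's own 192.168.15.1/24 and 192.168.16.1/24. The site dictionaries and function names are hypothetical, and the third sample site is constructed to show a mismatch.

```python
"""Added example: sanity-check Local/Remote subnets of a site-to-site IPsec pair.

The dict layout and names are hypothetical; nothing here talks to a router.
"""
from ipaddress import ip_address, ip_interface


def normalise(cidr):
    """Accept host-form input such as 192.168.15.1/24 and return its network."""
    return ip_interface(cidr).network


def check_pair(site_a, site_b):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    a_local, a_remote = normalise(site_a["local"]), normalise(site_a["remote"])
    b_local, b_remote = normalise(site_b["local"]), normalise(site_b["remote"])

    # Each side's "remote" must be exactly the other side's "local";
    # otherwise the tunnel can show as up while no LAN traffic matches it.
    if a_remote != b_local:
        problems.append(f"A remote {a_remote} != B local {b_local}")
    if b_remote != a_local:
        problems.append(f"B remote {b_remote} != A local {a_local}")

    # Overlapping LANs: hosts treat the far side as on-link and never
    # hand the packet to the router, so it never reaches the tunnel.
    if a_local.overlaps(b_local):
        problems.append(f"LANs overlap: {a_local} and {b_local}")
    return problems


def matches_tunnel(site, src, dst):
    """True if a packet src -> dst falls inside this site's local/remote pair."""
    return (ip_address(src) in normalise(site["local"])
            and ip_address(dst) in normalise(site["remote"]))


# Constructed sample values (the first two mirror the addresses in the reply).
HEAD = {"local": "192.168.16.1/24", "remote": "192.168.15.1/24"}
BRANCH_OK = {"local": "192.168.15.1/24", "remote": "192.168.16.1/24"}
BRANCH_BAD = {"local": "192.168.15.1/24", "remote": "192.168.1.0/24"}

if __name__ == "__main__":
    print(check_pair(HEAD, BRANCH_OK))
    print(check_pair(HEAD, BRANCH_BAD))
    # A host on another VLAN (constructed address) is outside the local subnet.
    print(matches_tunnel(HEAD, "192.168.20.5", "192.168.15.30"))
```

A host that fails `matches_tunnel` (for example one on a VLAN that is not listed as a local network) is not covered by the tunnel, which is consistent with the routers being reachable while devices behind them are not.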

  • @amoscookie1336 1 year ago

    All our Android devices no longer accept L2TP or PPTP since the Android 13 update. So how to overcome this?

    • @TechnologyMoments 1 year ago

      I assume you just need remote access and not the other way around. You might have a plan B with OpenVPN and these same routers ruclips.net/video/1Jju4cK2MWY/видео.html

  • @davidwang9344 2 years ago

    is it possible to set up 3 or 4 "site to site" vpns in series? if yes, does it use rip routing or static route? thank you.

    • @TechnologyMoments 2 years ago

      The manufacturer claims it is possible to establish up to 16 for OpenVPN and 20 IPsec. Over the years I've learnt to do my own tests, and I have not gotten my hands on more simultaneous connections with these routers so no help on my side regarding this specific question. Please let us know if you find out if it is a fact.

  • @user-cf2xo5hx4l 1 year ago

    How can I find the local and remote subnet? Thank you!

    • @TechnologyMoments 1 year ago

      Sure, you can see the local and remote subnet at 01:59, either when creating your VPN or later on in its configuration.

  • @naseerakbari4949 1 year ago

    Hello, I have an L2TP VPN server, but I want to connect this router to the VPN server. Which tutorial should I look at? This didn't help me ;(

    • @TechnologyMoments 1 year ago

      Basically should be the same, as your actual VPN server is gonna be your responder, so you already have a PSK, encryption method, IP, etc. You configure those parameters in your initiator remote ER602. Will be posting a TP Link Initiator to Unifi Server soon

  • @lylefabian1691 1 year ago

    When you say IP address? does that mean the IP address of the ISP modem IP address? How can they listen to one another without a WAN like an ISP modem? So do I need the IP Address of the local modem for each site to create the IPsec?

    • @TechnologyMoments 1 year ago

      Hi, when we talk about remote and local IP addresses it is intended for the public IP address. Normally the ISP will give you a dynamic IP address. You may have to ask for a public fixed IP, or you can ask for a method with them to receive such address like VLAN, PPPoE or even configure your ISP's modem as a bridge to your router so you'll have control of all forwarding being done.

    • @lylefabian1691 1 year ago

      @TechnologyMoments Hello! Thank you. Also, why can't I ping or log into other equipment on different VLANs? Are there additional steps I need to do?

  • @danielh5188 1 year ago

    Hello, will all communication at the remote office go via the head office? I mean, will the internet connection speed at the branch be dependent on the internet speed of the head office? We want to have local ISP speed at the branch, which is faster than the head office. Thank you

    • @TechnologyMoments 1 year ago +1

      Hello Daniel, the default access we have configured always has worked the way you need it. Internet access at the branch office is local, but once it needs a resource from the remote office, routes it through the tunnel. Has worked great for 5 months every day, with very important services that require 8 AM to 8 PM remote access to terminal server and printers.

    • @danielh5188 1 year ago

      @TechnologyMoments Thank you very much, everything works fine! Excellent video!

  • @gusmarasli 2 years ago

    Is it possible to create 1 Head and multiple Branches connect at the same time to it?

    • @TechnologyMoments 2 years ago +1

      Hello, TP Link argues it can manage up to 20 for the er605 and 100 for the 7206 routers. We have not tried it, but we do have several different types of VPNs running, some of them with multiple OpenVPN clients, and all have worked perfectly for over 3 months. Don't think it will change. Thanks for watching our videos.

  • @senaldeva 1 year ago

    Does mDNS (AutoDiscovery / Bonjour) work on a site to site VPN using the ER605 ? Thanks :)

    • @TechnologyMoments 1 year ago

      Have not been able to test it, however the common problems we all have with VPNs still remain, like random lack of access to the internet, mostly due to DNS failure to answer locally.

  • @TravelUnplugged 1 year ago

    I want to create client to site vpn and at the site have tplink4g router connected with ER605. Can i do that?

    • @TechnologyMoments 1 year ago +1

      I wouldn't see a reason why not. Basically any router should be able to connect to these er605 as they are deeply configurable. Not all routers can be servers, but they all can be clients. The only limitation you may have at any point is that it would be a client network and not a site to site interconnection. I would study your particular tplink 4G router a little more. If you can, please send us the model you have.

    • @TravelUnplugged 1 year ago

      @TechnologyMoments Archer MR600 4G. On this router I configured free dynamic DNS but have no luck even browsing with the DDNS domain.

  • @andyfeimsternfei8408 9 months ago

    Very buggy equipment! Tech support is very responsive but I have found 3 major bugs. They have issued me a beta firmware to fix one but the remaining stumped over others. Just be aware IPsec VPN will not work with certain LAN subnets. The software has very little debugging and logging.

    • @TechnologyMoments 9 months ago

      Thanks for sharing your experience that is exactly the objective of our channel. In our part for not so many clients, it has worked very well through IPsec and OpenVPN clients. Like I said is not a very demanding or high speed traffic. Hope you solve your problems.

    • @andyfeimsternfei8408 9 months ago

      @TechnologyMoments The latest issue is no connectivity over IPsec LANs with different second octets. IPsec SA shows connected, but local LAN can not ping remote LAN. Waiting on a fix from TP-LINK. This will be the third bug and firmware update.