Router Security - B One Router Setup
Website by Michael Horowitz
 

This page has out of the box setup instructions for a Peplink B One router. The B One comes in three flavors, these instructions are for the B One model without a cellular data modem. As of April 2025, the B One sold for $300 US. For more about the router, see the page here on the B One.

This page is for someone using a Peplink router for the first time. Anyone upgrading from an older Pepwave Surf SOHO router can, with some difficulty, import the settings from the Surf SOHO to the B One. This is also covered on the B One page.

DRAFT: This page is a work in progress.

TOPICS BELOW
Starting Out, Gather Basic Information, Initial Hardware Connections, Power Up, First Connection To Router, The Dashboard, System Tab, DNS, VLANs, WiFi SSID settings, WiFi Global settings, Firmware Updates

STARTING OUT

TERMINOLOGY: WAN refers to the Internet, it stands for Wide Area Network. LAN refers to the network of computing devices in your home/office. It means Local Area Network. If, for security reasons, you want to define different groups of the devices in your home/office, each group is a VLAN, or Virtual LAN. The term firmware refers to the operating system that runs the router.

STRATEGY: As I describe on the setting up a new router page, I think it is best to make initial configuration changes to any new router while the new router is off-line (not connected to the Internet). Also, the first few times any new router goes online, it is safer for it to be sitting behind an existing router. To do this, connect an Ethernet cable from the WAN port of the new router to a LAN port of the existing router. Only when you are sure you have all your ducks in a row with a new router should it be placed directly on the Internet (connected to a modem or gateway). I think this is a much safer approach than the standard recommendation of connecting a router to the Internet first and figuring things out later.

The only requirement for configuring a Peplink router is a web browser. Any recent browser should be fine. You could use a browser on a phone or tablet, but a computer is better, both because typing is easier on a keyboard, as opposed to glass, and because the web interface is designed for a large screen. Any computer should work, even a Chromebook.

NOTE: There are many other ways to communicate with a Peplink router. Like everyone else, Peplink has a mobile app, but the last I looked it was pretty bare bones. They also have a cloud service called InControl 2. When you buy a new Peplink router you get free access to InControl 2 for a year; after that, there is a yearly charge. InControl 2 makes the most sense for people administering multiple Peplink routers. It is also the only way to migrate settings from an old Pepwave Surf SOHO to a new B One. InControl 2 is completely optional and off by default. In addition, Peplink has their own remote control service that you can enable to let their techies get into your router. This only comes up if you report a problem to Peplink and their tech support asks you to enable it. Many routers support SNMP communication and Peplink does too. SNMP is off by default. Finally, Peplink offers a CLI (Command Line Interface) to their routers which is over my head.

One big difference between Peplink routers and consumer/ISP routers is that a Peplink router is secure out of the box. Whenever there is a choice, Peplink defaults to the secure option. Take UPnP, for example. The vast majority of routers ship with UPnP enabled by default. But, you are more secure with it off and Peplink has it off by default. Another very common router option with poor security is WPS. Peplink does not support WPS at all.

If you want to get a better feel for the B One than words and still pictures can provide, see Peplink B One Unboxing: High-Speed WiFi 6 Router with Dual WANs! by Peplink reseller West Networks on YouTube. More than just an unboxing, the video also shows using the web interface. Rather than the everyday Ethernet connection to the Internet, they first use a Mifi type device plugged into the USB port to get online, then they use Wi-Fi as WAN. You can ignore anything about SFC Protect or Speed Fusion Connect Protect.

The screen shots on this page are from firmware version 8.5.

GATHER BASIC INFORMATION

The first thing to do is to verify the model number and make note of the serial number and LAN side MAC address. All three should be on the cardboard box the router ships in, and also on a sticker on the bottom of the router. They can also be obtained from the router firmware once it's up and running.

The B One model without a cellular modem is the B-ONE-T-PRM model. Setup instructions for the two B One models with cellular data modems will be similar but with additional configuration needed.

The sticker also says where the router was made (Taiwan in my case) and the hardware generation. As of April 2025, the only hardware generation is HW1. Peplink has a long history of hardware refreshes for their routers.

Serial numbers, in Peplink land, are needed to register the router with the Peplink cloud service, InControl 2. Peplink routers can be used without their cloud service and there is no requirement to register your router with InControl 2. This is one of many things I like about the company. The last 4 characters of the serial number are also used as part of the default Wi-Fi network name (SSID) for the network created by the router when first powered on.

Finally, the sticker on the bottom of the router also shows the 8 character "AP Password". This is the password for the Wi-Fi network created by the router when it is first powered on. You may note that just above this on the sticker is the LAN MAC. FYI: the last 8 characters of the LAN MAC, if you ignore the dashes, are the default Wi-Fi password. In and of itself, the LAN MAC address is not all that important.
Note: If there is a circle in your AP Password, it is a zero, not the letter O (as in Oscar). If your eyesight is poor, it might also be the letter D (as in Deer).
Note: Any letters in the default Peplink Wi-Fi password should be entered in upper case, which is how they appear on the box and the sticker.

This is also a good time for planning. The router has a default password but you will be immediately forced to change it. Peplink requires that the router password be at least 10 characters long, and contain at least one lower case letter, one upper case letter and one number. Special characters are not required, not sure if they are allowed, but I would avoid them anyway. You can, optionally, also change the userid used to logon to the router, but that's later.

On the Wi-Fi side, you will also be forced to change the default password. WPA passwords can be from 8 to 63 characters long. I have more on this, but, in brief, pick a password that is at least 13 characters long. Here too, I would avoid special characters. You will also be given the chance to change the network name. There is advice here on choosing a network name (SSID). Bad choices here are not fatal, they can easily be changed later. And, the B One can create 16 different Wi-Fi networks, but that's for later.
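One way to produce passwords that satisfy the rules in the two paragraphs above, as an added example (not from the original page and not Peplink code). It assumes Python 3; the function names are hypothetical, and leaving out look-alike characters such as 0, O and D is a choice made for this example, prompted by the sticker note earlier on this page.

```python
import math
import secrets
import string

# Look-alike characters are left out so the password survives being read off
# paper and typed by hand. This is this example's choice, not a Peplink rule.
AMBIGUOUS = set("0OD1lI")
ALPHABET = [c for c in string.ascii_letters + string.digits if c not in AMBIGUOUS]

ROUTER_MIN_LEN = 10     # router admin password minimum stated on this page
WPA_MAX_LEN = 63        # longest WPA password stated on this page
WIFI_ADVISED_MIN = 13   # this page's recommended Wi-Fi minimum


def meets_router_policy(password):
    """At least 10 characters with a lower case letter, an upper case letter and a digit."""
    return (
        len(password) >= ROUTER_MIN_LEN
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
    )


def meets_wifi_advice(password):
    """13 to 63 characters, ASCII letters and digits only (no special characters)."""
    return (
        WIFI_ADVISED_MIN <= len(password) <= WPA_MAX_LEN
        and password.isascii()
        and password.isalnum()
    )


def generate(length):
    """Random password drawn from ALPHABET that passes the router policy."""
    if not ROUTER_MIN_LEN <= length <= WPA_MAX_LEN:
        raise ValueError(f"length must be {ROUTER_MIN_LEN}..{WPA_MAX_LEN}")
    while True:
        # Draw every character uniformly, then reject any candidate that lacks
        # a character class. Forcing classes into fixed positions would make
        # the result more predictable.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_router_policy(candidate):
            return candidate


def entropy_bits(length):
    """Upper bound on the entropy of a password of this length from ALPHABET."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    print("router admin:", generate(16))
    print("Wi-Fi       :", generate(20))
    print(f"13 characters from {len(ALPHABET)} symbols: "
          f"about {entropy_bits(13):.0f} bits")
```
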

It can also be handy to have the User Manual available. Both firmware and manuals for the B One series are available in the Support section of the Peplink website.

That said, documentation is one of the worst things about Peplink. For example, they still refer to Pepwave in the User Manual despite that branding having been discontinued when the Surf SOHO was discontinued. The B Ones are Peplink devices. Another example: the B One, like all routers, has a pinhole reset button. The picture in the User Manual shows it on the back, not the front. Worse still, the picture is of a different router. So, take the manual with a grain of salt.

INITIAL HARDWARE CONNECTIONS

The first hardware thing that needs to be done out of the box, is to put the electric wire together. The router is quite international, it ships with prongs/adapters for four different countries/regions. The prongs for your country need to be slid onto the AC adapter.

The second thing to do is to screw the two Wi-Fi antennas to the back of the router. The antenna ports are clearly labeled.

The third thing is to get an Ethernet cable. Most routers ship with one, the B One does not. Even if you only use Wi-Fi to communicate with all your devices, an Ethernet cable is needed to connect the router to the box/thingy provided by your Internet Service Provider. This box might be a modem or combination modem/router (aka "gateway"). Ethernet cables vary in their speed, color and length. By and large, the variations are only for techies, any Ethernet cable should be good enough for the maximum 1 gigabit speed of the B One router.

An optional step is to get a surge protector or a UPS to protect the router from electrical disturbances. One surge protector that I can recommend is the Tripp Lite TLM626. It has 6 outlets and in April 2025 sold for about $50 US.

POWER UP

Looking at the front of the router, when first powered on, the status light is solid red and the Wi-Fi light is off. After maybe 15 seconds, the status light changes to a much brighter solid red, then another 15 seconds (give or take) and it changes to solid green. A few seconds later the Wi-Fi light turns on and is solid green. A couple times, I was looking at the back of the router when I plugged in the electricity and saw that both LEDs for the WAN2 port came on. They went off after maybe 10 seconds or so. There was, at the time, nothing plugged into any of the Ethernet ports.

If you search for nearby Wi-Fi networks at this point, you should see one named PEPLINK_xxxx, where, as noted above, the last four characters of the network name (SSID) are the last four characters of the router serial number. The Wi-Fi network is protected with WPA2 encryption and is WiFi 5 (aka 802.11ac). You can get the default password for this network in two places, both described above.

FIRST CONNECTION TO ROUTER

To use the web interface of the router, the device running the web browser can either connect via Ethernet to one of the 4 LAN ports, or connect via Wi-Fi. As a rule, Ethernet is a bit easier because initially we will be making changes to the Wi-Fi network(s) created by the router. You don't want to change a tire while the car is running :-)

The first time you connect to the router, you will have to change both the password for getting into the router and the Wi-Fi password. You can (I would) also change the name of the Wi-Fi network.

Open your web browser of choice and navigate to

  https://192.168.50.1

Note that HTTP will also work. Out of the box, the router will automatically change insecure HTTP to secure HTTPS. You can change this behavior later, but I would not.

Your web browser will not be happy, but that is the fault of the browser(s), they all issue scary error messages for no good reason. I tested on Windows 10 in April 2025 and found:

  1. Chrome and Brave and Vivaldi complained that "Your connection is not private".
    See a screen shot from Chrome version 129 on Windows 10.

  2. Edge complained that "Your connection isn't private"

  3. Firefox and the Mullvad browser both said "Warning: Potential Security Risk Ahead"
    See a screen shot from Firefox version 137 on Windows 10.

These errors are issued any time you access a device, any device, using an IP address. This is not a Peplink thing, or a router thing. Despite the errors, encryption is being used between the router and your device.

It takes 2 clicks to bypass these warnings. First, in all browsers, click on the Advanced button. Then, to proceed in Chrome based browsers, click on "Proceed to 192.168.50.1 (unsafe)". In Firefox based browsers click on the gray button that says "Accept the Risk and Continue". Whew.
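The browser cannot vouch for the certificate the router presents, so once the warning has been clicked through, a check that remains available is to record the certificate's fingerprint on first contact and compare it on later visits. The sketch below is an added example, not part of the original page or of Peplink's software; the pin file name and function names are hypothetical, and the demo at the bottom uses constructed bytes so it runs without a router.

```python
import hashlib
import hmac
import json
import socket
import ssl
import tempfile
from pathlib import Path


def fingerprint(der_cert):
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_der_cert(host, port=443, timeout=5):
    """Fetch the certificate the device presents, without validating it.

    Validation is switched off on purpose: nothing here trusts the
    certificate, it is only hashed and compared with the stored value.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert(binary_form=True)


def check_pin(store_path, endpoint, seen):
    """Trust on first use: returns 'pinned', 'match' or 'MISMATCH'."""
    path = Path(store_path)
    pins = json.loads(path.read_text()) if path.exists() else {}
    known = pins.get(endpoint)
    if known is None:
        # First contact: remember what this endpoint presented.
        pins[endpoint] = seen
        path.write_text(json.dumps(pins, indent=2))
        return "pinned"
    # A stored pin is never overwritten silently; a change is reported.
    return "match" if hmac.compare_digest(known, seen) else "MISMATCH"


if __name__ == "__main__":
    # Offline demo with constructed bytes standing in for certificates.
    # Against a real router the value would come from:
    #   fingerprint(fetch_der_cert("192.168.50.1"))
    store = Path(tempfile.mkdtemp()) / "router_pins.json"  # hypothetical file
    first = fingerprint(b"constructed certificate A")
    other = fingerprint(b"constructed certificate B")
    for seen in (first, first, other):
        print(check_pin(store, "192.168.50.1:443", seen), seen[:16])
```

A MISMATCH on a later visit is the cue to find out why the certificate changed before typing the router password into that page.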

If all goes well, you should see the Peplink router login screen shown below.

[Screen shot: Log in to the B One router]

The default userid and password is the now classic "admin" and "admin", all lower case. After entering them, you are forced to change the Router password, as shown below. The current password, at this point, is still "admin". See my thoughts about router passwords.

[Screen shot: Forced to change router password]

Next, we are forced to make Wi-Fi changes, as shown below. At the least, the Wi-Fi password must be changed. See my thoughts about Wi-Fi passwords.

You can also, if you prefer, change the network name (SSID). I also have thoughts about choosing a good network name.

[Screen shot: Forced to change the Wi-Fi password]

If you are using Wi-Fi to talk to the router, you will be disconnected after making these initial Wi-Fi changes. The router does not tell you this, so I just had to :-) Log back into the router using the new Router password.

THE DASHBOARD

Next up is the Dashboard page, the main screen for the web interface.

[Screen shot: The Peplink Dashboard]

Now that you are in, know that every page has a gray LOGOUT button in the left side vertical column.

The top WAN Connection Status section is where you go when the Internet isn't working. WAN1 and WAN2 are the two WAN Ethernet ports on the back of the router. The "No Cable Detected" status is because I was setting up the new router while off-line. My worst experiences with Peplink routers were when it did not detect a connected cable.

You also see here that an Internet/WAN connection can either be Priority 1, Priority 2 or Disabled. You only need to deal with priorities when the router has two or three concurrent Internet connections.

A typical use for a Wi-Fi as WAN connection is when you take the router to a hotel that offers Wi-Fi but no Ethernet. The B One can connect to the hotel Wi-Fi and protect all your devices from snooping. It might also be used in a RV park that provides Wi-Fi. I once used it when my main ISP failed and I connected another Peplink router to the Wi-Fi hotspot created by a cellphone. Or, if you use ISP1 and your neighbor uses ISP2 and your ISP1 suffers an outage, you might be able to connect to your neighbor's Wi-Fi network using the Wi-Fi as WAN feature.

The Wi-Fi AP section shows all the networks (SSIDs) created by the router. There is only one in this example, but the B One can create up to 16 Wi-Fi networks. This comes in handy both for using VLANs to segment your devices and also to give devices that support WPA3 their own network. The DallasCowboysFan network is being broadcast on both 2.4GHz and 5GHz. You can easily change this in the AP tab.

The tabs are the horizontal black stripe across the top of the screen: Dashboard, SF Connect, Network, Advanced, AP, System and Status. The Status tab will probably be your best friend. You can ignore the SF Connect tab for now and maybe forever.

In the Device Information section, the CPU Load is probably the most useful information. If all is well, it should be fairly low. Expect it to be high for a minute while the router is installing any configuration changes. If the CPU Load is often high, the router might be infected with malware (very unlikely), underpowered for the number of devices connected to it (specs allow for 150) or running the OpenVPN client software.

The Throughput shows how much data is coming into the router and how much is going out. More details on throughput are available in the Status tab, which has a Real-Time usage report that shows throughput for the last 5 minutes or so. Also available there are Hourly, Daily and Monthly bandwidth reports.

The final thing to take note of here is the grayed out Apply Changes in the top right corner. After making most changes there will be a gray SAVE button. Save means just that, it does not mean install or apply or do it. It takes some time to apply configuration changes and because of the way the SAVE and APPLY CHANGES buttons work you can make multiple changes before actually installing them. The down side is that you might forget to Apply/install your changes. If you don't notice the Apply Changes button lit up, the Dashboard page will warn you when there are un-applied (think pending) changes. If you change your mind and do not want to install/apply your pending changes, you can cancel them on the Dashboard page.

SYSTEM TAB

Let's start the initial configuration at the System Tab.

One reason to start here is to set your Time Zone. Click on Time in the left side vertical column, then pick your Time Zone from the list. The router has a number of logs and we want the date/time on the logs to be accurate. After changing the time zone, the system will instruct you to both click the Apply Changes button and then re-boot for good luck. To reboot, click on Reboot in the left side vertical column.

[Screen shot: Rebooting a Peplink router]

Before you reboot (see above), you will notice a HUGE advantage to Peplink routers, the two copies of the firmware. Out of the box, both copies will be the same, but when you update the firmware, the router will keep a copy of the previous version available. If the new firmware is problematic, just re-boot and opt for the prior firmware version. This also lets you play with new firmware without fully committing to it. Try it for a short while, then go back to the prior version. The screen shot above is from a Peplink Balance 20x router.

After the reboot, you will have to log back in to the router. If you have kept the router off-line up till now, the new Time Zone won't really kick in until it goes on-line.

[Screen shot: B One router - Default System Tab]

ADMIN SECURITY

The Device Name is not important, you can leave the default or put your name in it.

The Admin User Name and Admin Password is what we just changed.

Unlike other routers, Peplink routers are configured for two distinct users, an Administrator and a read-only user. This is mostly a corporate feature, but if anything goes wrong with the admin user (or perhaps your keyboard) it's good to have a read-only userid and password.

The Web Session Timeout is not a big deal, it determines when an inactive logon to the router is timed out and logged off. I like to decrease it from the default of 4 hours to 1 hour.

Ignore the Authentication Method and CLI SSH & Console, the defaults are fine.

The next four fields control access to the very web interface you are now using. The defaults are reasonably secure, but can be made more secure. By default, both HTTP and HTTPS are allowed, but any attempt at using HTTP is re-directed to HTTPS.

The Web Admin Access field is poorly named, it controls remote access to the router from the WAN side. The default of LAN Only means no remote access and is the more secure option. By default, the Web Admin ports can not be changed.

To make this more secure, change the Security field to HTTPS Only and change the Web Admin Port to something between 3,000 and 62,000 (no commas). This makes your life a bit harder, as does every increase in security. Specifically, in your browser, the below will no longer work

  https://192.168.50.1
  http://192.168.50.1

Instead you will have to use

  https://192.168.50.1:44555

where 44555 is the Web Admin Port. The colon preceding the port number is very much required. The screen shot below shows this more secure configuration.

[Screen shot: B One router - Pumping up the Security]

The bottom section "LAN Connection Access Settings" is another way of securing access to the router itself. By default, any device connected to the LAN side of the router can access the router. If you know the admin or read-only userid/password, you get in. The "Allowed LAN Networks" field (also poorly named) controls access to the router based on VLANs. If you click on "Allow this network only" a drop-down list appears with all the currently defined VLANs (see the screen shot above).

The chosen VLAN (or the untagged LAN) will be the only one allowed access to the web interface of the router. A device in any other VLAN will not even be able to get at the initial logon screen. In the screen shot, only a device on Susans-vlan (number 18) can access the router.

IGNORE FOR NOW

The Schedule tab is where you create schedules that you later assign to either Wi-Fi networks (keep the kids off-line at bedtime) or Firewall rules. This can be skipped for now.

The Email Notification tab is where you configure the router to send you emails when it goes off-line and comes back on-line. Sadly, these are the only events that you can get notified about. This too can be skipped for now.

You can also ignore the Event Log, SNMP, SMS Control and Feature Add-ons. In the Tools section, Ping and Traceroute are network debugging features found on many routers. Wake-on-LAN is just what it sounds like, the ability to wake up a computer from the router. This is mostly a corporate feature meant for desktop computers. WAN Analysis is an Internet performance test that requires two Peplink routers. I have not used it.

HANDLING FIRMWARE

There are three options for fixing configuration mistakes.

As noted above, if you have not yet applied the changes, you can go to the Dashboard page where there will be an option to discard pending changes.

The next option is to restore the router settings as of the last time you backed them up. The process is quite simple, finding the file created by your last backup is probably the hardest part.

To make a configuration backup, go to the System tab, then Configuration in the left side vertical column. A screen shot is below.

[Screen shot: B One router - backup/restore system settings]

Click the gray Download button to download a new file on your computer with the current router settings/configuration. The file name will be in this format
yyyymmdd_bonehw1_serialnumber.conf

For example, a backup created on April 22, 2025 would have a name like
20250422_bonehw1_183579C152E2.conf

Should you ever need to restore a configuration backup, click on the Choose File button, then Upload the file to the router. When using this web interface, the burden of saving and finding the configuration backups is on you. If you use Peplink's optional InControl 2 cloud system, then configuration backups can reside in the cloud.

When to make a backup of the configuration settings is up to you. Windows makes Restore Points on its own, but Peplink backups are manual. Certainly if you make it to the end of this web page, you should make a backup. A great thing about Peplink routers is that before you update the firmware (the operating system of the router) it reminds you to make a backup of the current settings. I always appreciate the reminder.

Also shown above is the worst case scenario, where you need to restore the router to Factory Settings. As you can see, there is a button for this. I would suggest making a backup beforehand. Just in case. You never know.

Once you start the Factory Reset, you might as well close out your web browser. You will be disconnected from the router and the web interface no longer reflects what is really happening. The router re-starts as part of the Factory Reset. You can tell when it is ready again either from a solid green Status light or by scanning for nearby Wi-Fi networks. When it is ready, you will see the default PEPLINK_xxxx SSID again.

Note: The screen shot above is cropped. There is a fourth section at the bottom for "Upload Configurations from High Availability Pair". It can be ignored.

Actually, the real worst case is when you can not even logon to the router at all. For that, there is a pinhole sized Reset button on the front of the B One. It does not say "Reset", instead there is a circular white arrow. It is next to the Status and Wi-Fi lights. Press in the pinhole with a paper clip. Keep pressing for at least 10 seconds.

DNS

When it comes to security, perhaps the biggest increase in security for the smallest amount of effort, is provided by DNS. There is much information elsewhere on this site about DNS, so I will be brief here.

Computers on the Internet have numbers, not names. That this website appears to you as RouterSecurity.org is a top layer to make things easy for humans. Underneath, the computers on the Internet see this website as a thing at IP address 216.92.136.14. DNS is what translates the names we deal with, to the underlying IP addresses.

Every ISP provides a DNS service for their customers and it is typically your worst choice. Many other companies provide DNS services, often free, some paid.

There are two security aspects to DNS: secure vs. insecure communication and blocking bad stuff vs. not blocking anything.

There are two generations of DNS, the older generation uses insecure communication, the newer generation communicates securely. By default, Peplink still uses the older type of DNS. No doubt, your ISP does too.

Using DNS to block your access to bad stuff is a relatively new thing. The hard part is defining "bad stuff" as we all have different definitions. The most popular things to block, of course, are ads and trackers. Here you can see a screen shot of the Mullvad VPN client software (version 2025.3) for Android. Mullvad customers can block: ads, trackers, malware, gambling, adult content and/or social media. Those that don't like these choices, or don't want to use the Mullvad DNS service at all, can opt to specify their preferred DNS provider using the Custom DNS server option.

No DNS blocking can ever be perfect, but it is better to have some, than none.

Four secure DNS providers are pre-defined in a Peplink router (as of firmware 8.5), but the implementation is lame. Three of the DNS providers: Quad9, Cloudflare and OpenDNS offer multiple services, but Peplink does not show you this. Cloudflare, for example, offers one service that blocks malware, another that blocks both malware and porn and a third service that blocks nothing at all. Peplink only offers Cloudflare as a choice. Which service are you getting? Dunno. Google is the fourth DNS provider pre-defined in the router, but as far as I know they offer no blocking services along with their secure DNS. Makes sense, since advertising and tracking is how Google makes money.

With a little work, you can get both secure DNS and the blocking you want.

[Screen shot: Secure DNS is disabled by default]

To configure DNS, go to the Network tab, then click on WAN in the left side vertical column. Peplink refers to the new secure generation of DNS as "DNS over HTTPS" and you will see, as shown above, that it is disabled by default. Click the pink pencil to bring up a window like that shown below.

First, click on the Enable checkbox.

[Screen shot: Secure DNS with Quad9]

Then, if all this is too much, for the Server, choose Quad9 as shown above. Then, click on the gray Save button and then the Apply Changes button.

I suggest Quad9 because it is the most likely company to offer blocking of bad sites/servers by default. You are done with DNS.

To pick your own level of DNS blocking, opt for the Custom URL on the Server line. This requires both the name of a secure DNS server and its IP addresses. A screen shot of entering this information is further below.

To use Quad9, with their malware blocking, enter a server of
https://dns.quad9.net/dns-query and IP addresses of 9.9.9.9 and 149.112.112.112

To use the Adguard DNS service that blocks ads, tracking and phishing, enter a server of
https://dns.adguard.com/dns-query and IP addresses of 94.140.14.14 and 94.140.15.15

There is more about this sort of thing on the DNS providers page.

All that said, my preferred DNS provider is NextDNS. While DNS blocking can never be perfect, NextDNS lets you easily make adjustments. Something blocked that should not be, you get your own personal Allow List. Something allowed that should be blocked? They have a Block List. They also offer optional logging which can be very valuable. And they support profiles, so that some of your devices can have different Allow/Block lists than others.

You can use NextDNS without an account, with a free account or with a paid account. I suggest opening a free account. The service is free up to a point. If you make too many DNS requests then you need a paid account. As of May 2025, the limit on free accounts is 300,000 queries/month and the entry level paid account is $20/year. I happily pay for the service.

You can sign up with NextDNS at their website. Or, if you prefer to kick the tires anonymously, they offer free accounts valid for 7 days. To get a free temporary account, click on the blue "Try it now" button on their home page. You should see a web page much like the one below.

[Screen shot: A NextDNS Trial Account]

To use this account on a Peplink router, write down the two IP addresses of the DNS servers marked in red above (yours will likely be different) and the green DNS-over-HTTPS server name. Your server name will have a different ending, the "e9b3eb" is a NextDNS account number.

The screen shot below shows where you enter this Custom URL information.

[Screen shot: Secure DNS with NextDNS]

There are two options for the NextDNS server name. The one shown above, in this format
https://dns.nextdns.io/xxxxxx/
where xxxxxx represents the NextDNS account number works just fine.

However, NextDNS also lets you identify the specific device making each DNS request. This can come in handy when using their optional logging feature. To identify a Peplink router, use a server name such as
https://dns.nextdns.io/xxxxxx/mikeysb1router
You see an example of this in the screen shot above. Not to put too fine a point on it, but the xxxxxx above is really a NextDNS profile ID. If you have just one profile, which everyone does at the beginning, then it can be thought of as an account number.

When you are done with DNS, you should see (Network tab -> WAN) that the new, securely-communicating flavor is enabled, as shown below.

[Screen shot: Secure DNS communication is enabled]
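What a "DNS over HTTPS" lookup to one of the Custom URL servers above looks like on the wire, as an added example that is not from the original page or from Peplink. It builds an RFC 8484 GET request, parses the binary answer, and flags answers that look blocked; the function names are hypothetical, the sample responses are constructed, and treating NXDOMAIN or 0.0.0.0 as the sign of a block is an assumption to check against your provider's documentation.

```python
import base64
import struct
import urllib.request

QTYPE_A = 1
RCODE_NXDOMAIN = 3


def build_query(name, qtype=QTYPE_A):
    """Wire-format DNS query for `name`."""
    # ID 0 (RFC 8484 suggests 0 so HTTP caches can reuse answers),
    # flags 0x0100 = recursion desired, one question, no other records.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class 1 = IN


def doh_get_url(server_url, query):
    """RFC 8484 GET form: the query as unpadded base64url in ?dns=."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{server_url}?dns={encoded}"


def _skip_name(msg, pos):
    """Offset just past the (possibly compressed) name starting at pos."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:      # compression pointer, always ends a name
            return pos + 2
        if length == 0:                # root label
            return pos + 1
        pos += 1 + length


def parse_a_records(msg):
    """Return (rcode, [IPv4 addresses]) from a wire-format DNS response."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4            # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == QTYPE_A and rdlength == 4:
            addresses.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlength
    return flags & 0x000F, addresses


def looks_blocked(rcode, addresses):
    """Assumption of this example: a block shows up as NXDOMAIN or 0.0.0.0.

    NXDOMAIN is also the answer for names that simply do not exist.
    """
    if rcode == RCODE_NXDOMAIN:
        return True
    return bool(addresses) and all(a == "0.0.0.0" for a in addresses)


def resolve(server_url, name, timeout=5):
    """Send one DoH query (needs Internet access; not used by the demo)."""
    request = urllib.request.Request(
        doh_get_url(server_url, build_query(name)),
        headers={"Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return parse_a_records(response.read())


def constructed_response(name, ipv4=None, rcode=0):
    """Build a sample response offline (constructed data, not a capture)."""
    question = build_query(name)[12:]
    answer = b""
    if ipv4:
        # The answer name is a compression pointer to offset 12 (the question).
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 300, 4)
        answer += bytes(int(part) for part in ipv4.split("."))
    header = struct.pack("!HHHHHH", 0, 0x8180 | rcode, 1, 1 if ipv4 else 0, 0, 0)
    return header + question + answer


if __name__ == "__main__":
    print(doh_get_url("https://dns.quad9.net/dns-query", build_query("www.example.com")))
    for sample in (constructed_response("example.com", "192.0.2.10"),
                   constructed_response("blocked.example", rcode=RCODE_NXDOMAIN),
                   constructed_response("ads.example", "0.0.0.0")):
        rcode, addrs = parse_a_records(sample)
        print(rcode, addrs, "blocked?" , looks_blocked(rcode, addrs))
```

From a computer with Internet access, `resolve("https://dns.quad9.net/dns-query", "example.com")` sends the same kind of request to the Quad9 server named above.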

If you care about security, you are never done with DNS.

For NextDNS, if you have an account, I suggest logging in to their website and reviewing the many options in the Security tab. The defaults are probably fine for most people most of the time. Take note of the "Block Newly Registered Domains" option which blocks any domain registered less than 30 days ago. Great feature. I have used NextDNS for years, so I don't know if this is on by default or not. They also block three Top Level Domains (TLDs): ru, cn and ir. This means that you can not visit a website registered in Russia, China or Iran. You can change this, if you prefer. Logging is optional, I like to enable it and retain the logs for one day. No one right answer. As for never being done with DNS, after using NextDNS for a while, log into their website and review the Analytics tab to see how things are going.

VLANs

All consumer routers offer a Guest Wi-Fi network/SSID which has a few advantages. For one, you can activate the guest/visitor network when needed, and then turn it off when it's not needed. If you give it a password (you should!), it can be a simpler one than what you normally use for your private Wi-Fi network. But the most important aspect of a Guest Wi-Fi network is that it (normally, but not always) keeps untrusted devices away from your devices.

The downside to a Guest network is that it does not go far enough and that's where professional class routers, like those from Peplink, come in.

To begin with, the Peplink B One can create 16 different Wi-Fi networks. So, you can create an SSID for adults and another for children. Creating one for IoT devices is a very popular way to go. If someone works from home their devices can be isolated from everything else by creating a Wi-Fi network just for them. WPA3 is more secure than WPA2 but many devices do not support WPA3. So, maybe create separate WPA2 and WPA3 networks. Pretty much any way that you want to group the devices in your home, you can.

Whereas consumer routers imply that devices on the Guest Wi-Fi network are segregated, with VLANs we have direct control of this. After all, 16 different SSIDs would offer no segmentation or separation if they all funneled devices into the 192.168.50.x subnet.

So, each VLAN is its own subnet. A subnet is what defines the "Local" in Local Area Network (LAN), be it virtual or not. Out of the box, the B One has one subnet 192.168.50.x. Your first VLAN might, for example, use the 192.168.11.x subnet. A second VLAN might use 192.168.22.x.

The topic of IP addresses and subnets has its own page on this site and it is surprisingly popular. Over the span of a decade (2015-2025), it has averaged 152 page views/day. You do not need to understand it all to configure the B One, but it's there if you want to read it.

When you segregate the devices in your home into groups, what you are really doing is assigning a group to a VLAN.

Consider the popular idea of putting IoT devices into their own VLAN/group. These are, as a rule, untrusted and/or poorly secured devices. If one is bad, or gets hacked, it can attack or spy on all the other devices in the VLAN. Peplink routers let you isolate devices in an SSID such that they can not see each other. It creates a very lonely existence for IoT devices as each thinks it is the only device in your home. No matter how malicious it may be, the impact is mostly muted.

If 16 isolated Wi-Fi networks is not enough, then a VLAN can also be assigned to a LAN port. VLANs are not just Wi-Fi things. Someone working from home, who wants to be isolated from all other devices in their home, could not only have their own SSID, they could also have a NAS plugged into a LAN port that is assigned to their personal VLAN. No one else in the house would be able to access their NAS.

If it's not clear, creating a VLAN does nothing, in and of itself. The VLAN does not get used until it is assigned to a Wi-Fi network (SSID) and/or a LAN port. The same VLAN can be assigned to multiple SSIDs or multiple LAN ports.

The topic of VLANs also has its own page on this site, but we have covered enough to start creating them. Note that VLANs and Wi-Fi networks can both be created, deleted, renamed and re-assigned at any time, so whatever you do now can always be changed later.

To create a VLAN, as shown below, start at the Network tab, then Network Settings in the left side vertical column (it's the default), then look at the LAN section at the top of the page. This shows the existing out-of-the-box LAN which Peplink calls the Untagged LAN. The IP Address/Network column tells us two things: the IP address of the router is 192.168.50.1 (you knew this) and that all the devices on this LAN have IP addresses that start with 192.168.50. We know this from the /24 (if you care, see the IP address and subnet page for more on this).

The default LAN

FYI: You don't need to know this, but the term "Untagged LAN" is technically accurate and not chosen out of the blue. VLANs are created by adding a few bits to every transmitted chunk of data that travels on the network. Chunks with the extra bits are said to be "tagged" and the bits themselves are the VLAN number/ID. When a VLAN aware device sends data to the LAN, it adds these extra tag bits. When a VLAN aware device reads data it looks for the tags.

VLANs are identified with both a name and a number. The number is for the router, the name is for you. This is how websites also work; the name RouterSecurity.org is for you, but to the computers/routers on the Internet, this site is 216.92.136.14. The miserable Peplink documentation does not explain the rules for either the VLAN name (i.e. max length, allowable characters) or the number.

To create a new VLAN, click the gray "New LAN" button to bring up the window below. Yes, the button is poorly labeled.

Creating a new VLAN

The IP Address field is the IP address of the router, as seen from this VLAN. Rather than assign it 192.168.11.1, as is customary, I assigned it 192.168.11.6 for reasons that are explained on the IP address and subnet page. The "IP Range" in the example above goes from 192.168.11.7 to 192.168.11.250 which is what defines this VLAN as using the 192.168.11.x subnet. On both these lines, leave the "255.255.255.0 (/24)" unchanged. For now.

The VLAN name can be anything, above I'm just being cute. A better name might be IoTVLAN or GuestVLAN or kids-vlan or whatever makes sense in the context of how you expect to divide the devices in your home. You can change it later. The VLAN ID is what goes into the tag described above. Each VLAN has to have a different number. Don't use zero. I don't know the rules for VLAN IDs and Peplink does not explain it in the User Manual. Keep it under 32 for good luck. The VLAN ID does not have to match the subnet, that's just me being neat.

Turn off the checkbox for Inter-VLAN routing, this is a rare default that is not the secure way to go. Turn on the checkbox for DHCP Server Logging. It's not a big deal, but it might come in handy later. Leave the default of "Assign DNS server automatically". The other settings can be ignored. Click the Save button, then Apply Changes.

When the changes are applied, you should see something like the below.

Our first VLAN

Note that if you logon to the router using an SSID or Ethernet port assigned to this VLAN, then you can not get at the router's web interface using the 192.168.50.1 IP address that we started with. From this VLAN, the router is 192.168.11.6.

Below is an example of what this display might look like after you create multiple VLANs. This illustrates how each VLAN is its own subnet and how the router gets a different IP address on each VLAN. The VLAN number does not have to match the subnet, it's just a bit neater if it does.

As noted earlier, to actually use a VLAN, it needs to be assigned to a LAN port and/or a Wi-Fi network. In the screen shot below, a red X on the far right means the VLAN can be deleted because it is not assigned to anything. A gray X means the VLAN can not be deleted because it is assigned to something.

Multiple defined VLANs
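
Before typing several VLANs into the router, the plan can be sanity-checked on paper or in code. The following is an added example, not part of the router or of Peplink's software: it checks that every VLAN has its own non-overlapping subnet, a unique ID, and a DHCP range that fits the subnet without swallowing the router's own address. The VLAN 22 row and the deliberately broken "kids-vlan" row are constructed; the 1-4094 ID range is the 802.1Q standard's limit, and Peplink may impose a narrower one.

```python
import ipaddress
from itertools import combinations

# Constructed plans. The first two rows use the page's addresses (router at .6,
# DHCP range .7-.250); the VLAN 22 row and all of BAD_ROW are assumptions.
GOOD_PLAN = [
    {"name": "Untagged LAN", "vlan_id": None, "router": "192.168.50.1/24",
     "dhcp": None},
    {"name": "IoTVLAN", "vlan_id": 11, "router": "192.168.11.6/24",
     "dhcp": ("192.168.11.7", "192.168.11.250")},
    {"name": "GuestVLAN", "vlan_id": 22, "router": "192.168.22.6/24",
     "dhcp": ("192.168.22.7", "192.168.22.250")},
]
# Reuses ID 11, sits inside IoTVLAN's subnet, and its DHCP range starts
# outside its own /25.
BAD_ROW = {"name": "kids-vlan", "vlan_id": 11, "router": "192.168.11.129/25",
           "dhcp": ("192.168.11.120", "192.168.11.200")}


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    ids_seen = {}
    subnets = []
    for lan in plan:
        iface = ipaddress.ip_interface(lan["router"])
        subnets.append((lan["name"], iface.network))

        vid = lan["vlan_id"]
        if vid is not None:
            # 802.1Q carries the ID in 12 bits and reserves 0 and 4095.
            if not 1 <= vid <= 4094:
                problems.append(f"{lan['name']}: VLAN ID {vid} is outside 1-4094")
            if vid in ids_seen:
                problems.append(
                    f"{lan['name']}: VLAN ID {vid} already used by {ids_seen[vid]}")
            else:
                ids_seen[vid] = lan["name"]

        if lan["dhcp"]:
            lo, hi = (ipaddress.ip_address(a) for a in lan["dhcp"])
            if lo > hi or lo not in iface.network or hi not in iface.network:
                problems.append(
                    f"{lan['name']}: DHCP range {lo}-{hi} does not fit {iface.network}")
            elif lo <= iface.ip <= hi:
                problems.append(
                    f"{lan['name']}: router address {iface.ip} is inside the DHCP range")

    # Two SSIDs or ports are only separated if their VLANs use distinct subnets.
    for (name_a, net_a), (name_b, net_b) in combinations(subnets, 2):
        if net_a.overlaps(net_b):
            problems.append(f"{name_a} ({net_a}) overlaps {name_b} ({net_b})")
    return problems


if __name__ == "__main__":
    for problem in check_plan(GOOD_PLAN + [BAD_ROW]):
        print(problem)
```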

To assign a VLAN to a LAN port, start at the Network tab -> Port Settings. The last column for each port has an icon of a red pencil writing on a piece of paper. Click on that to edit the properties of the LAN port.

The port name can be anything useful. If a Sony stereo system is plugged into the port, maybe call it "Sony stereo". The drop-down field for "VLAN Networks" should, at this point, show the Untagged LAN and the newly created VLAN. In the screen shot below, you see that VLAN number 11 (aka Mikes first vee LAN) has been assigned to LAN port 2.

LAN port 2 is VLAN 11

The port type of "Trunk" seen above is a VLAN related option and explained elsewhere here on the VLAN page. You can ignore the Port Type if you don't have an Ethernet device playing the VLAN game. Briefly, it controls who adds the VLAN tags to chunks of network data. If the device plugged into the LAN port is not VLAN-aware (think printer), then the router must add tags on incoming data and strip tags on outgoing data. If the device plugged into the LAN port is up to snuff on VLANs (think smart switch), then the router looks for tags on incoming data and adds tags before sending data.
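
The "extra bits" described in the FYI above and the add/strip behaviour described here can be seen at the byte level. This is an added example, not Peplink code: it builds a constructed Ethernet frame, inserts the standard 802.1Q tag the way a router would for a device that is not VLAN-aware, and strips it again on the way out. Dropping an already-tagged frame on such a port is this sketch's own choice, not documented router behaviour.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed frame: broadcast destination, made-up source MAC, IPv4 EtherType.
PRINTER_FRAME = (bytes.fromhex("ffffffffffff" "020000000001" "0800")
                 + b"constructed payload")


def add_tag(frame, vlan_id, priority=0):
    """Insert the 4-byte tag right after the destination and source MACs."""
    if not 1 <= vlan_id <= 4094 or not 0 <= priority <= 7:
        raise ValueError("VLAN ID must be 1-4094 and priority 0-7")
    # 16-bit field: 3 bits priority, 1 bit drop-eligible (0 here), 12 bits ID
    tci = (priority << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def read_vlan_id(frame):
    """Return the VLAN ID carried in the frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("too short for an Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def strip_tag(frame):
    """Remove the tag if present, restoring the original untagged frame."""
    return frame if read_vlan_id(frame) is None else frame[:12] + frame[16:]


def from_plain_device(frame, port_vlan):
    """Incoming data on a port whose device is not VLAN-aware: router tags it."""
    if read_vlan_id(frame) is not None:
        return None  # sketch's choice: a plain device has no reason to send tags
    return add_tag(frame, port_vlan)


def to_plain_device(frame, port_vlan):
    """Outgoing data on that port: only the port's own VLAN is delivered."""
    if read_vlan_id(frame) != port_vlan:
        return None  # a frame from another VLAN never leaves through this port
    return strip_tag(frame)


if __name__ == "__main__":
    tagged = from_plain_device(PRINTER_FRAME, 11)
    print(tagged[12:16].hex(), read_vlan_id(tagged))
    print(to_plain_device(tagged, 11) == PRINTER_FRAME, to_plain_device(tagged, 22))
```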

In the next topic, Wi-Fi, you will see where/how to assign an SSID to a VLAN.

WIFI SSID SETTINGS

To configure Wi-Fi settings, start at the AP tab -> Wireless SSID (see below). After the required setup during the first boot-up of the router, we have a single SSID using WPA2 over-the-air encryption.

Getting started with Wi-Fi

To create a new SSID, click on the gray New SSID button. First though, let's get our feet wet and look at the existing network. Click on the SSID to see the screen below which shows the default values for some of the many configuration options.

Default Wi-Fi settings for WPA2

Scheduling is a feature in all Peplink routers that lets you schedule when an SSID is available and/or firewall rules. Like VLANs, you first create a schedule and give it a name, then you assign it to an SSID or a firewall rule. If children have their own SSID, then it can be scheduled to turn off at bedtime. Until a customized schedule is created, it defaults to Always On.

To assign the SSID to a VLAN, just click on the drop-down list box to see all your previously-defined VLANs.

SSIDs are broadcast (not hidden) by default and that's fine.

The Security Settings shown here are for WPA2, there is a WPA3 example coming up. The Encryption (AES:CCMP) can not be changed and that's a good thing.

"Shared Key" is the Wi-Fi password (another thing with a sub-optimal label). There is a whole page here on Wi-Fi passwords.

"Management Frame Protection" is a good thing for security but it's optional in WPA2. Leave it OFF for now (the default) because not every Wi-Fi device that supports WPA2, also supports Management Frame Protection. I enabled it once, and a Windows 10 computer could no longer get into the network as the PC was old and the Wi-Fi driver had not been updated to support this. Later, once your router has been functioning for a bit, you can experiment with this and see what, if anything, breaks.

"Fast Transition" is a performance feature I am not familiar with. Peplink says it activates 802.11r which improves the transition of a portable Wi-Fi device as it moves between access points. Most likely the router counts as an "access point". Until you use an actual access point (Peplink sells their own of course), you can ignore it.

The "Private Pre-Shared Key" was introduced in firmware 8.5 and, frankly, I had not seen it until I was making screen shots for this page. It's OFF by default and its purpose is unclear (Peplink documentation never explains the purpose for any feature). On the one hand it seems to allow the use of multiple passwords for a single SSID. On the other hand, it seems to allow the use of multiple VLANs with a single SSID. Either way, it only appears with WPA2 networks, not with WPA3. The online User Manual has a Wireless SSID topic, but I found it to be awful. I searched the Peplink Forum, and only came up with a brief comment about PPSK from July 2024.

There are other Wi-Fi options for an SSID that are not shown above. Further down the page are three sections with additional options: Access Control Settings, Guest Protect and Firewall settings. I am not familiar with the last two.

The Access Control section is a Wi-Fi feature that has been around for decades that lets you control access to an SSID based on the MAC address of the connecting device. I assume you have to know the SSID password before this comes into play, but I have not tested this. This feature gets no respect because a bad guy near your home could listen to over-the-air traffic and learn the MAC addresses of already-connected devices. To me, that is a pretty high bar and the feature should get more respect. The practical problem is that many homes have dozens of Wi-Fi devices making this a bookkeeping nightmare. The good news with VLANs and multiple SSIDs is that you can use MAC-based Access Control on SSIDs with very few devices and not bother doing it on SSIDs with many connected devices. If you don't know the MAC address of a device, the router does. You can see it at the Status tab -> Client List.

At this point, there is not much to say about the default settings for a WPA3 network. As you can see below, there are fewer options than WPA2.

Default Wi-Fi settings for WPA3

In the two screen shots above the "SSID Settings" section has four settings. Annoyingly, Peplink hides seven other settings by default. To see everything, click on the white question mark in the blue circle at the far end of the black stripe. All eleven settings are shown below.

The full list of SSID settings

The "Layer 2 Isolation" checkbox is what controls whether devices connected to the SSID can see and communicate with each other or not. As noted above, a VLAN is a group of devices that are (normally) isolated from other devices connected to the router. This option controls whether devices are isolated from each other within the VLAN that is associated with this SSID.

The "Maximum number of clients" is usually a performance thing but it can be a security feature when set on an SSID that is intended for a small number of devices. Set the maximum to the expected number of devices. To really limit things you would need to restrict the SSID to just one Wi-Fi frequency band. More on that coming up.

This is a good time to create some more Wi-Fi networks for yourself.

Below is an example of what this might look like with four SSIDs. The sample shows one WPA2 network, one WPA3 and one that allows either protocol. Not shown is the Enterprise version of Wi-Fi which Peplink supports with either WPA2 or WPA3. Enterprise versions of Wi-Fi assign each user/device their own userid and password. Managing the many userids/passwords requires a RADIUS server. Nuff said.

It also shows an Open network, which is one without a password. To me this is never a good idea. That said, this is an "Enhanced Open" network which is not your grandfather's open network. The enhancement is over-the-air encryption even without a Wi-Fi password. For a public Wi-Fi network, this might make sense, but it never makes sense at home. Also, many devices do not support this and never will. And, technically, Enhanced Open is not part of the WPA3 specification, so a router or Wi-Fi device that supports WPA3, may or may not support an Enhanced Open network. Ugh.

Four sample SSIDs

WIFI GLOBAL SETTINGS

Additional Wi-Fi settings can be found in the AP tab at "Settings" in the left side vertical column. I will not cover everything here, as these are Wi-Fi performance options and not security related. For more on these settings, see Chapter 22 of the online B One User Manual. If your Wi-Fi performance should be poor, there is a page here on this site about Extending your Wi-Fi range that should help pinpoint Wi-Fi problems.

Global Wi-Fi settings

The first section above controls the Wi-Fi frequency band used by each SSID. Normally, the default of both is fine. One reason to restrict an SSID to only the 5GHz band is to cut down its range to hopefully keep neighbors from seeing it. There is a whole page here on dealing with bad neighbors. Another reason might be that in your particular environment, in one location that you care about, one frequency band performs better than the other. Again, the B One can create 16 SSIDs so you have flexibility.

The Wi-Fi frequency bands are divided into channels. A "band" is a wide range of frequencies, a channel is a narrow range. For example, the 2.4GHz band goes from channel 1 at 2.412 GHz through channel 11 at 2.462 GHz. In between is channel 6 at 2.437 GHz and 7 at 2.442 GHz. Though small, a channel is not a single frequency, and they overlap.

On the 2.4GHz band, a stupid router will choose any channel that is not being used. Because of the overlap between channels, this is a stupid way to go. A router that opts for channel 7, that is near one using channel 6, will screw up things for both routers as they (virtually) step on each other's feet. The smart thing to do is only use channels 1, 6 and 11 on the 2.4GHz band because they are far enough apart from each other that they don't overlap. If both routers used channel 6 that would actually be OK, as Wi-Fi is able to share channels in an equitable manner.
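
The overlap arithmetic behind the 1/6/11 rule can be worked through in a few lines. This is an added example, not taken from any scanner app or from the router: it assumes every channel is 20 MHz wide (or 40 MHz when two adjacent 20 MHz blocks are bonded), uses the channel frequencies given above, and reviews a constructed list of neighboring networks against a router sitting on channel 6.

```python
def center_mhz(channel):
    """Centre frequency of a 2.4 GHz channel: channel 1 is 2412 MHz, 5 MHz steps."""
    if not 1 <= channel <= 13:
        raise ValueError("this sketch covers channels 1-13 only")
    return 2407 + 5 * channel


def span_mhz(channel, width=20, secondary=None):
    """Return (low, high) edge frequencies occupied by a network."""
    low, high = center_mhz(channel) - 10, center_mhz(channel) + 10
    if width == 40:
        # A 40 MHz network bonds a second 20 MHz block above or below the primary.
        if secondary == "above":
            high += 20
        elif secondary == "below":
            low -= 20
        else:
            raise ValueError("40 MHz needs secondary='above' or 'below'")
    elif width != 20:
        raise ValueError("2.4 GHz widths are 20 or 40 MHz")
    return low, high


def overlap_mhz(a, b):
    """How many MHz two (low, high) spans have in common."""
    return max(0, min(a[1], b[1]) - max(a[0], b[0]))


def review_scan(scan, my_channel):
    """List the networks that break the 1/6/11 and 20 MHz conventions."""
    mine = span_mhz(my_channel)
    findings = []
    for net in scan:
        theirs = span_mhz(net["channel"], net["width"], net.get("secondary"))
        issues = []
        if net["channel"] not in (1, 6, 11):
            issues.append("not on channel 1, 6 or 11")
        if net["width"] > 20:
            issues.append("40 MHz wide")
        shared = overlap_mhz(mine, theirs)
        # Sharing the exact same channel is fine; partial overlap is the problem.
        if shared and theirs != mine:
            issues.append(f"partially overlaps channel {my_channel} by {shared} MHz")
        if issues:
            findings.append((net["ssid"], issues))
    return findings


# Constructed scan results; the SSIDs are placeholders, not real networks.
SCAN = [
    {"ssid": "neighbor-A", "channel": 6, "width": 20},
    {"ssid": "neighbor-B", "channel": 7, "width": 20},
    {"ssid": "neighbor-C", "channel": 1, "width": 20},
    {"ssid": "neighbor-D", "channel": 11, "width": 40, "secondary": "below"},
    {"ssid": "neighbor-E", "channel": 8, "width": 20},
]

if __name__ == "__main__":
    for ssid, issues in review_scan(SCAN, my_channel=6):
        print(ssid, "->", "; ".join(issues))
```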

You can see in this screen shot from an Android Wi-Fi scanning app, that I took while traveling, that many of the nearby networks did, in fact, use channels 1, 6 or 11. A few networks, however, are centered around channels 3 and 4. TP-Link and Netgear are clear offenders. As I wrote this, I found a TP-Link and a Netgear router, near my home, both using channel 8. Channels 9 and 10 were being used by HP printers.

A consumer router may not offer a choice of channels. The eero app, for example, has nothing about channels. Consumer routers that do offer a choice either let you select a channel to use all the time or you have to cross your fingers and let the router choose the channel. Will it make a good choice? Likely not. How often does it re-evaluate? None of your business.

Peplink, on the other hand, gives you control over all of this.

The first relevant option in the screen shot above is channel width.

For the 2.4 GHz band, you should always use channels that are 20 MHz wide. This is an unofficial standard designed to minimize interference between channels. I live in a very crowded Wi-Fi neighborhood and when set to Auto, the B One used a 20 MHz wide channel. Still, I suggest forcing it to 20MHz. But, wider channels can send more data, so they appear faster, when they are the only Wi-Fi network around. Some stupid, cheap, consumer routers use 40 MHz wide channels, which are, again, bad for everyone. As I wrote this, I found these companies using 40 MHz wide channels near me: Arcadyan, Sagemcom, Netgear, TP-Link, ASUSTek (Asus) and Shenzhen Zhibotong Electronics. Here is a screen shot of this from the excellent WifiInfoView program.

The earlier screen shot from an Android Wi-Fi scanning app, also shows that a couple networks are much wider than the others.

For the 5 GHz band, the choice is not so clear and it depends on whether you live in a crowded Wi-Fi neighborhood or a desert island. Peplink offers: 20 MHz, 40 MHz, 20/40 MHz, 80 MHz (but falling back to 40 for incompatible models) and Auto. In my crowded Wi-Fi neighborhood, when set to Auto, it used an 80 MHz wide channel. Here too, wider is faster but interferes with the neighbors. I have set my 5 GHz channel width to 20 MHz and the speeds are fast enough for me. If I used a wider channel would my speed increase? It depends on my neighbors. There is no one right answer.

As for the choice of channel, the simplest option is to let the router choose. It is likely to make a reasonable choice. You will notice above that the only channels it will choose from, on the 2.4 GHz band are 1, 6 and 11. Not a stupid router. On both frequency bands, you can change the channels that you let it choose from, or pick one to always use.

If you let the router choose a channel, the next section lets you control when it re-evaluates this decision. You won't find that in a consumer router.

The B One offers many more settings than those shown above. I have cropped off sections for Web Administration Settings (on External AP), AP Time Settings (on External AP), Controller Management Settings (on External AP) and AP Controller Settings. These only come into play when using the router with a Peplink Access Point (or 2 or 3 or 4 ...). Still more settings (Beacon Rate, Beacon Interval, DTIM, and RTS Threshold) are hidden behind the white question mark in the blue circle that the red arrow points to. These advanced settings are found on pretty much all Wi-Fi routers and should not need to be changed.

WIFI LOG

While in the AP tab, notice that it has an Event Log in the left side vertical stripe. As seen in this screen shot it shows each time a Wi-Fi device connects and disconnects. For connections it logs the SSID, the frequency band and the type of encryption (WPA2 or WPA3). In the example, you can see that I usually connect to the DallasCowboysFan network on the 5GHz band, but one time my computer used 2.4 GHz instead. The router also logs when it changes the WiFi channel. Another thing to come back to after completing the initial router setup.

FIRMWARE UPDATES

Everything up to this point can be done with the router off-line. I would argue that it should be done off-line. While there is still much configuration to be done, this strikes me as a good time to update the firmware.

When the B One was first released, it was running firmware version 8.4.0. After that, came versions 8.4.1, 8.5.0, 8.5.1 and 8.5.2, which is the latest as I write this in May 2025. When to install new firmware is a matter of opinion. My opinion is to avoid the dot zero releases but install the dot ones and dot twos. This is just a rule of thumb, if you are having a problem, exceptions need to be made.

By the way, if you are having a problem, have reported it to Peplink and they find that there is a bug, they will create a new firmware immediately with a bug fix. So, always check the Peplink Forum when you have a problem because someone else might have reported the same problem and there might be a new temporary firmware with the fix.

Needless to say, make a backup of the current router settings before updating the firmware. This does not need to be said, because the router itself will remind you of this beforehand. Not a huge deal, but impressive nonetheless. Instructions for backing up the settings are above in the System Tab section.

There are multiple ways to get and install the latest firmware.

You can keep the router off-line and download the firmware on your own from the Peplink website. Then, at System tab -> Configuration you can upload the firmware file to the router.

Or, you can put the router on-line and have it both check for, and install, the new firmware on its own. The safest way to put the router on-line is to do so behind an existing router. Connect one of the WAN ports on the B One to a LAN port on the existing router. This way the B One is behind whatever firewall is in the existing router. Of course, you could follow the standard instructions and connect it to a modem so that it is directly facing the Internet.

You can also update the firmware using InControl2 but enough is enough for now :-)

Still more to come . . .




Page Created: April 28, 2025      
Last Updated: June 19, 2025 1AM CT