Router Security: Surf SOHO Initial Configuration
For a long time, I have recommended the Pepwave Surf SOHO router from Peplink. A long explanation of why is on the Surf SOHO page. Finding a secure router is only half the problem; it also needs to be configured. In that light, this is a cheat sheet for configuring a new out-of-the-box Surf SOHO to be as secure as possible. It goes hand in hand with my suggestions about securely configuring any new router. I am told that almost all of the configuration described below also works for the Peplink Balance One, and I would suspect it also applies to other Peplink Balance models running firmware version 7.x.
Contents:
1) Initial Changes
2) IP Addresses
3) Update Firmware
4) Managing Two Firmwares
5) VLANs
6) Wi-Fi Settings
7) Settings for one SSID
8) DNS
9) Firewall Rules
10) Final Things
If you own a Surf SOHO and want to start from scratch, it can be reset to factory defaults with System -> Configuration -> Restore Factory Settings button. If you can't logon to the router, look for the small reset button on the back of the router. It is, literally, a pinhole and marked with a white circular arrow. Press in the button with a paper clip for at least 10 seconds and the router should reboot to factory fresh state.
Before pressing the reset button, both the status and WiFi lights are green. During the reset and reboot process the lights go through these stages:
You can tell that the router was reset by the Wi-Fi SSID that it broadcasts. The default is PEPWAVE_xxxx where xxxx is the last four characters of the serial number. This should show up in any app or operating system when looking for nearby Wi-Fi networks.
The Surf SOHO includes two copies of its operating system (called firmware). A factory reset, resets both copies of the firmware. The versions of the two installed copies do not change, just their configuration. Each is reverted to a factory fresh state.
New Surf SOHO owners can download the User Manual from Peplink at peplink.com/support/downloads/. There are different downloads for different hardware editions of the Surf SOHO. The first release is known as HW1 (hardware version 1). The second release is known as HW2 and the third release of the hardware is referred to as MK3. If you are dealing with an older, first generation model, note that it can only run firmware version 6. The two later hardware versions can run both versions 7 and 8 of the firmware.
STRATEGY: As I describe on the new router page, I think it is best to make some initial configuration changes to any new router while the new router is off-line (not connected to the Internet). Also, the first few times any new router goes online, it is safer for it to be sitting behind an existing router. To do this, connect an Ethernet cable from the WAN port of the new router to a LAN port of the existing router.
TERMINOLOGY: WAN refers to the Internet, it stands for Wide Area Network. LAN refers to the network of computing devices in your home/office. It means Local Area Network.
The only requirement for configuring the Surf SOHO is a web browser. Any recent browser should be fine; you may want to disable browser extensions while you work, since at least one ad blocker is known to break part of the interface (see the Event Log section). You could use a phone or tablet, but a computer is better, both because typing is easier on a keyboard, as opposed to glass, and because the web interface is designed for a large screen. Any computer should work, even a Chromebook. Peplink does offer a mobile app, but initial configuration requires the web interface.
One thing you will need, at least at first, is some patience. There are a lot of steps. And, the web interface has an unusual quirk, sometimes clicking on a SAVE button is not sufficient to actually save the changes you made. An extra step is normally needed: clicking on an Apply Changes button in the black horizontal stripe across the top of the screen.
Two things we do not need to do with a Surf SOHO are disabling WPS and UPnP. No Peplink router supports WPS, which is great for security, and Peplink is the very rare company that disables UPnP out of the box. NAT-PMP and Remote Administration are also disabled by default, both of which are good for security.
UPDATE: July 2, 2018: Peplink routers can save all the current settings in an external .conf file. The large number of click-here-type-this steps that follow can be too much for some people. With that in mind, a reader of this site suggested that I supply a pre-configured .conf file. He went so far as to verify that the .conf files are not locked down by MAC address or the serial number of the router. I would do this, except that my only spare Surf SOHO is an old version 1, which can only run firmware version 6. If I ever get my hands on a new Surf SOHO, I'll do some initial configuring and post a .conf file here.
This was originally written for firmware version 7, the changes in version 8 are not drastic.
CONNECTING TO THE ROUTER
First things first. When the router is powered on, watch the Status LED. It is solid red while the router is starting up and changes to solid green when it has finished booting. FYI: the WiFi LED will be green and blinking when all is well and Wi-Fi is being used.
As with any router, we can connect to the Surf SOHO via Ethernet or Wi-Fi. Most computing devices use DHCP which means they will be assigned an IP address by the router. If you have that rare device with a hard coded IP address (you know who you are), it will need to be changed to something in the 192.168.50.x subnet.
It is best to connect via an Ethernet cable because we will be making changes to the Wi-Fi environment and no one wants to change a tire while the car is moving. Also, an Ethernet connection is usually more reliable than Wi-Fi and does not require a password. Connect to any of the four LAN ports, do not connect to the WAN port. If you are using a laptop computer, turn off the Wi-Fi to ensure it communicates only via Ethernet.
At this point the router should be off-line, so verify that nothing is plugged into the WAN port. If the Surf SOHO is on, power it off (pull the plug), wait a bit, then power it on and wait for the status light to turn solid green. Then, I suggest restarting your computer to ensure it gets assigned an IP address by the router.
Before doing anything, you might want to check that the Ethernet LAN Ports all work. If one is bad, it is best to know immediately. Don't ask why I make this suggestion. You can skip this and do it later. To test a LAN port, open a command prompt and try to ping the router using this command: "ping 192.168.50.1". This should work fine. Then plug into each of the other three LAN ports and do the same Ping command. Wait 5-10 seconds after plugging into the LAN port before doing the Ping. On a Chromebook, first disable the WiFi. ChromeOS tells you if it has connected to the Ethernet port.
If you are connecting via Wi-Fi go ahead and connect now. Look for an SSID like PEPWAVE_xxxx where xxxx is the last four characters of the router serial number. The network is password protected and the password is the last eight characters of the LAN MAC address. You can find the LAN MAC address on a label on the bottom of the router. A MAC address consists of letters and numbers. Enter any letters in the LAN MAC address in upper case. Any circles are zeros, the letter OH is not valid in a MAC address. The dashes are ignored.
Open your web browser of choice and navigate to http://192.168.50.1. Logon with userid "admin" and password "admin". The journey has begun.
The first things I suggest changing are the router password, the Wi-Fi password(s) and the Wi-Fi SSID(s). Starting with firmware version 8, after this initial logon, the router will force you to change the router password. The default, out-of-the-box password works only once. Unlike everywhere else, the password rules are actually displayed: it must be at least 10 characters long, include an upper case letter, a lower case letter and a number. Special characters are allowed but not required.
INITIAL CHANGES (OFFLINE)
After logging on, go to System -> Admin Security. The screen shot below shows what this might look like after making the changes in this section.
The first thing I suggest changing is the router administrator userid and (if still using firmware 7) the password. As shown above, the userid field is "Admin User Name" and the password field is "Admin Password." You have to enter the password twice.
A userid of your name or the name of your pet would be fine. Better still, come up with something that no one might guess. Write it down on a piece of paper along with the password. Userids are case sensitive so be careful when writing it down that you can tell upper from lower case.
FYI: If you enter an incorrect password too many times, when logging on to the router, it will lock you out for a period of time.
Click the gray SAVE button at the bottom, then the Apply Changes button at the top, then logoff using gray LOGOUT button in the left side vertical column. Log back in with your new userid and new password and go back to System -> Admin Security again.
The Surf SOHO supports two userids. The one we just changed has full access to the router, there is also a read-only user. You may never use the read-only user but, even then, it is best to change the default values. As seen above, the fields are labeled "Read-only User Name", "User Password" and "Confirm User Password". Yes, the password fields are poorly labeled. Write down this userid/password too.
You might want to change the web session timeout. This is the amount of time doing nothing after which the logon to the router expires. The default of 4 hours seems a bit much to me, but there is no one right answer. "Authentication by RADIUS" should be off (it defaults to off). Likewise "CLI SSH & Console" should not be checked (by default it is not checked); there is no reason to expose a second management interface you are not going to use.
The "Security" field refers to the very web connection to the router that you are now using. It defaults to HTTP, but you can change it to HTTPS only (the option just says HTTPS) or to both HTTP and HTTPS. HTTPS only is the most secure option and is what I suggest. Be aware, however, that every HTTPS connection to the router will generate a warning in your web browser. This is, believe it or not, normal. The wording varies by browser, but it may say that the connection is not private or not secure, and it may complain about the certificate, because the router's certificate is issued for captive-portal.peplink.com rather than for the IP address you typed. The warnings do not mean anything is broken, but they do mean the browser cannot, by itself, verify that it is talking to your router rather than to something else on the LAN. On a wired connection to an offline router that is not a concern; note the certificate fingerprint the browser shows you and check later that it has not changed. Ironic that the most secure option generates warnings about not being secure.
The "Web Admin Access" field is where you enable or disable Remote Administration. The default setting of "LAN Only" means no Remote Administration and is the secure choice. A value of LAN/WAN enables Remote Administration. That said, this only applies to classic or legacy remote access to the router. It has nothing to do with the Peplink cloud service, InControl2, that also provides remote access to their routers. Access to the InControl2 system is free for the first year when you purchase a Surf SOHO.
The two remote access services differ in that classic remote access is an inny system while InControl2 is an outty system (my terms). Classic remote access requires you to connect directly in to the router, so you must know either its public IP address or use a Dynamic DNS system. This leaves the router's web interface listening on an Internet-facing port, so any weakness in it, or a guessed password, is reachable by anyone. With InControl2 the router maintains a constant outbound connection to Peplink, so there are no open ports. You log on to the InControl2 website with a userid and password to administer the router. The trade-off is that Peplink's cloud service, and anyone who obtains your InControl2 credentials, can then control the router.
I suggest changing the "Web Admin Port" to something between 9,000 and 65,000. With Web Admin Access left at LAN Only, a non-standard port mostly keeps the router's web interface from being found by a casual scan from a device on your own network; it is obscurity, not a substitute for a strong password, but it costs nothing. It is yet another thing for you to remember, so write it down too, on the same piece of paper as the earlier passwords.
Finally, a trivial thing: change the "Router Name" to something that makes sense to you (e.g. MikeysRouter).
Click the gray SAVE button at the bottom of the screen, then Apply Changes at the top.
If you changed either the port number or the HTTP/HTTPS setting, you will need to change how you access the router. The error message "Unable to reach web admin. Connecting in 30s..." is a hint that something needs to change. Non-standard ports need to be entered explicitly in the URL. For example, if you picked port number 9001 and HTTPS, then you need to use https://192.168.50.1:9001 to get to the router. The port number is preceded by a colon, not a period. I suggest writing this down too (or bookmarking it). All that said, you may need to change this yet again if you decide to assign a different IP address to the router (which I suggest doing).
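The browser warnings described above are unavoidable, but they do not have to be meaningless. The script below is an added example, not code from the page or from Peplink: it records the SHA-256 fingerprint of the router's HTTPS certificate the first time you connect (ideally over Ethernet, with the router offline) and refuses to call a later connection "ok" if the certificate has changed. The address, port and pin file name are assumptions; substitute the values you chose above.

```python
"""Record and re-check the fingerprint of the router's HTTPS certificate.

Added example, not from the original page or from Peplink. ROUTER_HOST,
ROUTER_PORT and PIN_FILE are assumed values. Nothing here touches the
network until fetch_fingerprint() or check_router() is called.
"""
import hashlib
import ssl
from pathlib import Path

ROUTER_HOST = "192.168.50.1"        # assumed: the factory-default LAN address
ROUTER_PORT = 9001                  # assumed: the Web Admin Port chosen above
PIN_FILE = Path("surf-soho.pin")    # hypothetical file holding the trusted fingerprint


def fingerprint_der(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lower-case hex."""
    return hashlib.sha256(der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:...' (browser style) or plain hex, any case."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def pin_matches(stored: str, observed: str) -> bool:
    """True only when both fingerprints are well-formed SHA-256 hex and identical."""
    a, b = normalize(stored), normalize(observed)
    return len(a) == 64 and a == b


def fetch_fingerprint(host: str = ROUTER_HOST, port: int = ROUTER_PORT) -> str:
    """Connect to the router and return the SHA-256 fingerprint of its certificate.

    CA verification is deliberately off (ca_certs=None): the page notes the
    certificate is issued for captive-portal.peplink.com, not for the LAN
    address, so no CA check could succeed. The pin comparison replaces it.
    """
    pem = ssl.get_server_certificate((host, port))
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem))


def check_router(host: str = ROUTER_HOST, port: int = ROUTER_PORT,
                 pin_file: Path = PIN_FILE) -> str:
    """Trust on first use: store the fingerprint once, then insist it never changes."""
    observed = fetch_fingerprint(host, port)
    if not pin_file.exists():
        pin_file.write_text(observed + "\n")
        return "pinned"      # first (offline, wired) connection: record it
    if pin_matches(pin_file.read_text(), observed):
        return "ok"          # same certificate as the day you set the router up
    # A different certificate means either a factory reset / firmware change
    # or something on the LAN answering in the router's place. Find out which
    # before typing the admin password into it.
    return "MISMATCH"


if __name__ == "__main__":
    print(check_router())
```

Run it once while the router is still offline to create the pin file, then again whenever the browser warning makes you nervous; a result of MISMATCH after nothing but a firmware update is worth a factory-reset-and-compare before you log in.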
STATUS -> DEVICE
After logging on, go to Status -> Device and write down the Serial Number. Also note the "Model" and "Hardware Revision". Hardware versions 1 and 2 are labeled as such. Version 3, however, also reports itself as hardware revision 1 (last verified with firmware 7.0.2), a poor decision by Peplink. Hardware version 3 identifies itself with "MK3" in the Model field.
The current Firmware version is also shown here. While the router can check for new firmware, I suggest also checking the Peplink website.
PepVPN is an advanced feature that should be ignored for now. The Modem support version can also be ignored initially. The modems it refers to are 4G/LTE devices that plug into the USB port of the router to provide wireless Internet access. This has nothing to do with cable or DSL modems.
The Diagnostic Report is for Peplink, not for you. If their tech support department is working on a problem with your router, they may ask for this. Remote Assistance is also for Peplink tech support. It lets them access your router, again, when working on a problem for you. Hopefully, you will never have to use it.
STATUS -> EVENT LOG
Now click on the Event Log in the left side vertical column. It is your friend. Verify that the checkbox to Auto-Refresh is on (it should be). You should see timestamps on the left and event messages on the right. There should always be some messages as the router logs when it starts up and every time someone logs on to it. Until the router goes on-line and asks the Internet for the current date and time, event log messages will default to January 1st.
NOTE: If you don't see any messages in the Event Log, the problem might be with your ad blocker. I learned the hard way that uBlock Origin breaks this page. Just this one page. Don't know why that is. It is a simple matter, however, to disable uBlock Origin on either the entire router website (192.168.50.1 by default) or on just this one page (192.168.50.1/cgi-bin/MANGA/index.cgi?mode=config&option=utlog). Click on the uBlock Origin icon in the top right corner of the browser window and follow the instructions.
STATUS -> CLIENT LIST
This is also a good time to get your first look at the list of clients attached to the router (Status -> Client List). You can click on the Name column for any device and give it a name that makes sense to you (Susans ipad, LivingRoomPC). There is a lot of information here in a short, easily digested format. No doubt the Wi-Fi signal strength will come in handy. Note that these numbers are negative, and the closer to zero the better. For example, -38dBm is a very strong signal while -66dBm is weak but usable. Often the MAC address will not be very interesting, but if you hover over the MAC address while the router is online, it will pop up a balloon with the name of the company that made the network adapter.
AP TAB WI-FI
To configure Wi-Fi go to the AP tab (AP is for Access Point). By default you will be at Wireless SSID in the left side vertical column. SSID is nerd talk for the name of a wireless network. There is, by default, a single Wi-Fi network with an SSID of Pepwave_xxxx where xxxx is the last 4 digits of the router serial number.
Click on the default SSID. The screen shot below shows how this might look after making the changes suggested in this section.
Change the name (SSID field) to something that makes sense to you. For more on this see the SSID page. Change the "Security Policy" to WPA2 - Personal. Do not use either of the WPA/WPA2 options; those mixed modes let clients connect with the older WPA (TKIP) encryption, which is exactly what WPA2 was meant to replace. This is a rare setting where the default value is not the most secure option.
The "Shared Key" field is the Wi-Fi password and it needs to be long. How long is debatable, but at least 11 characters and, far better, 15 characters or even longer. The password does not need to be random junk (3kFezcfIUIU3*wqmj), however. As a starting point, use two words and a number (99REDballoonz or route66HIghway). For more see the page on Wi-Fi encryption. The default Wi-Fi password is the last 8 digits of the LAN side MAC address.
IGNORE THESE SETTINGS: You can ignore the VLAN ID (if it even appears) for now. There is more on VLANs below. Broadcast SSID is checked by default and should remain checked. Some articles suggest that not broadcasting the network name is a security feature, but it offers very little security: the name is still sent in the clear whenever a client connects. Even if you wanted to do this, it's best to do it later, not initially. The box that says "Always on" on the "Enable" line has no other options, initially. Peplink Wi-Fi networks can be scheduled. For example, you might want to turn off Wi-Fi at night, thinking that a network that does not exist can't be hacked. There is no need for scheduling initially. If you were using schedules, this is where the assorted schedules would appear, letting you apply one to this wireless network. The Access Control Settings are for MAC address filtering, a security feature that does not provide much security (MAC addresses are visible to anyone listening and trivially changed), so it can be left with the default value of "None".
As before, click the SAVE button at the bottom, then the Apply Changes button at the top.
For the time being, a single Wi-Fi network is enough. The Surf SOHO can create many Wi-Fi networks but the others can be created later.
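The page gives two sets of password rules: the ones firmware 8 displays for the router admin password (at least 10 characters with an upper-case letter, a lower-case letter and a digit) and the length advice for the Wi-Fi Shared Key (11 characters minimum, 15 or more preferred, the same advice repeated in the per-SSID section later). The following is an added example, not code from the page or from Peplink, that checks a candidate against those rules and generates a Shared Key in the two-words-and-a-number style the page suggests, using the operating system's random source so the result is not guessable. The word list is constructed for the example; a real one should be much larger. The 8-to-63-character limit comes from the WPA2 passphrase specification, not from the page.

```python
"""Check passwords against the rules on this page and generate a Wi-Fi key.

Added example, not from the original page or from Peplink. WORDS is a
constructed word list for demonstration only.
"""
import secrets

# Admin password rules the firmware 8 logon screen displays (from the page).
ADMIN_MIN_LEN = 10
# Wi-Fi key: WPA2-Personal allows 8 to 63 printable ASCII characters (spec);
# the page wants at least 11 and prefers 15 or more.
WIFI_OK_LEN, WIFI_GOOD_LEN, WIFI_MAX_LEN = 11, 15, 63

# Constructed word list for the example; use a large one in practice.
WORDS = ("balloon", "highway", "coffee", "garden", "window", "pepper",
         "silver", "canyon", "market", "turtle", "rocket", "meadow")


def admin_password_ok(pw: str) -> bool:
    """Length >= 10 with at least one upper-case, one lower-case and one digit."""
    return (len(pw) >= ADMIN_MIN_LEN
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def rate_wifi_key(key: str) -> str:
    """One of: 'invalid characters', 'too long', 'too short', 'acceptable', 'good'."""
    if not all(32 <= ord(c) <= 126 for c in key):   # printable ASCII only
        return "invalid characters"
    if len(key) > WIFI_MAX_LEN:
        return "too long"
    if len(key) < WIFI_OK_LEN:
        return "too short"
    return "good" if len(key) >= WIFI_GOOD_LEN else "acceptable"


def make_wifi_key(words=WORDS, min_len: int = WIFI_GOOD_LEN) -> str:
    """Two random words (the second upper-cased) around a three-digit number,
    e.g. 'garden427ROCKET', drawn with the secrets module (CSPRNG), so the
    key is unpredictable even though it looks memorable. Redraws until the
    key is long enough, since short words can fall under min_len."""
    while True:
        first, second = secrets.choice(words), secrets.choice(words)
        number = secrets.randbelow(900) + 100          # 100..999
        key = f"{first}{number}{second.upper()}"
        if len(key) >= min_len and rate_wifi_key(key) == "good":
            return key


if __name__ == "__main__":
    for candidate in ("admin", "SurfSoho2018"):
        print(f"admin password {candidate!r}: {admin_password_ok(candidate)}")
    for candidate in ("route66HIghway", "3kFezcfIUIU3*wqmj"):
        print(f"wifi key {candidate!r}: {rate_wifi_key(candidate)}")
    print("generated:", make_wifi_key())
```

Note that rate_wifi_key() measures only length and character set, which is all the page's advice covers; two dictionary words and a number are fine against someone guessing from outside, but the word list must be large and the choice truly random, which is why the generator uses secrets rather than random.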
IP ADDRESSES and SUBNETS
The next thing to change is the LAN side network numbering scheme. For more about this, see the IP address page. An IP address consists of four decimal numbers separated by periods. All the devices connected to the router will, at least initially, share the same first three numbers. Those three numbers define a subnet (sub network).
The Surf SOHO defaults to the 192.168.50.x subnet. This means that all devices connected to the router will have a LAN side IP address that starts with 192.168.50. The router itself, as we have already seen in the web browser, is 192.168.50.1. Changing these defaults makes for better security: malware on a LAN device, or a malicious web page trying to reach your router through your browser, has to guess the router's address, and the factory default is the first guess.
A good choice is a network that starts with 10. The next two numbers can be anything between 0 and 255. I suggest not using 0 or 1. Also, do not use 10.0.0.x, 10.0.1.x, 10.1.1.x or 10.10.10.x, since they are common defaults. Some easy to remember networks would be 10.11.12.x and 10.20.30.x. If you live at 123 Main Street, then maybe use 10.123.123.x.
Another choice that needs to be made is the IP address of the router. Typically, it is assigned the number 1, so on a network where everything is 10.123.123.x the router would be 10.123.123.1. Using any number other than 1 makes the router a little harder to guess.
The final issue with subnets is how devices get their IP addresses. Most of the time, the router assigns the IP address for a day or so and then the devices call back to the router for a new assignment. Devices thus get dynamic IP addresses and the protocol for this is DHCP (where the D is for Dynamic). Devices can also be configured with their own IP address that never changes and thus not be dependent on the router or DHCP. A device with a never changing IP address is said to have a static IP address. Devices such as a network printer or a NAS (Network Attached Storage) function a bit better with a static IP address.
Putting this all together, we might end up using
10.123.123.x as the subnet
10.123.123.3 for the router
10.123.123.20-250 for dynamically assigned IP addresses (DHCP)
The remaining IP addresses, 1, 2, 4 through 19 and 251 through 254, can be used by devices with static IP addresses (.0 is the network address and .255 is the broadcast address, so neither can be given to a device). This scheme allows for up to 231 devices to get dynamic IP addresses, which should be sufficient for most people most of the time.
NOTE: If the router is plugged into a modem, fine. However, a router can be plugged into another router or a gateway (combination modem and router in one box). Specifically, the WAN/Internet port on the new Surf SOHO router would be plugged into a LAN port on the existing router/gateway. This complicates things a bit as the existing router/gateway has its own scheme for LAN side IP addresses. The Surf SOHO should use a different subnet from that of the existing router/gateway device. Since most of them use 192.168.x.x, anything that starts with 10 should be fine. Another potential conflict is Wi-Fi. It is safer, but not mandatory, to disable the Wi-Fi on the existing router/gateway. If you want to keep the pre-existing Wi-Fi network(s), use it/them only as a guest network. Once the new router is working, you can try to dumb-down the box from your ISP to act merely as a modem, a mode of operation normally called bridge mode. Thanks to Zach for bringing this up.
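Before typing an addressing plan into the router, it is worth checking it on paper: that the router's address is really inside the subnet, that the DHCP range does not swallow the router's address, that the subnet is not one of the common defaults, and, when the Surf SOHO sits behind another router, that the two subnets do not overlap. The following is an added example, not code from the page or from Peplink, that performs those checks on the plan worked out above using Python's standard ipaddress module. The upstream subnet 192.168.1.0/24 is an assumed stand-in for whatever your ISP's gateway uses.

```python
"""Sanity-check a LAN addressing plan for the Surf SOHO.

Added example, not from the original page. The plan values are the page's
(10.123.123.0/24, router .3, DHCP .20-.250); the upstream 192.168.1.0/24
is an assumed stand-in for the ISP gateway's subnet.
"""
import ipaddress

# Subnets the page says to avoid: common factory defaults (192.168.50.0/24
# is the Surf SOHO's own default).
DEFAULT_SUBNETS = {"10.0.0.0/24", "10.0.1.0/24", "10.1.1.0/24",
                   "10.10.10.0/24", "192.168.50.0/24"}


def _runs(offsets):
    """Collapse a sorted list of ints into (start, end) runs: [1,2,4,5] -> [(1,2),(4,5)]."""
    runs = []
    for n in offsets:
        if runs and n == runs[-1][1] + 1:
            runs[-1][1] = n
        else:
            runs.append([n, n])
    return [tuple(r) for r in runs]


def plan_lan(subnet, router, dhcp_first, dhcp_last, upstream=None):
    """Return problems (must fix), warnings (predictable choices), the DHCP
    pool size and the last-octet runs left free for static addresses."""
    net = ipaddress.ip_network(subnet, strict=True)   # rejects 10.123.123.3/24
    hosts = set(net.hosts())                          # excludes network + broadcast
    r = ipaddress.ip_address(router)
    lo, hi = ipaddress.ip_address(dhcp_first), ipaddress.ip_address(dhcp_last)
    problems, warnings = [], []

    if r not in hosts:
        problems.append("router address is not a usable host address in the subnet")
    if lo > hi:
        problems.append("DHCP range is reversed")
    if lo not in hosts or hi not in hosts:
        problems.append("DHCP range is not entirely inside the subnet")
    if lo <= r <= hi:
        problems.append("DHCP range includes the router's own address")
    if upstream is not None and ipaddress.ip_network(upstream).overlaps(net):
        problems.append("subnet overlaps the upstream router/gateway subnet")

    if str(net) in DEFAULT_SUBNETS:
        warnings.append("subnet is a common default; pick something less predictable")
    if r == net.network_address + 1:
        warnings.append("router is at .1, the first address anyone guesses")

    dhcp_count = max(0, int(hi) - int(lo) + 1) if lo <= hi else 0
    free = sorted(int(a) - int(net.network_address)
                  for a in hosts if a != r and not (lo <= a <= hi))
    return {"problems": problems, "warnings": warnings,
            "dhcp_count": dhcp_count, "static_ranges": _runs(free)}


if __name__ == "__main__":
    plan = plan_lan("10.123.123.0/24", "10.123.123.3",
                    "10.123.123.20", "10.123.123.250", upstream="192.168.1.0/24")
    for key, value in plan.items():
        print(f"{key}: {value}")
```

For the page's plan this reports no problems, a DHCP pool of 231 addresses and static runs of 1-2, 4-19 and 251-254. Feed it the factory defaults (192.168.50.0/24 with the router at .1) and you get both warnings; give it an upstream subnet equal to its own and you get the overlap problem that double-NAT setups run into.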
To make these changes, go to the Network tab (shown above). It will default to LAN Network Settings, which is what we want.
In the "IP Address" field, enter the IP address of the router (10.123.123.3 in our example). Do not change the numbers to the right of this; the default (255.255.255.0 /24) is just fine.
In the "IP Range" field enter 10.123.123.20 and 10.123.123.250. Again, do not change the third set of numbers from its default value (255.255.255.0 /24).
That's it. Among the defaults that do not need to change are: DHCP Server (enabled), DHCP Server Logging (off), Lease Time (1 day), DNS Servers (checked on), BOOTP (off).
Click the SAVE button at the bottom, then Apply Changes at the top.
As before, when we changed the port number, these changes will cause you to lose contact with the router. It is best at this point to reboot the computer you are using so that it can pick up the new 10.123.123.x subnet and be assigned a new IP address on that subnet. After it restarts, point your web browser to https://10.123.123.3:999 (where 999 stands for whatever Web Admin Port you chose earlier). At this point, you can bookmark this; it should not change going forward.
With the preliminaries out of the way, this is a good time to update the firmware. Granted, there is a chance that the new router has the latest firmware, but it's a pretty small chance.
The Surf SOHO can update its firmware either online or off-line. Off-line is a manual process - you download the new firmware onto the computer connected to the router and then point the router to a .bin file that is the firmware. On-line is more automated, there is no downloading or uploading. However, on-line is only an option if the router detects the availability of new firmware and the track record here is not good. Off-line updates are also called manual updates.
The definitive source for firmware is the Peplink website, specifically the download page at peplink.com/support/downloads. You should always check this page first to learn the latest firmware. As I write this (Jan. 2018) the latest firmware for the first generation Surf SOHO (HW1) is 6.3.5. The latest for both the second (HW2) and third (MK3) generations is 7.0.3.
Firmware updates (both online and off-line) start at System -> Firmware. Click the "Check for Firmware" button.
If it finds the latest firmware, you are good to go, the process is self-explanatory. If it does not detect the latest firmware, then download it from the Peplink website. The firmware should be a single file that ends with .bin. Somewhere in the file name will be the version number and a build number.
Another reason to do an off-line/manual firmware update is that you don't want to put the new router online with old firmware, even if it is behind an existing router. If you don't have another router to shield the new one, this is an excellent reason.
A manual update starts with the "Choose File" button. Point it to the .bin file, then click the "Manual Upgrade" button. The file is uploaded to the router, then it is validated by the router. Next, you will see an orange progress bar and be warned that the upgrade may take up to 6 minutes, which is a reasonable approximation. When the process completes, you will be at the login page.
After logging in, look for the new firmware version on the Dashboard page (the Dashboard is the first page you see after logging in). Then, just for fun, go to System -> Reboot where you will see one of the biggest advantages to using a Peplink router. Should the new firmware cause grief, you can easily reboot the router back to the previous firmware. You can also check the Event Log. The message "System: started up" includes the firmware version.
Another great thing about Peplink, is the ability to save the current router settings. In the absolute worst case, where you have to reset the router to factory fresh state, you can then import these saved settings and not have to re-do all the changes on this page. The icing on this cake is that you don't even have to remember this, the router will remind you to save the current settings before updating the firmware. Just great.
At this, point we have not made all that many changes, but still, I suggest saving the current configuration settings just for the practice. You can save the settings at any time from System -> Configuration -> gray Download button. The downloaded file is very small. The name starts with the date in yyyymmdd format and ends with .conf.
MANAGING TWO FIRMWARES
Normally as new firmware is released, you keep upgrading to the latest version with the prior version also installed and serving as a fallback. For example, when firmware 8 was released, it started at 8.0, then came 8.0.1 and 8.0.2. Thus, the normal progression would be:
7.1.2 and 8.0
8.0.1 and 8.0
8.0.1 and 8.0.2
But, you can take more control over this. Suppose you wanted to remain on firmware 7 but still be able to kick the tires on these new firmware versions? This is indeed possible. After first installing 8.0, the two installed versions are 7 and 8. To update from 8.0 to 8.0.1 while still keeping version 7, all you need do is be running firmware version 7 at the time, because a new firmware always replaces the copy that is not currently running. If so, 8.0 will be replaced by 8.0.1 with version 7 still available. Then, do the same thing to upgrade 8.0.1 to 8.0.2, while keeping version 7 installed. Thus, the progression over time of the two installed firmwares would be:
7.1.2 and 8.0
7.1.2 and 8.0.1
7.1.2 and 8.0.2
This is really great.
If the Surf SOHO is currently connected to the Internet, disconnect it now.
This is a great time to create your first VLAN. Detailed instructions are on the VLAN page. That page starts with an introduction to VLANs and network segmentation/isolation. You can think of VLANs as the way Peplink implements Guest networks. Not a great analogy, just a starting point.
If you just want click-here, type-this barest minimum instructions for getting started with VLANs, here you go:
The just-created VLAN (Guest-VLAN, aka number 22) can be assigned to zero, one, two or even more wireless networks. As a start, assign it to a single network/SSID. VLANs and Wi-Fi networks can both be created, deleted, renamed and re-assigned at any time, so whatever you do now can always be changed later.
There are many Wi-Fi settings that are not tied to one specific SSID. To configure these, go to the AP tab, then Settings as shown below (HW2 Firmware 7.0). First, verify that the Country is correct. What you see here varies depending on whether you are using the 1st, 2nd or 3rd generation of the Surf SOHO.
The first two generations (HW1 and HW2) could only use one Wi-Fi band at a time. That is, you had to choose between 2.4GHz and 5GHz. The choice was made by selecting a Protocol of 802.11ng for 2.4GHz or 802.11na for 5GHz.
The 3rd generation (MK3) uses both frequency bands concurrently. By default, its broadcasts each SSID on each frequency band, which should be fine most of the time. If not, here is where you restrict an SSID to a single frequency band.
The first two generations of the Surf SOHO let you chose between their internal antenna or the optional external antennas. This is not an option with the third generation.
On 3rd generation hardware, the "Wi-Fi AP Settings" section is poorly designed. The left side column controls the 2.4GHz radio, the right side is for 5GHz. For 2.4GHz, a Protocol of 802.11ng means it is using both Wi-Fi N and G. This seems to be the only choice. For 5GHz it always seems to use 802.11ac, the latest and greatest flavor of Wi-Fi.
When it comes to Channel Width, there is no one right answer. Also, Wi-Fi will work no matter what you pick here, it will just work faster with a better choice. Wider channels transmit more data, and thus are faster, but they are also more likely to suffer and cause interference from/by nearby networks. That said, on the 2.4GHz band, the Surf SOHO defaults to using narrow 20MHz wide channels which is pretty much an industry standard and is certainly what you should start with. Only if there are no Wi-Fi networks anywhere nearby should you consider bumping this up to 20/40MHz. Even then, I think the channel width is best left at 20MHz.
On the 5GHz band, the 3rd generation Surf SOHO defaults to using relatively wide 80MHz channels. The first two generations can only use a channel width of 20MHz or 40MHz. As with the other frequency band, wider channels are faster but interfere more with your neighbors which just slows everyone down. In a very crowded area, the safest choice is a narrow 20MHz wide channel. If there is no Wi-Fi anywhere near you, then a wide 80MHz channel width will be faster. Probably, most people should start with a 40 MHz channel width. You may need some trial and error here.
Like any router, you can either let the Surf SOHO dynamically choose a channel or set it to always use one specific channel. On the 2.4GHz band, experts agree that the only channels anyone should use are 1, 6 and 11. All the rest interfere with each other. It is better for everyone involved if two nearby networks both use channel 6 (for example) as opposed to one using 5 and the other using 6. Many routers use these wrong channels.
The Surf SOHO (all generations) offers a third choice. It can automatically choose a channel, but you can restrict its choices to just 1, 6 and 11. To do this, select Auto for the Channel parameter and then click the Edit button. The same feature exists on the 5GHz band, just with different channels. If, for example, you know that a nearby network always uses a specific channel, you can use this to insure that your router will never use that channel, but still let it dynamically choose from the remaining channels.
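Deciding which of channels 1, 6 and 11 to use, or which one to strike from the Auto list, is easier with numbers than by eye. The following is an added example, not code from the page or from Peplink, that takes a Wi-Fi scan (SSID, channel, signal in dBm, as a laptop's scanner reports it) and scores each of the three channels by how much neighbouring signal lands on it, converting dBm to milliwatts so the contributions can be summed and weighting each by how far the neighbour's channel overlaps. It assumes the classic 22 MHz 2.4GHz channel mask, under which channels 1, 6 and 11 are the only set that does not overlap, as the page says. The scan list is constructed for the example.

```python
"""Pick the least-crowded of 2.4GHz channels 1, 6 and 11 from a Wi-Fi scan.

Added example, not from the original page or from Peplink. SAMPLE_SCAN is
constructed; a real scan comes from your laptop's Wi-Fi scanner. Assumes
the 22 MHz channel mask of 802.11b/g, so channels 1, 6 and 11 do not overlap.
"""

CHANNEL_WIDTH_MHZ = 22
PREFERRED = (1, 6, 11)


def center_mhz(channel: int) -> int:
    """Center frequency of a 2.4GHz channel; channel 14 is the odd one out."""
    if not 1 <= channel <= 14:
        raise ValueError(f"not a 2.4GHz channel: {channel}")
    return 2484 if channel == 14 else 2407 + 5 * channel


def overlap_fraction(a: int, b: int) -> float:
    """Share of channel a's width that channel b's transmissions fall into (0..1)."""
    gap = abs(center_mhz(a) - center_mhz(b))
    return max(0.0, CHANNEL_WIDTH_MHZ - gap) / CHANNEL_WIDTH_MHZ


def channels_overlap(a: int, b: int) -> bool:
    return overlap_fraction(a, b) > 0


def dbm_to_mw(dbm: float) -> float:
    """dBm is logarithmic; milliwatts can be added up."""
    return 10 ** (dbm / 10)


def interference_mw(candidate: int, scan) -> float:
    """Total neighbour power landing on `candidate`, weighted by channel overlap."""
    return sum(dbm_to_mw(rssi) * overlap_fraction(candidate, ch)
               for _ssid, ch, rssi in scan)


def best_channel(scan, candidates=PREFERRED, exclude=()) -> int:
    """Least-interfered channel among candidates, skipping any in `exclude`
    (for instance a channel a neighbour is known to sit on permanently)."""
    choices = [c for c in candidates if c not in exclude]
    if not choices:
        raise ValueError("every candidate channel is excluded")
    return min(choices, key=lambda c: interference_mw(c, scan))


# Constructed scan: (SSID, channel, signal in dBm); closer to zero is stronger.
SAMPLE_SCAN = [
    ("NeighborA", 6, -50),   # strong, sitting right on channel 6
    ("NeighborB", 11, -70),  # weaker, on channel 11
    ("NeighborC", 3, -80),   # faint, off-grid channel bleeding into both 1 and 6
]

if __name__ == "__main__":
    for c in PREFERRED:
        print(f"channel {c:2d}: {interference_mw(c, SAMPLE_SCAN):.3e} mW of neighbour signal")
    print("use channel", best_channel(SAMPLE_SCAN))
    print("if channel 1 is excluded, use", best_channel(SAMPLE_SCAN, exclude=(1,)))
```

On the constructed scan, channel 1 wins because the only thing touching it is the faint channel-3 network, channel 11 comes second, and channel 6 is a poor choice because of the strong neighbour already on it; excluding channel 1, as the page's Auto-with-restrictions feature lets you do, shifts the answer to 11. The same arithmetic applies on 5GHz with that band's channel centers and widths.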
Wi-Fi experts can click on the white question mark in the blue circle for advanced Wi-Fi options such as the Beacon Rate, Beacon Interval and the RTS Threshold. For the rest of us, there is no need adjust these things.
SETTINGS FOR ONE SSID
To configure an individual Wi-Fi network (SSID) the settings are mostly standard and fairly self-explanatory (see below). In firmware 7.1, you get to the list of networks from the AP tab, then Wireless SSID in the left side vertical column (it should be the default). The list below shows a Surf SOHO with five defined SSIDs (blue-d out for privacy reasons). The router can create up to eight networks. The second network in the list is in very light gray because, although it has been defined, it is disabled.
Clicking on the name of a network, gets you to the screen below. Or, click the gray Add button to create a new network/SSID.
If you have enabled VLANs, then each SSID must either be assigned to a VLAN or assigned to the non-VLAN shared network, which techies call the untagged network or untagged LAN. Rather than use this obscure term, in the example below, the non-VLAN shared network is called MikeysPrivateLAN. There is a drop-down list of the available VLANs which shows both the VLAN name and number.
The standard "Security Policy" is WPA2-Personal. This always uses "Encryption" of AES:CCMP which is the right thing to do. "Shared Key" is nerd lingo for the Wi-Fi password. It is best to use a Wi-Fi password that is at least 14 characters long. For more on this see the WiFi Encryption WPA2 and WPA and WEP page. The Surf SOHO also supports WPA2 - Enterprise networks which are more secure than normal WPA2 networks but also much harder to set up. They are typically used by large companies and not something to deal with at first, if at all. In the screen shot above, showing the 5 networks, two are using WPA2 - Enterprise. The WiFi Encryption page has more on WPA2 - Enterprise networks.
The screen shot above is also an example of scheduling, which is optional. The field labeled "Enable" should really be called "Scheduling". Strikes me as a bug. The "MikeysWifi" network has been assigned a schedule of "OffFrom1to6am" which could be anything, but probably disables the wireless network between 1am and 6am.
You can ignore the Access Control Settings section. This is commonly known as MAC Address Filtering and is usually not worth bothering with: a MAC address is sent in the clear in every Wi-Fi frame and is trivial for an attacker to copy, so filtering only keeps out devices that were not trying to get in. You can also leave the "Broadcast SSID" field checked. Not broadcasting the name of your network(s) is, at best, slightly more secure (the name still shows up in the traffic of every device that connects) and usually not worth the trouble.
FYI: If you want to disable Wi-Fi altogether, the interface is different on the latest MK3 hardware version compared to the earlier HW1 and HW2 versions. On the two older versions, go to the AP tab and click on an SSID (network name). There will be an "Enable" checkbox. Right next to this checkbox is a list of schedules, so you could have the Wi-Fi turn off at night automatically. On the MK3 the "Enable" checkbox has been removed. I suppose you could schedule it to only be active for one minute each day and also not to broadcast the SSID and use a very long password. Then too, it should be possible to disable Wi-Fi using InControl2 (I have not checked) and possibly with the Peplink mobile app (again, I have not tried).
A NETWORK FOR THE KIDS
The great thing about being able to create many wireless networks is the flexibility. Perhaps you might have one network for normal family use, one for when a parent is working from home, one for IoT devices, one for Guests and one for children that cuts them off from the Internet at bed time. This section describes how to limit children. The Surf SOHO can not limit children to a certain number of hours, but it can limit their access by time of day.
First, create a wireless network (SSID) just for the children. To schedule the availability of their network, you first create a Schedule (System tab -> Schedule).
When creating the schedule, the Enable checkbox should be on. Give it a name that means something to you, perhaps "KidsSchedule". The name can be anything. I named one schedule "OffFrom1amto6am". Firmware 7.2 comes with two already-defined schedules. Most likely you will want to create a Custom schedule. You define the schedule by clicking in a bunch of green squares, each square representing 30 minutes. A green square with a check in it means the schedule is ON for those 30 minutes. A gray square with an X in it means the schedule is OFF. Turning off the Internet on school days at 9PM but leaving it on until 11PM on weekends is easily done. Save the schedule when you are done.
Next, assign the kids wireless network (SSID) to the schedule. From the AP tab, click on the name of the network. For some reason the scheduling feature is called "Enable". Turn this on by checking the checkbox, then the kids schedule will be an option. Save the changes, when you are done.
When things change in the future, you can change the schedule. Or, if need be, disable the schedule entirely. Or, assign the kids network to a different schedule. Nothing is carved in stone.
If you can get up to speed on VLANs, it would probably be a good idea to segregate the kids into their own VLAN too. For advanced credit :-)
DNS is important. To get up to speed on the concepts, the Test Your DNS page has both a short and a long introduction to the topic.
You do not need to change DNS servers, but it's a good thing to do. I say this because it is preferable to use DNS servers from a professionally run organization rather than from your ISP. Three good choices are Cloudflare (1.1.1.1 and 1.0.0.1), Quad9 (9.9.9.9 and 149.112.112.112) and OpenDNS (208.67.222.222 and 208.67.220.220). Quad9 also refuses to resolve domains known to be malicious. Google is a popular choice (8.8.8.8 and 8.8.4.4) but some people feel they know too much about us already.
To configure your router to use one of these companies, start at the Dashboard page, then click on the gray Details button for the WAN (i.e. Internet) connection. Turn off the "Obtain DNS server address automatically" checkbox. Turn on the checkbox for "Use the following DNS server address(es)" and enter the IP addresses of your preferred company. Finally, click the Save and Apply button at the bottom.
By default, devices connected to the Surf SOHO see the router as their DNS servers. That is, they do not see the IP addresses for Cloudflare, Quad9, OpenDNS or Google. In techie terms, the router is acting as a DNS proxy. You see this here: Network tab -> Network Settings -> DNS Proxy Settings -> Enable -> checkbox.
Normally the DNS servers that the router is configured to use are given to devices that connect to the router via DHCP, along with a temporary IP address. However, devices can be manually configured to use whatever DNS servers they want, regardless of what the router is using. So, for example, if parents configure their router to use DNS servers that block porn, the kids can change their computers to use other DNS servers that don't block anything. I have seen a Roku box make its DNS requests to Google's DNS server (8.8.8.8) rather than the DNS servers given out by the router.
But, Peplink routers have the ability to seize control of all DNS requests. Regardless of how the kids have configured their computing devices, as long as they connect to the Surf SOHO it sees their DNS requests and it can, optionally, re-route them to the DNS servers the router is configured to use. This forces kids to hack into the neighbor's Wi-Fi network for their porn :-) Trust me, Roku devices work fine with any DNS server.
To force everyone to use the DNS servers from the router, the router must first be set up as the DNS proxy (see above). Then, you have to enable DNS forwarding, which is off by default. I know, a poor name. To do this: Advanced tab -> Service forwarding -> DNS Forwarding Setup -> and turn on the checkbox for "Forward Outgoing DNS Requests to Local DNS Proxy". Then click the gray Save button and Apply Changes. There is no need for any of the other types of Service Forwarding.
Another benefit of forcing devices to use the DNS servers in the router is that malicious software sometimes uses DNS requests to phone home to its Command and Control (C2) server, often by talking directly to a DNS server of its own choosing. Imposing your DNS servers prevents malware from contacting DNS servers run by the bad guys, and if the servers you chose filter known-bad domains (Quad9 does), the lookup fails outright. It does not stop malware that simply resolves its C2 domain through your resolver like any other name, and it only catches plain-text DNS on port 53 (more on that below).
The bad news is that this over-rides the DNS servers for a VLAN. That is, without this DNS mandate, each VLAN can use different DNS servers. This lets you, for example, create an SSID/VLAN for children that uses family friendly DNS servers. Forcing everyone to use one set of DNS servers means just that, and it applies to all the VLANs too.
Another issue is that DNS is changing, drastically. Old/legacy DNS is in plain text and always uses port 53. New DNS is encrypted and uses either port 443 or 853. New DNS uses one of two new protocols, DNS over TLS (DoT, port 853) and DNS over HTTPS (DoH, port 443). Because new DNS requests are encrypted and do not use port 53, the router can neither see inside them nor re-route them. If the kids can configure a web browser to use new DNS, they get their porn back. An outbound firewall rule that denies TCP port 853 blocks DoT completely, since nothing else uses that port, but DoH on port 443 looks like any other HTTPS traffic and can only be stopped by blocking the names or IP addresses of the DoH servers themselves. As of February 2020, the only operating systems that can use new DNS system-wide are Android 9 and 10. On other systems, some browsers support it and some do not. There is a topic on Encrypted DNS on my DefensiveComputingChecklist.com site.
Having the router serve as the DNS proxy (for old DNS), lets us use DNS to block certain websites. Peplink offers three ways to block websites, each with its pros and cons. You get to the Local DNS records, as shown below, with: Network tab -> Network Settings -> Local DNS Records. To block a particular website (really any computer) just assign it to a special IP address: 127.0.0.1.
The upside of DNS blocking is that access is blocked for all protocols. That is, the named computer can be a website, or an FTP site or an email server or anything. No matter what it is, access is blocked. Another type of blocking offered by the router only applies to websites. On the downside, there is no logging of DNS blocking. Also, it is very specific, perhaps too much so. For example, in the screen shot above we see it blocking ad.tagdelivery.com. This does not block ad2.tagdelivery.com or xyz.tagdelivery.com. So, this can lead to whack-a-mole. To see the blocking in action, this might be the result of blocking googleads.g.doubleclick.net.
If there are Windows 10 computers on your network, you might want to block v10.events.data.microsoft.com using DNS. I ran across this while tracking DNS requests made by a Windows 10 computer while it sat idle. This is one of many domains that Windows 10 phones home to while spying on us. More Windows 10 domains you might want to block are here: Enrolling devices in Windows Analytics and Configure Windows diagnostic data in your organization and Windows Analytics connectivity tests.
If you read this September 2019 article, Brave uncovers Google's GDPR workaround you may want to use DNS to block pagead2.googlesyndication.com.
This January 2020 article describes how bad guys create fake web pages at sway.office.com, and since this domain really belongs to Microsoft, it fools both people and defensive software. Perhaps assign sway.office.com to 127.0.0.1 to ensure it can never be used on your local network.
Another configuration option, as per SquidBlackList.org, might be to force Google SafeSearch with a DNS entry for *.google.com that points to 216.239.38.120, the address of forcesafesearch.google.com, which Google documents for exactly this purpose. Note that Google's own instructions only remap www.google.com and its country-specific equivalents; a wildcard that also catches names such as mail.google.com may break those services, so test before relying on it.
One huge limitation to all blocking in the router (not just DNS blocking) is that both a VPN and Tor are unaffected. In each case, the router never sees the DNS requests, all it sees is encrypted data to the VPN server or to the Tor entry node. Don't tell the kids.
One place where the specificity is an asset is in blocking the telemetry and ads on a Roku box. There are many articles, such as this one, that discuss specific Roku host names that you can block without a noticeable effect. I can vouch for the fact that blocking scribe.logs.roku.com and cooper.logs.roku.com (from here) does not interfere with anything. That article suggests other Roku domains to block such as amoeba.web.roku.com, ads.roku.com and p.ads.roku.com. This also illustrates a downside, the lack of auditing.
Finally, if you want to block Facebook, a good place to start is with: www.facebook.com, web.facebook.com, facebook.com, staticxx.facebook.com, graph.facebook.com, connect.facebook.net, apps.facebook.com and fbshare.me.
As it should, the Surf SOHO defaults to blocking all unsolicited incoming connections. An initial look at the firewall rules is confusing, as the lone default rule looks like it lets everything in, but it does not.
To open a port, again as with any router, you use Port Forwarding (Advanced tab -> Port Forwarding). This requires a static IP address on the LAN side. Another nice default of the Surf SOHO is that devices using DHCP (which is most devices) normally get assigned the same IP address every time they join the network, but to guarantee it, use the DHCP Reservation feature. Go Network -> Network settings and click on either the untagged LAN or a VLAN. DHCP Reservation is the last field in the DHCP Server section. You specify the MAC address, IP address and a name for the computer. Other than VLAN support, this is standard stuff.
A rare feature that the Surf SOHO offers is logging of port forwarding activity. This is not configured when the port forwarding is defined, instead it requires an inbound firewall rule (Advanced tab -> Access Rules -> Inbound Firewall Rules). Set the destination IP address the same as the Port Forwarding rule, make it an Allow rule and enable Event Logging. If this creates too much data, logging can be restricted by source IP address(s). I have found this to be a great auditing tool for remote access to computers behind the router. It can also tighten up the security of remote access by limiting the source IP network(s).
OUTGOING FIREWALL RULES
To create an outgoing firewall rule, go to Advanced -> Access Rules -> Outbound Firewall Rules. Two places to start with outbound firewall rules are to block Windows file sharing and private IP addresses.
Most IP addresses are used on the public Internet but some are reserved for internal use only. Internal IP addresses will be dropped by the routers that run the Internet. They are only intended for Local Area Networks (LANs). You might think that a router would, on its own, block the internal IP addresses from the Internet, but the Surf SOHO does not. I doubt that any routers do, by default. There are three groups of internal-only IP addresses, defined in RFC 1918.
One group are the IP addresses that start with 192.168. To block the router from sending a request for these IP addresses out the WAN/Internet port, create an outbound firewall rule with a Destination of Network, an IP of 192.168.0.0 and a Mask of 255.255.0.0 (/16) as shown above. Make the Action Deny and turn on Event Logging. The rule name can be anything, a good one might be BlockNet192.168.x.x. A screen shot of this is shown below.
Another group of internal-only IP addresses are those that start with 10. To block these from leaving the router, create a firewall rule with a Destination of Network, an IP of 10.0.0.0 and a Netmask of 255.0.0.0 (/8). Again, the Action should be Deny and I would turn on Event logging. A good rule name might be BlockAll10dots (as shown above).
The last clump start with 172.16 and to block them create a rule with an IP of 172.16.0.0 and a Netmask of 255.240.0.0 (/12). Note that the /12 covers 172.16.0.0 through 172.31.255.255 only; addresses such as 172.32.x.x are public and must not be blocked. In the screen shot above, the rule name is Block172.16.x.x.
I suggest turning on logging for the above rules as I have seen many strange things caught by the rules. Most of them, I can not explain but I feel good having blocked them. With one exception: my cable modem. Modems are computers with a web interface. The modems I have used over the years all used 192.168.100.1 as their internal IP address. Others use 10.0.0.1, 10.1.10.1 or 192.168.0.1. So, do you want to block access to your modem? Sometimes, yes. Sometimes, no. I blogged about this back in 2015, see: Talk to your modem and Using a router to block a modem. If you want your modem blocked, then the rules just discussed, do the job. If however, you want to be able to access a modem, you need to carve out an exception. Assuming the modem is 192.168.100.1, then you need to create an outbound firewall rule with an Action of Allow and a Destination of the single IP address of your modem. The rules are processed top down, so place this rule before the one blocking all IP addresses that start with 192.168.anything. In the screen shot above, the rule for the cable modem is first and set to allow access.
Windows SMB based file sharing is a LAN side thing. It does not belong on the Internet and Outbound Firewall rules can ensure that it never leaves your LAN. I am no expert on this and have read differing accounts of the ports involved with Windows file sharing. The full list of suggested ports to block is: UDP ports 137, 138, 139 and 445 and TCP ports 139 and 445. (UDP 137 and 138 carry NetBIOS name and datagram service, TCP 139 the NetBIOS session service and TCP 445 SMB itself; UDP 139 and 445 are not normally used, so blocking them costs nothing.) I suggest turning on logging for these rules. For more see SMB Security Best Practices (March 2017) and Vulnerability Note VU#824672 Microsoft Windows automatically executes code specified in shortcut files (Aug 2017). FYI: In 2019, I caught some strange traffic from the Brave browser on UDP port 137 thanks to these rules.
Printers: I mention printers here to suggest that you prevent a network printer from phoning home, to ensure that it is not spying on you. This first requires giving the printer a fixed IP address, which can be done in two ways: either on the printer or in the router. Configuring this in the router is probably better because not every printer supports a fixed IP address, and if the network where the printer lives ever changes, it's that much harder to deal with. In firmware 7, you do this in Network tab -> LAN Network Settings -> Untagged Private LAN (or whatever you called it) -> DHCP Reservation. This marries a MAC address to a static (unchanging) IP address. The MAC address of the printer can be obtained from the printer or by displaying the devices connected to the Surf SOHO. Then, you can block that IP address from ever making an outbound connection, with an Outbound Firewall Rule. That said, from time to time you may want to check for updated printer firmware, so the outbound firewall rule will have to be temporarily disabled. In October 2019, I saw a printer-blocking firewall rule prevent a Brother all-in-one from making outbound connections to these IP addresses: 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11 and 18.104.22.168.
In April 2019, we learned of security flaws in iLnkP2P software found in millions of IoT devices. Long story short, you can defend against this by blocking outbound UDP requests to port 32100. Unlike most consumer routers, the Surf SOHO can do this. See Why I like my router by me.
In May 2019, I blogged about incoming probes/attacks on my router (Barbarians at the Gate) and I noticed some bad neighborhoods on the Internet. That is, many attacks came from a couple IP ranges in Russia. So, maybe block all devices on your network from communicating with these IP address. Specifically, block 81.22.45.* (or more aggressively 81.22.*.*) and 185.176.26.* (or 185.176.*.*).
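As an added example (not code from Peplink or from this page), here is a small first-match model of the outbound rule set built up above: the cable-modem exception, the three RFC 1918 deny rules, the SMB ports, UDP 32100 and one of the Russian ranges. The rule names, networks and ports are the ones used in the text; the first-match evaluation, the catch-all allow rule at the end and the test addresses (203.0.113.x is a documentation range) are assumptions. It is handy for checking that an exception sits above the rule it is meant to override, and that the /12 really does stop at 172.31.255.255.

```python
"""First-match model of the outbound firewall rules described above.

Added example, not Peplink code. Rule names, networks, ports and the
modem address come from the text; first-match semantics and the final
catch-all allow rule are assumptions about how the router behaves.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    dst: str = "0.0.0.0/0"             # destination network, CIDR
    proto: Optional[str] = None        # "tcp", "udp" or None for any
    ports: FrozenSet[int] = frozenset()  # empty set means any port
    log: bool = False                  # Event Logging on/off


# Order matters: the router walks this list top down and stops at the
# first rule that matches, so the modem exception must precede the /16.
RULES = [
    Rule("AllowCableModem", "allow", "192.168.100.1/32"),
    Rule("BlockNet192.168.x.x", "deny", "192.168.0.0/16", log=True),
    Rule("BlockAll10dots", "deny", "10.0.0.0/8", log=True),
    Rule("Block172.16.x.x", "deny", "172.16.0.0/12", log=True),
    Rule("BlockSMB-UDP", "deny", proto="udp",
         ports=frozenset({137, 138, 139, 445}), log=True),
    Rule("BlockSMB-TCP", "deny", proto="tcp",
         ports=frozenset({139, 445}), log=True),
    Rule("BlockiLnkP2P", "deny", proto="udp", ports=frozenset({32100}), log=True),
    Rule("BlockBadNeighborhood", "deny", "81.22.45.0/24", log=True),
    Rule("Default", "allow"),          # assumed implicit allow-all
]


def first_match(dst_ip: str, proto: str, port: int, rules=RULES) -> Rule:
    """Return the first rule whose network, protocol and port all match."""
    ip = ip_address(dst_ip)
    for rule in rules:
        if ip not in ip_network(rule.dst):
            continue
        if rule.proto is not None and rule.proto != proto.lower():
            continue
        if rule.ports and port not in rule.ports:
            continue
        return rule
    raise ValueError("no rule matched; the rule list should end with a catch-all")


def decide(dst_ip: str, proto: str, port: int, rules=RULES) -> Tuple[str, str]:
    """Return (action, rule name) for one outbound connection attempt."""
    rule = first_match(dst_ip, proto, port, rules)
    return rule.action, rule.name


if __name__ == "__main__":
    # Constructed sample connections: modem web UI, a LAN-ish leak,
    # the edge of the /12, an SMB attempt and an ordinary HTTPS request.
    for dst, proto, port in [("192.168.100.1", "tcp", 80),
                             ("192.168.1.10", "tcp", 80),
                             ("172.31.255.254", "tcp", 443),
                             ("172.32.0.1", "tcp", 443),
                             ("203.0.113.5", "udp", 445),
                             ("203.0.113.5", "tcp", 443)]:
        action, name = decide(dst, proto, port)
        print(f"{dst:16} {proto}/{port:<6} {action:5} ({name})")
```

Swapping the first two rules reproduces the mistake the text warns about: the modem's web interface is then caught by the 192.168.0.0/16 deny rule.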
Content blocking is similar to firewall rules, but it is based on domain names rather than IP addresses and port numbers. To configure it, go to Advanced -> Content Blocking -> Web blocking -> Customized Domains. Here you can block websites based on their names in a very flexible way (the total opposite of DNS). For example, blocking scorecardresearch.com blocks anything that ends with scorecardresearch.com. That is, it blocks abc.scorecardresearch.com and def.scorecardresearch.com and xyz.scorecardresearch.com. Some domains you might want to block are adnexus.net, amazon-adsystem.com and doubleclick.net.
Perhaps the most powerful aspect of this is that it can block millions of domains at a time by specifying the Top Level Domain (TLD). For example, entering just "cn" blocks every website that ends with ".cn". Goodbye China. Likewise, entering "ru" blocks all Russian websites. Domains ending in "cm" are often malicious and easily blocked. Same for xyz. According to research by Palo Alto Networks you might want to block all domains ending in to, ki and nf.
In August 2019, 22 cities/towns in Texas were hit with ransomware. Afterwards, the incident responders offered some Defensive Computing advice, including blocking outbound network traffic to pastebin.com. To do so in Firmware v7: Advanced -> Content Blocking -> Custom. Then enter pastebin.com in the list. Save the change, then Apply Changes.
To use the router to block Windows spying on you, see this Microsoft article Configure Windows diagnostic data in your organization and then you may want to use Content Blocking to block access to vortex-win.data.microsoft.com and telemetry.microsoft.com.
If you are concerned with online tracking, then you could block the domains in this list of tracking domains from Disconnect.me.
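The difference between the exact-match Local DNS Records discussed earlier and the suffix-matching Content Blocking described here is easy to get wrong, so here is an added example (not Peplink's code) that models both. The two lists are constructed from domains mentioned on this page; the label-boundary rule (an entry of cn blocks shop.example.cn but not cnn.com) is an assumption that follows from the description "ends with .cn".

```python
"""Model of the two name-based blocking methods described on this page.

Added example, not Peplink code. It assumes two behaviours from the
text: a Local DNS Record matches exactly one host name, while a Content
Blocking entry matches that name and everything below it (matched on a
label boundary, so "cn" blocks "shop.example.cn" but not "cnn.com").
"""
from typing import Dict, Iterable, Optional

# Constructed sample lists, built from entries discussed in the text.
LOCAL_DNS_RECORDS: Dict[str, str] = {
    "ad.tagdelivery.com": "127.0.0.1",
    "scribe.logs.roku.com": "127.0.0.1",
    "sway.office.com": "127.0.0.1",
}

CONTENT_BLOCK_LIST = [
    "scorecardresearch.com",
    "doubleclick.net",
    "pastebin.com",
    "cn",      # whole TLD
    "xyz",     # whole TLD
]


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot, as a resolver would."""
    return name.strip().lower().rstrip(".")


def dns_record_answer(name: str, records=LOCAL_DNS_RECORDS) -> Optional[str]:
    """Sinkhole address if a Local DNS Record exactly matches, else None
    (meaning the query is passed on to the upstream resolver)."""
    return records.get(normalize(name))


def content_blocked(name: str, entries: Iterable[str] = CONTENT_BLOCK_LIST) -> bool:
    """True if the name equals an entry or ends with '.' + entry."""
    n = normalize(name)
    for entry in entries:
        e = normalize(entry)
        if n == e or n.endswith("." + e):
            return True
    return False


def classify(name: str) -> str:
    """Describe what the router does with a lookup/connection for name."""
    if dns_record_answer(name) is not None:
        return "sinkholed by Local DNS Record"
    if content_blocked(name):
        return "blocked by Content Blocking"
    return "allowed"


if __name__ == "__main__":
    # Constructed sample names showing exact vs suffix matching.
    for host in ["ad.tagdelivery.com", "ad2.tagdelivery.com",
                 "abc.scorecardresearch.com", "example.cn", "cnn.com",
                 "shop.example.xyz"]:
        print(f"{host:28} {classify(host)}")
```

The whack-a-mole the text mentions shows up directly: ad2.tagdelivery.com sails past the Local DNS Record for ad.tagdelivery.com, whereas a single Content Blocking entry covers every host under scorecardresearch.com.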
This is a good time to change a couple of settings for your Internet connection. Go to the Dashboard page (the home page, if you will) and click on the Details button for the WAN (i.e. Internet) connection. It is a good idea to give the router some idea of the speed of your Internet connection. You can measure this at Fast.com or speedtest.net or many other websites. Speeds are normally measured and reported in Mbps (megabits/second). To configure this, look for "Upload Bandwidth" and "Download Bandwidth". Just above this is a "Reply to ICMP Ping" checkbox. It is on by default in firmware 7. You are a bit more hidden on-line if you turn this off (and do not reply to ICMP echo requests, i.e. pings, from the Internet). Steve Gibson's ShieldsUP! service can be used to test the status of Ping replies. When you are done, click the Save and apply button at the bottom of the window.
UPnP and NAT-PMP are off by default which is the secure option. Still, it would be good to verify this with: Advanced Tab -> Port Forwarding -> UPnP / NAT-PMP Setting.
Another thing to verify is that SNMP is off, which it should be, by default. Do: System -> SNMP and verify that all four checkboxes are off.
Set your time zone with: System -> Time. The default Time Server should be fine. If it needed to be changed, click the gray Save button. When I last checked the router phones home for the time of day every 30 minutes.
Another nice option to enable is DHCP logging. DHCP is the process that gives out IP addresses, DNS servers and other techie data to devices that connect to the router. The Peplink DHCP service can make an entry in the Event Log every time it hands out an IP address. In my experience this can come in handy. In March 2019, I blogged about how it helped pinpoint a problem with a network switch. If nothing else, it's a nice audit trail of devices connecting to the router. You enable it with: Network -> Network Settings -> LAN section. Click on each Network/VLAN and in the DHCP Server section turn on the checkbox for DHCP Server Logging.
If you connect to the Internet via cable or DSL, then you should enable the DSL/Cable Optimization feature at Advanced -> Application. These two types of Internet connections are much faster down (to you) than up (away from you). Peplink says "When a DSL/cable circuit's uplink is congested, the download bandwidth will be affected. Users will not be able to download data in full speed until the uplink becomes less congested. The DSL/Cable Optimization can relieve such issue. When it is enabled, the download speed will become less affected by the upload traffic."
Peplink routers can send you emails when things go wrong. The only error I have ever been notified about is when the Internet connection fails and when it is restored. The Surf SOHO only supports one Internet connection, so you won't get notified, obviously, until the Internet connection is working again. Higher end Peplink routers support multiple Internet connections, so you get notified of outages in real time. If you are using Peplink's VPN, it also emails about status changes with that, and, if the router is monitoring your monthly bandwidth usage, it will email when you are at 75% and 95% of the limit. The company claims that it will email you about newly available firmware, this has not been my experience.
This is not very important, but unless and until there is a problem with your Internet connection, there is no need to have the Surf SOHO constantly monitor the quality of the connection. As of firmware 8, the default is to monitor the WAN Quality. Monitoring causes the router to send an outbound request to IP address 22.214.171.124, port 443, every six seconds. To disable monitoring: Network tab -> WAN -> WAN Quality Monitoring. The default is Auto. Change it to Custom and do not select any of the available Internet connections. To see the results of any monitoring, go to Status tab -> WAN Quality.
Setup email notification at: System -> Email Notification. It requires the full techie details of an SMTP server and an account on that server. The last time I tried to use Gmail for this, it did not work, don't know why. The Sender email address can be anything you want it to be. There can also be multiple recipients. There is a test facility to send a test message.
Now that you have gone to all the trouble of configuring the router, it is a great time to save the current configuration. You can do this with System Tab -> Configuration -> Download Active Configurations -> gray Download button. This creates a .conf file on whatever computer you are using. The file name starts with the current date in yyyymmdd format. Treat the file as sensitive: restoring it brings back your Wi-Fi passwords and the rest of the router's secrets, so keep it somewhere safe, not in a shared folder.
InControl2 is a Peplink system that offers remote access to their devices. One year of access to InControl2 (aka IC2 for short) is provided for free when you buy a Surf SOHO. After that, it costs $25/year. InControl2 is not required for anything, so you can simply ignore it. Many people do not need it, it makes the most sense for those owning many Peplink devices. But, even if you don't want it or need it, you should nonetheless create an account on the system. Peplink devices have permanent serial numbers and it is best for you to lock your Peplink device to your InControl2 account to prevent someone that learns the serial number of your router from adding it to their account, which could let them access your router.
As of firmware 8.0.2 (and perhaps earlier) you are now warned to sign up with InControl2 with a yellow message on the Dashboard (the main/first page of the web interface).
You can sign up at https://incontrol2.peplink.com. The system is keyed off an email address (any email address) and a password you create. Creating a new InControl2 account requires creating a group. Just make up any group name. Note that when you first logon, the system may not have the correct warranty period, it may take a day or two for the system to update itself. The free year starts when you buy the router, not when you first sign up for InControl2.
During your first year of router ownership, you can try InControl2 and form your own opinion. It makes the most sense when a non-techie person owns a Peplink router that is managed by a techie. But, even then, normal DDNS can be used grant remote access to the router, though it requires manual port forwarding. If you don't want to use InControl2, you can disable it in the router with: System tab -> InControl. For more see: Do I need InControl? and InControl 2 Initial Setup Guide and What is an IC2 subscription and it’s relationship with Warranty Coverage?.
To see the reward for owning a Peplink router, see my April 2019 blog: Why i like my router, where I describe using assorted features in the router to respond to real world security issues.