Router Security: Surf SOHO Initial Configuration
For a long time, I have recommended the Pepwave Surf SOHO router. A long explanation of why is on the Surf SOHO page. Finding a secure router is only half the problem; it also needs to be configured securely. In that light, this is a cheat sheet for configuring a new, out-of-the-box Surf SOHO to be as secure as possible. It goes hand in hand with my suggestions about securely configuring any new router.
1) Initial Changes
2) IP Addresses
3) Update Firmware
4) VLANs
5) Wi-Fi Settings
6) More Off-Line Changes
If you own a Surf SOHO and want to start from scratch, it can be reset to factory defaults with the System -> Configuration -> Restore Factory Settings button. If you can't log on to the router, look for a small reset button on the front or back of the router. Press the button with a paper clip for at least 10 seconds and the router should reboot to a factory-fresh state. You can tell it was reset by the Wi-Fi SSID that it broadcasts. The default is PEPWAVE_xxxx, where xxxx is the last four characters of the serial number. This should show up in any app or operating system when looking for nearby Wi-Fi networks.
New Surf SOHO owners can download the User Manual from Peplink at peplink.com/support/downloads/. There are different downloads for different hardware editions of the Surf SOHO. The first release is known as HW1 (hardware version 1). The second release is known as HW2 and the latest third release of the hardware is referred to as MK3. If you are dealing with an older, first generation model, note that it can only run firmware version 6. The two later hardware versions can run the latest version 7 firmware. Peplink seems to have fallen down on the job, however. As of November 2018, the manual for firmware version 7 was last updated in January 2017. Some features are not documented.
STRATEGY: As I describe on the new router page, I think it is best to make some initial configuration changes to any new router while it is off-line (not connected to the Internet). Also, the first few times any new router goes online, it is safer for it to be sitting behind an existing router. To do this, connect an Ethernet cable from the WAN port of the new router to a LAN port of the existing router.
TERMINOLOGY: WAN refers to the Internet; it stands for Wide Area Network. LAN refers to the network of computing devices in your home/office; it means Local Area Network.
The only requirement for configuring the Surf SOHO is a web browser. Any recent browser should be fine; you may want to disable extensions, just for good luck. You could use a phone or tablet, but a computer is better, both because typing is easier on a keyboard, as opposed to glass, and because the web interface is designed for a large screen. Any computer should work, even a Chromebook. Peplink does offer a mobile app, but initial configuration requires the web interface.
One thing you will need, at least at first, is some patience. There are a lot of steps. And the web interface has an unusual quirk: sometimes clicking on a SAVE button is not sufficient to actually save the changes you made. An extra step is normally needed: clicking on an Apply Changes button in the black horizontal stripe across the top of the screen.
FUTURE UPDATE: July 2, 2018: Peplink routers can save all the current settings in an external .conf file. The large number of click-here-type-this steps that follow can be too much for some people. With that in mind, a reader of this site suggested that I supply a pre-configured .conf file. He went so far as to verify that the .conf files are not locked down by MAC address or the serial number of the router. I would do this, except that my only spare Surf SOHO is an old version 1, which can only run firmware version 6. If I ever get my hands on a new Surf SOHO, I'll do some initial configuring and post a .conf file here.
This was written for firmware version 7.
CONNECTING TO THE ROUTER
As with any router, we can connect to the Surf SOHO via Ethernet or Wi-Fi. Most computing devices use DHCP, which means they will be assigned an IP address by the router. If you have that rare device with a hard-coded IP address (you know who you are), it will need to be changed to something in the 192.168.50.x subnet.
It is best to connect via an Ethernet cable because we will be making changes to the Wi-Fi environment, and no one wants to change a tire while the car is moving. Also, an Ethernet connection is usually more reliable than Wi-Fi and does not require a password. Connect to any of the four LAN ports; do not connect to the WAN port. If you are using a laptop computer, turn off the Wi-Fi to ensure it communicates only via Ethernet.
To connect via Wi-Fi, look for an SSID like PEPWAVE_xxxx where xxxx is the last four characters of the router serial number. The network is password protected and the password is the last eight characters of the LAN MAC address. You can find the LAN MAC address on a label on the bottom of the router. A MAC address consists of letters and numbers. Enter any letters in the LAN MAC address in upper case.
At this point the router should be off-line, so verify that nothing is plugged into the WAN port. If the Surf SOHO is on, power it off (pull the plug), wait a bit, then power it on and wait a minute to ensure it has fully booted. If you are connecting via Wi-Fi, go ahead and connect. If you are using Ethernet, it is best to restart the computer to ensure it gets assigned an IP address by the router.
Open your web browser of choice and navigate to http://192.168.50.1. Log on with userid "admin" and password "admin". The journey has begun. The first things I suggest changing are the router password, the Wi-Fi password(s) and the Wi-Fi SSID(s).
INITIAL CHANGES (OFFLINE)
After logging on, go to System -> Admin Security. The screen shot below shows what this might look like after making the changes in this section.
The first thing I suggest changing is the router administrator userid and password. As shown above, the userid field is "Admin User Name" and the password field is "Admin Password." You have to enter the password twice.
A userid of your name or the name of your pet would be fine. Better still, come up with something that no one might guess. Write it down on a piece of paper. Userids are case sensitive so be careful when writing it down that you can tell upper from lower case. For good luck, the password should be at least 10 characters long and certainly not something anyone might guess. Two words and a number should be fine (99redballoons, 5goldenrings). Write it down too. Note that if you forget this password in the future, you will have to reset the router to factory settings. Also, if you enter an incorrect password too many times, the router will lock you out for a period of time.
Click the gray SAVE button at the bottom, then the Apply Changes button at the top, then log off using the gray LOGOUT button in the left side vertical column. Log back in with your new userid and new password and go back to System -> Admin Security again.
The Surf SOHO supports two userids. The one we just changed has full access to the router; there is also a read-only user. You may never use the read-only user but, even then, it is best to change the default values. As seen above, the fields are labeled "Read-only User Name", "User Password" and "Confirm User Password". Yes, the password fields are poorly labeled. Write down this userid/password too.
You might want to change the web session timeout. This is the amount of idle time after which the logon to the router expires. The default of 4 hours seems a bit much to me, but there is no one right answer. "Authentication by RADIUS" should be off (it defaults to off). Likewise "CLI SSH & Console" should not be checked (by default it is not checked).
The security that the "Security" field refers to is the very web connection to the router that you are now using. It defaults to HTTP, but you can change this to HTTPS only (it does not say "only", it just says HTTPS) or both HTTP and HTTPS. The most secure option is HTTPS only and that is what I suggest. Be aware, however, that every HTTPS connection to the router will generate an error message in your web browser. This is, believe it or not, normal. The message varies by browser, but it may warn that the connection is not private or not secure. It may also warn about the certificate, because the name in the certificate, captive-portal.peplink.com, is not the same as the IP address you are using. All these errors are bogus. Ironic that the most secure option generates warnings about not being secure.
The "Web Admin Access" field is where you enable or disable Remote Administration. The default setting of "LAN Only" means no Remote Administration and is the secure choice. A value of LAN/WAN enables Remote Administration. That said, this only applies to classic or legacy remote access to the router. It has nothing to do with the Peplink cloud service, InControl2, that also provides remote access to their routers. Access to the InControl2 system is free for the first year when you purchase a Surf SOHO.
The two remote access services differ in that classic remote access is an inny system while InControl2 is an outty system (my terms). Classic remote access requires you to directly connect in to the router, so you must know either its public IP address or use a Dynamic DNS system. This leaves a port open and thus makes the router vulnerable. With InControl2 the router maintains a constant connection out to Peplink, so there are no open ports. You log on to the InControl2 website with a userid and password to administer the router.
I suggest changing the "Web Admin Port" to something between 9,000 and 65,000. Using a non-standard port makes the router a bit more secure. But it is yet another thing for you to remember, so write it down too, on the same piece of paper as the earlier passwords.
Finally, a trivial thing: change the "Router Name" to something that makes sense to you (e.g. MikeysRouter).
Click the gray SAVE button at the bottom of the screen, then Apply Changes at the top.
If you changed either the port number or the HTTP/HTTPS setting, you will need to change how you access the router. The error message "Unable to reach web admin. Connecting in 30s..." is a hint that something needs to change. Non-standard ports need to be specifically entered in the URL. For example, if you picked port number 9001 and HTTPS, then you need to use https://192.168.50.1:9001 to get to the router. The port number is preceded by a colon, not a period. I suggest writing this down too (or bookmarking it). All that said, you may need to change this yet again if you decide to assign a different IP address to the router (which I suggest doing).
STATUS -> DEVICE
After logging on, go to Status -> Device and write down the Serial Number. Also note the "Model" and "Hardware Revision". Hardware versions 1 and 2 are labeled as such. Version 3, however, is also reported as version 1 (last verified with firmware 7.0.2), a poor decision by Peplink. Hardware version 3 identifies itself with "MK3" in the Model field.
The current Firmware version is also shown here. While the router can check for new firmware, I suggest also checking the Peplink website.
PepVPN is an advanced feature that should be ignored for now. The Modem support version can also be ignored initially. The modems it refers to are 4G/LTE devices that plug into the USB port of the router to provide wireless Internet access. This has nothing to do with cable or DSL modems.
The Diagnostic Report is for Peplink, not for you. If their tech support department is working on a problem with your router, they may ask for this. Remote Assistance is also for Peplink tech support. It lets them access your router, again, when working on a problem for you. Hopefully, you will never have to use it.
STATUS -> EVENT LOG
Now click on the Event Log in the left side vertical column. It is your friend. Verify that the checkbox to Auto-Refresh is on (it should be). You should see timestamps on the left and event messages on the right. There should always be some messages as the router logs when it starts up and every time someone logs on to it. Until the router goes on-line and asks the Internet for the current date and time, event log messages will default to January 1st.
NOTE: If you don't see any messages in the Event Log, the problem might be with your ad blocker. I learned the hard way that uBlock Origin breaks this page. Just this one page. Don't know why that is. It is a simple matter, however, to disable uBlock Origin on either the entire router website (192.168.50.1 by default) or on just this one page (192.168.50.1/cgi-bin/MANGA/index.cgi?mode=config&option=utlog). Click on the uBlock Origin icon in the top right corner of the browser window and follow the instructions.
STATUS -> CLIENT LIST
This is also a good time to get your first look at the list of clients attached to the router (Status -> Client List). You can click on the Name column for any device and give it a name that makes sense to you (Susan's iPad, LivingRoomPC). There is a lot of information here in a short, easily digested format. No doubt the Wi-Fi signal strength will come in handy. Note that the closer the number is to zero, the better. For example, -38dBm is a very high signal strength while -66dBm is poor but usable. Often the MAC address will not be very interesting, but if you hover over the MAC address while the router is online, it will pop up a balloon with the name of the company that made the network adapter.
AP TAB WI-FI
To configure Wi-Fi go to the AP tab (AP is for Access Point). By default you will be at Wireless SSID in the left side vertical column. SSID is nerd talk for the name of a wireless network. There is, by default, a single Wi-Fi network with an SSID of Pepwave_xxxx where xxxx is the last 4 digits of the router serial number.
Click on the default SSID. The screen shot below shows how this might look after making the changes suggested in this section.
Change the name (SSID field) to something that makes sense to you. For more on this see the SSID page. Change the "Security Policy" to WPA2 - Personal. Do not use either of the WPA/WPA2 options. This is a rare setting where the default value is not the most secure option.
The "Shared Key" field is the Wi-Fi password and it needs to be long. How long is debatable, but at least 11 characters, and it is far better if it is 15 characters or even longer. The password does not need to be random junk (3kFezcfIUIU3*wqmj), however. As a starting point, use two words and a number (99REDballoonz or route66HIghway). For more, see the page on Wi-Fi encryption. The default Wi-Fi password is the last 8 digits of the LAN side MAC address.
IGNORE THESE SETTINGS: You can ignore the VLAN ID (if it even appears). VLANs are an advanced feature that comes later, if at all. Broadcast SSID is checked by default and should remain checked. Some articles suggest that not broadcasting the network name is a security feature, but it offers very little security. Even if you wanted to do this, it is best to do it later, not initially. The box that says "Always on" on the "Enable" line has no other options, initially. Peplink Wi-Fi networks can be scheduled. For example, you might want to turn off Wi-Fi at night, thinking that a network that does not exist can't be hacked. There is no need for scheduling initially. If you were using schedules, this is where the assorted schedules would appear, letting you apply one to this wireless network. The Access Control Settings are for MAC address filtering, a security feature that does not provide much security, so it can be left with the default value of "None".
As before, click the SAVE button at the bottom, then the Apply Changes button at the top.
For the time being, a single Wi-Fi network is enough. The Surf SOHO can create many Wi-Fi networks but the others can be created later.
IP ADDRESSES and SUBNETS
The next thing to change is the LAN side network numbering scheme. For more about this, see the IP address page. An IP address consists of four decimal numbers separated by periods. All the devices connected to the router will, at least initially, share the same first three numbers. Those three numbers define a subnet (sub network).
The Surf SOHO defaults to the 192.168.50.x subnet. This means that all devices connected to the router will have a LAN side IP address that starts with 192.168.50. The router itself, as we have already seen in the web browser, is 192.168.50.1. Changing these defaults makes for better security.
A good choice is a network that starts with 10. The next two numbers can be anything between 0 and 253. I suggest not using 0 or 1. Also, do not use 10.0.0.x, 10.0.1.x, 10.1.1.x or 10.10.10.x. Some easy-to-remember networks would be 10.11.12.x and 10.20.30.x. If you live at 123 Main Street, then maybe use 10.123.123.x.
Another choice that needs to be made is the IP address of the router. Typically, it is assigned the number 1, so on a network where everything is 10.123.123.x the router would be 10.123.123.1. Using any number other than 1 makes things more secure.
The final issue with subnets is how devices get their IP addresses. Most of the time, the router assigns the IP address for a day or so and then the devices call back to the router for a new assignment. Devices thus get dynamic IP addresses and the protocol for this is DHCP (where the D is for Dynamic). Devices can also be configured with their own IP address that never changes and thus not be dependent on the router or DHCP. A device with a never changing IP address is said to have a static IP address. Devices such as a network printer or a NAS (Network Attached Storage) function a bit better with a static IP address.
Putting this all together, we might end up using
10.123.123.x as the subnet
10.123.123.3 for the router
10.123.123.20-250 for dynamically assigned IP address (DHCP)
The remaining IP addresses, 1, 2, 4 through 19, 251, 252 and 253, can be used by devices with static IP addresses. This scheme allows for up to 230 devices to get dynamic IP addresses. This should be sufficient for most people most of the time.
NOTE: If the router is plugged into a modem, fine. However, a router can be plugged into another router or a gateway (combination modem and router in one box). Specifically, the WAN/Internet port on the new Surf SOHO router would be plugged into a LAN port on the existing router/gateway. This complicates things a bit as the existing router/gateway has its own scheme for LAN side IP addresses. The Surf SOHO should use a different subnet from that of the existing router/gateway device. Since most of them use 192.168.x.x, anything that starts with 10 should be fine. Another potential conflict is Wi-Fi. It is safer, but not mandatory, to disable the Wi-Fi on the existing router/gateway. If you want to keep the pre-existing Wi-Fi network(s), use it/them only as a guest network. Once the new router is working, you can try to dumb-down the box from your ISP to act merely as a modem, a mode of operation normally called bridge mode. Thanks to Zach for bringing this up.
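The addressing rules above can be checked mechanically. The following is an added example written for this page (it is not Peplink's code and does not talk to the router): it takes a proposed subnet, router address and DHCP range, optionally the subnet of the existing router/gateway the WAN port is plugged into, and reports anything that departs from the advice given here. All addresses in it are constructed samples.

```python
import ipaddress

# Added example, not Peplink's code: sanity-check a proposed Surf SOHO LAN plan
# against the guidance on this page. All addresses below are constructed samples.

FACTORY_DEFAULT = ipaddress.ip_network("192.168.50.0/24")
# 10.x subnets the page says to avoid because other gear commonly uses them
AVOID = {ipaddress.ip_network(s) for s in
         ("10.0.0.0/24", "10.0.1.0/24", "10.1.1.0/24", "10.10.10.0/24")}


def check_lan_plan(subnet, router_ip, dhcp_start, dhcp_end, upstream_subnet=None):
    """Return a list of problems (an empty list means the plan follows the page).

    upstream_subnet is the LAN subnet of an existing router/gateway that the
    Surf SOHO's WAN port is plugged into, if there is one.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    router = ipaddress.ip_address(router_ip)
    lo, hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    problems = []

    # --- subnet choice ---
    if not net.is_private:
        problems.append(f"{net} is not a private address range")
    if net.prefixlen != 24:
        problems.append(f"{net} is not a /24; keep the default 255.255.255.0 mask")
    if net == FACTORY_DEFAULT:
        problems.append("subnet is still the factory default 192.168.50.x")
    if net in AVOID:
        problems.append(f"{net} is a commonly used subnet; choose another")
    octets = net.network_address.packed
    if octets[0] == 10 and (octets[1] in (0, 1) or octets[2] in (0, 1)):
        problems.append("a second or third octet of 0 or 1 is best avoided")

    # --- router address ---
    if router not in net.hosts():
        problems.append(f"router {router} is not a usable host address in {net}")
    elif router.packed[3] == 1:
        problems.append("router uses .1; any other host number is a less obvious target")

    # --- DHCP pool ---
    if lo not in net or hi not in net or lo > hi:
        problems.append(f"DHCP range {lo}-{hi} is not a valid range inside {net}")
    elif lo <= router <= hi:
        problems.append(f"router {router} sits inside the DHCP range {lo}-{hi}")

    # --- conflict with the upstream router/gateway ---
    if upstream_subnet is not None:
        up = ipaddress.ip_network(upstream_subnet, strict=False)
        if net.overlaps(up):
            problems.append(f"{net} overlaps the upstream router's {up}; pick another")
    return problems


def static_addresses(subnet, router_ip, dhcp_start, dhcp_end):
    """Host addresses left over for devices with static IPs (printer, NAS, ...)."""
    net = ipaddress.ip_network(subnet)
    router = ipaddress.ip_address(router_ip)
    lo, hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    return [str(h) for h in net.hosts() if h != router and not lo <= h <= hi]


if __name__ == "__main__":
    # The worked example from the page: 10.123.123.x, router .3, DHCP .20-.250,
    # behind an existing router that (as is typical) uses 192.168.1.x.
    plan = ("10.123.123.0/24", "10.123.123.3", "10.123.123.20", "10.123.123.250")
    print("problems:", check_lan_plan(*plan, upstream_subnet="192.168.1.0/24"))
    print("static:", static_addresses(*plan))
```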
To make these changes, go to the Network tab (shown above). It will default to LAN Network Settings, which is what we want.
In the "IP Address" field, enter the IP address of the router (10.123.123.3 in our example). Do not change the numbers to the right of this; the default (255.255.255.0 /24) is just fine.
In the "IP Range" field enter 10.123.123.20 and 10.123.123.250. Again, do not change the third set of numbers from its default value (255.255.255.0 /24).
That's it. Among the defaults that do not need to change are: DHCP Server (enabled), DHCP Server Logging (off), Lease Time (1 day), DNS Servers (checked on), BOOTP (off).
Click the SAVE button at the bottom, then Apply Changes at the top.
As before, when we changed the port number, these changes will cause you to lose contact with the router. It is best at this point to reboot the computer you are using so that it can pick up the new 10.123.123.x subnet and be assigned a new IP address on that subnet. After it restarts, point your web browser to https://10.123.123.3:999 (999 being the port number chosen in this example). At this point you can bookmark this; it should not change going forward.
UPDATE FIRMWARE
With the preliminaries out of the way, this is a good time to update the firmware. Granted, there is a chance that the new router has the latest firmware, but it is a pretty small chance.
The Surf SOHO can update its firmware either online or off-line. Off-line is a manual process: you download the new firmware onto the computer connected to the router and then point the router to a .bin file that is the firmware. On-line is more automated; there is no downloading or uploading. However, on-line is only an option if the router detects the availability of new firmware, and the track record here is not good. Off-line updates are also called manual updates.
The definitive source for firmware is the Peplink website, specifically the download page at peplink.com/support/downloads. You should always check this page first to learn the latest firmware. As I write this (Jan. 2018) the latest firmware for the first generation Surf SOHO (HW1) is 6.3.5. The latest for both the second (HW2) and third (MK3) generations is 7.0.3.
Firmware updates (both online and off-line) start at System -> Firmware. Click the "Check for Firmware" button.
If it finds the latest firmware, you are good to go; the process is self-explanatory. If it does not detect the latest firmware, then download it from the Peplink website. The firmware should be a single file that ends with .bin. Somewhere in the file name will be the version number and a build number.
Another reason to do an off-line/manual firmware update is that you don't want to put the new router online with old firmware, even if it is behind an existing router. If you don't have another router to shield the new one, this is an excellent reason.
A manual update starts with the "Choose File" button. Point it to the .bin file, then click the "Manual Upgrade" button. The file is uploaded to the router, then it is validated by the router. Next, you will see an orange progress bar and be warned that the upgrade may take up to 6 minutes, which is a reasonable approximation. When the process completes, you will be at the login page.
After logging in, look for the new firmware version on the Dashboard page (the Dashboard is the first page you see after logging in). Then, just for fun, go to System -> Reboot where you will see one of the biggest advantages to using a Peplink router. Should the new firmware cause grief, you can easily reboot the router back to the previous firmware. You can also check the Event Log. The message "System: started up" includes the firmware version.
Another great thing about Peplink, is the ability to save the current router settings. In the absolute worst case, where you have to reset the router to factory fresh state, you can then import these saved settings and not have to re-do all the changes on this page. The icing on this cake is that you don't even have to remember this, the router will remind you to save the current settings before updating the firmware. Just great.
At this point, we have not made all that many changes, but still, I suggest saving the current configuration settings just for the practice. You can save the settings at any time from System -> Configuration -> gray Download button. The downloaded file is very small. The name starts with the date in yyyymmdd format and ends with .conf.
If the Surf SOHO is currently connected to the Internet, disconnect it now.
VLANS
This is a great time to create your first VLAN. Detailed instructions are on the VLAN page. It starts with an introduction to VLANs and network segmentation/isolation. You can think of VLANs as the way Peplink implements Guest networks. Not a great analogy, just a starting point.
At this point we have a single wireless network. A new VLAN can be assigned to it now, or never. If you want, you can create a second and/or third Wi-Fi network now and assign a VLAN to these new networks. VLANs and Wi-Fi networks can be created and/or assigned at any time, so whatever you do now can always be changed later. That said, this is a good point in the setup process to create your first VLAN, even if it is not assigned to anything, yet.
WI-FI SETTINGS
There are many Wi-Fi settings that are not tied to one specific SSID. To configure these, go to the AP tab, then Settings, as shown below (HW2, Firmware 7.0). First, verify that the Country is correct. What you see here varies depending on whether you are using the 1st, 2nd or 3rd generation of the Surf SOHO.
The first two generations (HW1 and HW2) could only use one Wi-Fi band at a time. That is, you had to choose between 2.4GHz and 5GHz. The choice was made by selecting a Protocol of 802.11ng for 2.4GHz or 802.11na for 5GHz.
The 3rd generation (MK3) uses both frequency bands concurrently. By default, it broadcasts each SSID on each frequency band, which should be fine most of the time. If not, here is where you restrict an SSID to a single frequency band.
The first two generations of the Surf SOHO let you choose between their internal antenna or the optional external antennas. This is not an option with the third generation.
On 3rd generation hardware, the "Wi-Fi AP Settings" section is poorly designed. The left side column controls the 2.4GHz radio, the right side is for 5GHz. For 2.4GHz, a Protocol of 802.11ng means it is using both Wi-Fi N and G. This seems to be the only choice. For 5GHz it always seems to use 802.11ac, the latest and greatest flavor of Wi-Fi.
When it comes to Channel Width, there is no one right answer. Wider channels transmit more data, and thus are faster, but they are also more likely both to suffer interference from, and to cause interference to, nearby networks. That said, on the 2.4GHz band, the Surf SOHO defaults to using narrow 20MHz wide channels, which is pretty much an industry standard and is certainly what you should start with. Only if there are no Wi-Fi networks anywhere nearby should you consider bumping this up to 20/40MHz.
On the 5GHz band, the 3rd generation Surf SOHO defaults to using relatively wide 80MHz channels. The first two generations can only use a channel width of 20MHz or 40MHz. A wide channel is a bad choice for anyone in a crowded Wi-Fi area. Interfering with nearby networks slows everyone down. The safest choice is a narrow 20MHz wide channel. The knee-jerk reaction is that this will be slower than 40MHz or 80MHz, but, if it avoids interfering with your neighbors, it could well be faster. You may need some trial and error here.
Like any router, you can either let the Surf SOHO dynamically choose a channel or set it to always use one specific channel. On the 2.4GHz band, experts agree that the only channels anyone should use are 1, 6 and 11. All the rest interfere with each other. It is better for everyone involved if two nearby networks both use channel 6 (for example) as opposed to one using 5 and the other using 6. Many routers use these wrong channels.
The Surf SOHO (all generations) offers a third choice. It can automatically choose a channel, but you can restrict its choices to just 1, 6 and 11. To do this, select Auto for the Channel parameter and then click the Edit button. The same feature exists on the 5GHz band, just with different channels. If, for example, you know that a nearby network always uses a specific channel, you can use this to ensure that your router will never use that channel, but still let it dynamically choose from the remaining channels.
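The channel and channel-width advice above follows from the spacing of the 2.4GHz channels. The following is an added example written for this page (not Peplink's code): it models each channel as the roughly 22MHz of spectrum that a "20MHz" 802.11 channel actually occupies, bonds a second channel 20MHz away for a 40MHz channel as 802.11n does, and from that derives which channels can coexist and which nearby networks a given choice would interfere with. The neighbour list at the bottom is constructed.

```python
# Added example (not from the page or from Peplink): why only channels 1, 6 and 11
# coexist on 2.4 GHz, and why a 40 MHz channel leaves no room for the neighbours.

OCCUPIED_MHZ = 22            # a "20 MHz" 802.11 channel occupies roughly 22 MHz
HALF = OCCUPIED_MHZ // 2


def center_mhz(ch):
    """Center frequency of 2.4 GHz channel 1..13 (channel 14 is Japan-only, ignored)."""
    if not 1 <= ch <= 13:
        raise ValueError(f"invalid 2.4 GHz channel {ch}")
    return 2407 + 5 * ch         # channel 1 = 2412 MHz, channel 6 = 2437, 11 = 2462


def channel_span(ch, width=20):
    """(low, high) MHz occupied by channel ch at 20 or 40 MHz width.

    A 40 MHz (20/40) channel bonds the primary with a secondary channel 20 MHz
    higher, or 20 MHz lower if the higher one would fall off the band.
    """
    lo, hi = center_mhz(ch) - HALF, center_mhz(ch) + HALF
    if width == 40:
        secondary = ch + 4 if ch + 4 <= 13 else ch - 4
        lo = min(lo, center_mhz(secondary) - HALF)
        hi = max(hi, center_mhz(secondary) + HALF)
    elif width != 20:
        raise ValueError("width must be 20 or 40")
    return lo, hi


def overlaps(ch_a, ch_b, width_a=20, width_b=20):
    """True if the two channels share any spectrum (and so interfere)."""
    a_lo, a_hi = channel_span(ch_a, width_a)
    b_lo, b_hi = channel_span(ch_b, width_b)
    return a_lo < b_hi and b_lo < a_hi


def non_overlapping(width=20, channels=range(1, 12)):
    """Greedily pick, lowest first, the channels that do not overlap each other.

    The default channel list is 1..11, the channels allowed in North America.
    """
    chosen = []
    for ch in channels:
        if all(not overlaps(ch, c, width, width) for c in chosen):
            chosen.append(ch)
    return chosen


def clashes(my_channel, my_width, neighbours):
    """Neighbouring networks [(channel, width), ...] that my network would interfere with."""
    return [(ch, w) for ch, w in neighbours if overlaps(my_channel, ch, my_width, w)]


if __name__ == "__main__":
    print("20 MHz channels that coexist:", non_overlapping(20))   # [1, 6, 11]
    print("40 MHz channels that coexist:", non_overlapping(40))   # [1]
    # Constructed neighbourhood: three well-behaved networks and one on a "wrong" channel.
    nearby = [(1, 20), (5, 20), (11, 20)]
    print("channel 6 clashes with:", clashes(6, 20, nearby))      # [(5, 20)]
```

The greedy search on 40MHz channels finds only one channel that does not interfere with the others, which is the concrete reason the text says to stay at 20MHz unless nobody is nearby.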
Wi-Fi experts can click on the white question mark in the blue circle for advanced Wi-Fi options such as the Beacon Rate, Beacon Interval and the RTS Threshold.
To configure an individual Wi-Fi network (SSID), the settings are mostly standard and fairly self-explanatory (see below). If you have enabled VLANs, then each SSID must either be assigned to a VLAN or assigned to the non-VLAN shared network, which techies call the untagged network or untagged LAN. In the example below, this is called MikeysPrivateLAN. Also shown below is an example of scheduling: the network has been assigned a schedule of "OffFrom1to6am", which could be anything, but probably disables the wireless network between 1am and 6am.
If you want to disable Wi-Fi altogether, the interface is different on the latest MK3 hardware version compared to the earlier HW1 and HW2 versions. On the two older versions, go to the AP tab and click on an SSID (network name). There will be an "Enable" checkbox. Right next to this checkbox is a list of schedules, so you could have the Wi-Fi turn off at night automatically. On the MK3 the "Enable" checkbox has been removed. I suppose you could schedule it to only be active for one minute each day and also not to broadcast the SSID and use a very long password. Then too, it should be possible to disable Wi-Fi using InControl2 (I have not checked) and possibly with the Peplink mobile app (again, I have not tried).
InControl2 is a Peplink system that offers remote access to their devices. InControl2 is not required for anything. One year of access to it is provided for free when you buy a Surf SOHO. Many people do not need it, but even if you don't want it or need it, you should nonetheless create an account on the system. Peplink devices have unchangeable serial numbers, and it is best for you to lock your Peplink device to your InControl2 account. This prevents anyone who learns the serial number of your router from adding it to their account, which could let them access your router. During your first year of ownership, you can try InControl2 and form your own opinion. It makes the most sense for those owning many Peplink devices. After setting up InControl2, you can disable it in the router (System tab -> InControl), if you desire. Creating a new InControl2 account requires creating a group. Just make up any group name. From here.
MORE OFFLINE CHANGES