Router Security: Pepwave Surf SOHO Router
In 2013, I couldn't take the security flaws in router firmware any more and went looking for a low end business class router hoping to find professionally done firmware without paying a huge price.
The first company I considered was Peplink. I had run across them in 2011 while looking for a multi-WAN router. That seems to be their specialty. At the time (2011) I bought their cheapest multi-WAN router (a Balance 20 for $300 without WiFi) and it had performed great for those couple of years.
By 2013, the Balance 20 was no longer the cheapest Peplink router. The company had introduced the Pepwave Surf SOHO, which offered WiFi at roughly half the price of a Balance 20 but could only talk to one ISP at a time. I gambled on it in 2013, liked the security, and have used it ever since.
I do not recommend the Surf SOHO for its speed, features or price. Rather, I recommend it for professionally written, reasonably secure firmware without the slew of security problems that affect consumer routers. In terms of speed and sexy features, it's nothing to write home about (see the Downsides section below).
I recommend Peplink, even though they do not focus on security. In fact, for a long time their Wi-Fi routers did not even offer stand-alone WPA2. The most secure option was a combination WPA/WPA2. You could not restrict access to just WPA2. While this has now changed, it shows that their focus is not on security. But, it doesn't have to be. That's how bad consumer routers are.
Peplink is not a big name in routers. At a conference in the summer of 2015, I asked someone who had just given a presentation about routers what he thought of Peplink - and he had never heard of the company. This is a security feature in and of itself. Since Peplink routers are not used by millions of people, bad guys are probably not focused on finding their flaws.
A business oriented router includes a different set of features than consumer models.
For example, the Surf SOHO is capable of site-to-site VPN connections, something few consumers understand. It does this with PepVPN, which only connects to other Peplink devices (better security). I have used this to enable file sharing for a company with employees in different locations, and to make file backups easier. Files can be copied from one location to another exactly the same way they are copied from one folder to another. The site-to-site VPN does not have to run 24x7 and it can be configured such that only one end can initiate the connection. Thus, if you use it for connecting to your parents to back up their files, you can ensure that only your Peplink router initiates the connection, never theirs.
As a business class device, the Surf SOHO does not support WPS, which is great for security. WPS was the feature that turned me away from consumer routers in the first place.
Peplink actively maintains the firmware in their routers. Unlike consumer routers, they do not walk away from their older routers, thus requiring customers to buy a new router to get bug fixes. And, unlike higher end UTMs, there is no yearly fee to use their software/firmware. At one point, I had to pay to upgrade the Balance 20 router mentioned above from firmware version 5 to version 6, but that policy has since changed. And, although Peplink at the time was still supporting version 5 of their firmware with bug fixes, I wanted a feature that was only offered in version 6.
When you buy a consumer router, you are buying the hardware. Router manufacturers aim to get the software (that is, firmware) as cheaply as possible. When you buy a Peplink router, you are buying the software. That's what they stake their claim on; it's what they build their reputation on. They are not unique; this is common in business class routers. Peplink just happens to offer this in the Surf SOHO at a remarkably low price.
Also, the user interface on some business class routers is meant for networking experts, and anyone else would have a hard time dealing with it. Ubiquiti is a great example of this. This is not true with Peplink/Pepwave; their user interface is just as easy for a non-techie to deal with as that on a consumer router.
On the security side, the Peplink firmware does a great job of locking down both local and remote administration as described on the Security Checklist page. Also, you can change the userid for administering the router. Many (most?) routers only let you change the password, not the userid.
And, Peplink has a GREAT feature: multiple firmwares. The router maintains two copies of the firmware, which takes almost all the risk out of both making configuration changes and upgrading the firmware. If something goes wrong, you can reboot the router to fall back to the way things were before the change. This feature alone is enough to recommend their product line.
The Peplink firmware is also very good at monitoring the network. Perhaps most importantly, it has a detailed display of the currently connected devices. You can assign friendly names to devices (e.g. Harvey's iPad) to make it easier to identify them. For wireless devices the router shows the signal strength of the connection, a rare feature. You can drill down on any particular device and see all of its connections to the Internet. I have used this feature to verify that a VPN is doing what it is supposed to be doing, funneling all data to a single VPN server. If the Internet feels slow, the router displays the current bandwidth used by each device and also has many history reports of bandwidth per device.
Peplink offers unusually good technical support at the support forums on their website. The forums are populated by people that understand the technology and intelligently respond to questions. This thread is an excellent example. The company had originally marketed their Balance One router as supporting Gigabit speeds, but when a customer inquired, they found Windows machines in their lab were getting 900Mbps and recent Mac OS X machines were only getting 700Mbps speeds. They came clean about this, admitted they were puzzled at first, and now sell the Balance One router as supporting 600Mbps speeds. I find the honesty extremely refreshing and it really makes me trust the company.
It is very easy to report a bug to Peplink (website home page -> Support -> Contact us) and they respond quickly to it - and the response is intelligent. And, your router does not have to be under warranty to report a bug.
Peplink supports VLANs. As a rule, all the devices in your home share one network, referred to as a LAN or Local Area Network. The problem with this is that a device in your home may be malicious and try to corrupt other devices. Also, not every device in your home needs to share files or printers with all the other devices. VLANs let you logically separate the devices in your home into different groups. When I first tried to set up a VLAN in 2015, I found the documentation useless. That said, I asked for help in their online Forum and eventually was able to create a VLAN-isolated Wi-Fi network with their help. Thus, my Surf SOHO had one Wi-Fi network on the main LAN where devices can share printers and files and another Wi-Fi network where devices were isolated.
Originally, Peplink only supported VLANs for Wi-Fi networks but you can now also assign the Ethernet LAN ports to VLANs. That is, you can assign each LAN port to a different VLAN (screen shot is from firmware 6.3.2), or you can group LAN ports into VLANs.
The Surf SOHO versions 1 and 2 run fairly cool, I would not even call it warm. I have no experience yet with the latest edition, hardware version 3, the one that was introduced in November 2016.
It can function as a VPN server using either PPTP or L2TP/IPsec (Advanced -> Remote User Access).
Privacy: A number of new routers require you to have an account with the hardware manufacturer. Peplink does not. Some routers cannot be configured offline; Peplink routers can. Some routers phone home with assorted data to the hardware manufacturer. Peplink does not, as long as their InControl system is disabled.
The Surf SOHO can create isolated wireless networks, much like Guest networks, where devices can get to the Internet and nothing else. Much more on this below in the section on Guest Networks.
It supports both UPnP and NAT-PMP, but each is disabled by default, which is the secure default. This illustrates how the Surf SOHO is a business class router vs. a consumer router. Consumer routers typically ship with UPnP enabled because it's cheaper: it avoids tech support calls. But it is not as safe for the Internet at large. A huge reason that IoT is a security disaster is UPnP being enabled by default. Google's second generation routers, Google Wifi, have UPnP enabled by default; they are marketed at consumers. Ditto for the Ubiquiti AmpliFi mesh router system.
The Surf SOHO offers full control over DNS, yet another indication of its being a professional device rather than a toy. Typically, devices on a network are assigned DNS servers by the router. But any computing device can be configured to use whatever DNS servers it wants. If, for example, parents configure their router to use DNS servers that block porn, the kids can change their computers to use other DNS servers that don't block anything. However, the kids' computers still go through the router, and the Surf SOHO sees their DNS requests and can, optionally, re-route them to the DNS servers the router is configured to use. This forces kids to hack into the neighbor's Wi-Fi network :-) I have seen my Roku box make DNS requests using Google's DNS server (18.104.22.168). Don't know why it does that, but with the Surf SOHO, I can force the Roku box to use my preferred DNS servers.
Finally, Peplink makes it very easy to report bugs, which is a huge contrast from consumer router companies. You simply go to the support section of their website and the link is not hard to find. All you need is an email address and the serial number of your Peplink router. From personal experience, I can say that they do respond to bug reports.
The Surf SOHO does a good job of showing you what's going on.
This starts with the list of attached devices, all shown on one screen, making it easy to spot anything out of the ordinary. The router lets you assign friendly names (e.g. Susan's iPad, Joe's laptop) to the attached devices. It shows which SSIDs wireless devices are connected to and the signal strength from the point of view of the router. You also see the current upload and download bandwidth used by each device. It's a lot of useful information in one place.
If one device sparks interest, you can drill down to see all the Internet connections it currently has, although this is not as easy as it could be. One use of this feature is to ensure that a VPN connected device is, in fact, only communicating with the VPN server. Another use is to check that a mobile device doing online banking has an encrypted connection to the bank. Or, you can use it to check if a Smart TV is phoning home and reporting on your viewing habits.
The Surf SOHO also does a great job reporting on bandwidth usage. It has a daily bandwidth summary that shows total Upload and Download Megabytes. From the daily summary, you can drill down to an hourly summary. From the hourly summary, you can drill down to each specific device within that hour.
Bandwidth monitoring also includes current bandwidth (see sample report). The bandwidth display moves from right to left. The vertical axis changes, dynamically, as needed. The router always displays the average and peak download speed (green) and upload speed (blue).
This can help you see if you are getting the speed you pay for from your ISP. For example, here is a current bandwidth report taken just after uploading a very large file. The average upload speed was 14.14Mbps with a max/peak speed of 16.57Mbps. If the expected outbound speed of this Internet connection was 20Mbps then it is performing fine. However, if the expected speed was much higher than 20Mbps, then it is under-performing. Of course, this could also be a limitation on the machine accepting the uploaded file.
If nothing else, the current bandwidth reports can double check an Internet speed test utility/site. Or, maybe you are paying your ISP for speed that's so fast, you can't use it. For example, if you pay for 200Mbps down and your peak usage when downloading multiple big files concurrently is only 80Mbps, then you can save money with a slower cheaper connection. It is very unlikely any ISP provided router will provide this information.
The Surf SOHO can email you about a limited number of error conditions. The only error I have been notified about, so far, is when the ISP goes off-line and when it comes back on-line. With a single WAN connection, the off-line message can't be sent until it comes back on-line, unless you set up automatic fail-over. Still, it is useful to know about outages, though it's much more helpful on a multi-WAN device such as the Peplink Balance series, where the message goes out immediately via the still-working WAN connection. The emails can be sent using any email address. Here is a screen shot of configuring the Surf SOHO to be an email client.
It supports a feature Peplink calls "WiFi as WAN" that lets the router use a WiFi network as input. At first, I thought nothing of the feature. Then, one day, my ISP went down for the good part of a day. What to do? In the old days I would connect a single important laptop to a smartphone WiFi hotspot, but now I had more devices that needed to be online. And, some of them were Ethernet connected to the router. So, I fed the Surf SOHO the WiFi hotspot from a smartphone and it worked great. When the phone had to leave the premises, I fed the router from a different smartphone. This allowed many devices to share the smartphone hotspot and none of them had to change in any way at all. They talked to the router before, during and after the ISP outage in exactly the same way (be it Ethernet or WiFi). Interestingly, the "WiFi as WAN" feature causes the router to use WiFi for both input and output concurrently.
Of course a smartphone gets its Internet access from a 3G/4G/LTE network as do assorted MiFi type devices. Likewise, the Surf SOHO can use 3G/4G/LTE for Internet access, without a smartphone. Peplink supports many cellular antennas that can be plugged into the USB port of the router. In addition, you may be able to plug an Android phone into the USB port of the Surf SOHO for wired tethering. The Android phone has to support this, something that can be tested using a computer before trying it on the router. Wired tethering should be faster than feeding the router Wi-Fi from a smartphone, but I have not tried this. And, I think this is only possible with Android, iPhones would have to feed the router with Wi-Fi.
The Surf SOHO lets you define the three inputs in priority order. For example, it can be configured to use a wired ISP normally and, should that fail, to fall back to a Wi-Fi network for Internet access and, if that's not available, to fall back to a 3G/4G/LTE network. What the Surf SOHO does not do is use two different Internet sources at the same time (a feature called multi-WAN). Most Peplink routers support this, but they cost more than the Surf SOHO.
The WiFi as WAN feature would also let you travel with the Surf SOHO (it's not all that big). This feature could be used to connect the Surf SOHO to Wi-Fi offered by a hotel. All your devices, both Ethernet and Wi-Fi, would be much safer connecting to the Surf SOHO rather than directly to the hotel network.
In August 2016, I blogged about an experience using Wi-Fi as input to the Surf SOHO.
No product is perfect and the Surf SOHO has its downsides.
The most obvious downside was that it did not support concurrent dual band. This is supposed to change with the revised third edition of the router due to go on sale around Thanksgiving 2016. The first two editions of the Surf SOHO, which were sold up until July 2016, supported both the 2.4GHz and 5GHz frequency bands, but could only use one at a time. And, they did not support the latest AC flavor of Wi-Fi, each maxed out at Wi-Fi N. The new third edition will support AC Wi-Fi.
The Surf SOHO can create no more than three wireless networks. This is better than some routers, worse than others. I find it sufficient as it lets me have a private WiFi network for trusted devices, a guest WiFi network and a dedicated, isolated WiFi network for IoT devices.
When it comes to VPNs on routers, everyone is focused on the router providing a VPN server, and the Surf SOHO provides a couple. My focus, however, is on a router that provides a VPN client, and the Surf SOHO does not offer this. The Resources page has links to many routers that can function as either a Tor or VPN client.
Rate limiting is limited. The Surf SOHO has a single knob (so to speak) for limiting bandwidth usage. You can set a maximum download and a maximum upload speed, but it applies to every device on the network. Higher end Peplink routers let you put network devices into one of three groups: Manager, Staff, and Guest with bandwidth limits applied to the Staff and Guest groups.
The Surf SOHO does not log blocked incoming connection attempts. On routers that do, I find this very interesting data to peruse, but that's me.
There is no Wi-Fi on/off button on the Surf SOHO.
Peplink devices, the Surf SOHO included, do not offer file or printer sharing based on the USB port. The routers have a USB port, but it is used for a 3G/4G/LTE antenna to provide Internet access. I consider this a plus because this type of file sharing has been associated with a number of security bugs. Some may consider it a minus.
The Peplink documentation is poor. While it is extensive, in terms of the number of pages, it is amazingly devoid of information. The company does try: they update their documentation regularly and they keep it in sync with changes to their firmware. This is more than many other router vendors do. But, to me, it's 300 pages of "Enter your name in the Name field" repeated over and over and over. Lots of words, very little information. Specifically, it lacks background information and an explanation of concepts. It is documentation for experts. Not that consumer routers are any better.
Like many routers, those from Peplink can back up the current settings to a file that you download. A really nice thing that Peplink does is to always remind you to make a backup of the current router settings before it installs new firmware (see screenshot). All routers should do this.
A check for new firmware from the router web admin site often fails to find updates that have been released months earlier. At the end of March 2016, firmware 6.2.2 failed to find either the newer 6.3 version or the even newer 6.3.1 edition, which was, at the time, a month old. That said, things may be looking up: in July 2016 firmware 6.3.1 did detect that 6.3.2 was available.
I have yet to see a router vendor that documents their firmware upgrade procedure, so here is what to expect. As with other routers, the firmware can be updated automatically or manually. I suggest the manual procedure because it provides much more feedback during the process. Here are screenshots of manually upgrading the firmware from 6.2 to 6.3. The first phase validates the just-downloaded (or just-uploaded, if doing this manually) firmware. The second phase is the actual installation which, you are warned, takes about 6 minutes. In the third phase the router reboots into the new firmware. In my experience the router display may hang here forever or it may revert to the logon screen. An online update from 6.3.1 to 6.3.2 in Aug. 2016 hung after saying it was installing the new firmware. The upgrade ran fine; it just told me nothing.
Another important aspect of router firmware is how you are notified about updates. Peplink emails you when there is a major update; here is an example from December 2015, announcing version 6.3. Sadly, they do not announce minor updates, which are often bug fix releases. Thus, the burden of learning about firmware updates is mostly on your shoulders.
A small number of routers can self-update without human involvement and some may prefer, or even need, such a router. It reminds me too much of Windows 10 updates, an accident waiting to happen - especially if the router does not support multiple firmwares.
While maintaining two copies of the firmware is a great feature, you cannot download a newer firmware to use later. Whenever new firmware is downloaded (or uploaded, if doing it manually), the router automatically reboots and uses it. That said, the only real downside is the router reboot, because you can always reboot it back into the firmware you were using just before the last update.
Firmware 6.3, released in December 2015, adds a Wake On LAN feature. Great for working on grandma's computer while she is sleeping. If you have given devices on your LAN friendly names, the router, thankfully, displays these friendly names so you don't need to keep track of MAC addresses.
This is a good news/bad news story. The good news is that, if configured correctly, the Surf SOHO offers the best possible security for a Guest Wi-Fi network. The bad news is: getting to that point is hard. Or, rather, it was hard for me, but following the steps below should make it easy for you.
By the "best possible security" I mean that guest users can see the Internet and nothing else. That is, devices on the Guest network are totally isolated from all other devices connected to the router. If an IoT device is hacked, buggy or malicious, it cannot infect or spy on anything else; it can't even detect that other devices are connected to the same router. Specifically:
The Surf SOHO does not offer an explicit option for Guest networks. The documentation on this issue is disgraceful. Even 3GStore, a retailer of Peplink devices, put out a note for their customers about creating Guest networks on the Surf SOHO that was wrong.
To isolate wireless devices from the main LAN requires a VLAN (Virtual LAN). Rather than all the devices attached to the router being part of one big group, VLANs allow you to make sub-groups of devices attached to the router. One sub-group could be all the devices attached to a specific SSID (the Surf SOHO can create three SSIDs). Another group might be devices plugged into LAN ports 1 and 2.
Normally, the reason we create a VLAN is to have isolated groups of devices. However, that is not the only usage, so Peplink has a checkbox for each VLAN to control whether it is isolated or not. Isolation good.
The basic approach, is to first create a VLAN (that is, give it a name and a number), then assign an SSID to it. This puts all the wireless devices connected to that SSID into that VLAN/group. If only one SSID is using a specific VLAN, then those devices are isolated from other devices using the router. Then, to prevent devices on the same SSID from seeing each other, we need to enable "Layer 2 isolation".
VLANs are an advanced topic and support for VLANs is disabled by default. To enable VLANs in firmware 6.3.3, do Network -> LAN -> Network Settings. In the "IP Settings" section at the top of the page, click on the question mark in the blue circle. In the window that pops up, click on the word "here". A window pops up asking "The LAN settings will be switch to advanced mode with VLAN support. Are you sure?" Click on the Proceed button. Then, we need to click Apply Changes on the main menu bar (black horizontal stripe across the top of the screen).
Applying Changes takes you back to the main Dashboard page. Go back to Network -> LAN -> Network Settings. Click on the "Untagged LAN" and turn off the checkbox for Inter-VLAN routing.
After VLAN support has been enabled, the router will display a new gray button labeled "New LAN". It really should say "New VLAN". To actually create a VLAN, click on this button and you should see this screen (as of firmware 6.3.3).
Next, you assign both a name and a number to the VLAN. The name can be anything that makes sense to you. If you intend to use the VLAN with a single SSID, then name it after that SSID with "vlan" as part of the name. For example, the VLAN for SSID "michael" might be called "michaelsvlan". The VLAN number is not particularly important, as long as it's unique. Peplink refers to the number as a "VLAN ID" but it's a number. Again, to isolate this new VLAN, do not enable Inter-VLAN routing.
Each VLAN gets its own sub-network (aka subnet) which requires you to enter three IP addresses. As an example, consider the 10.22.22.x subnet from the screen shot.
The maximum number of devices allowed on a subnet is complicated. However, it is simple and almost always good enough to use the common standard of 256. This is defined using something called a subnet mask, which is the set of numbers just next to the router IP address in the example screen shot. The value 255.255.255.0 (/24) means, in English, that a maximum of 256 addresses are allowed on this subnet. In the example, however, the address range handed out is limited to 100 devices, numbered 100 through 199. It could just as easily have been 10.22.22.5 through 10.22.22.252.
If you like to be neat, you can relate the VLAN number/ID to the subnet. For instance, subnet 192.168.2.x could be assigned to VLAN number 2 and 192.168.8.x could be assigned to VLAN number 8. This is totally optional.
Also note that each VLAN can have different DNS servers. One great use for this might be to use a child-friendly DNS service on an SSID that kids use, and a non-restrictive DNS service on an SSID that adults use. VLANs can also have different Content Blocking rules.
Next, to assign an SSID to this VLAN, do AP -> Wireless SSID and click on the name of a network. The process of assigning it to a VLAN, at this point, is simple: there is a drop-down list of the available VLANs. Be sure to click the Apply Changes button on the top of the screen. When this is done, the SSID is isolated from the main LAN and from other SSIDs. It now has its own subnet.
Then, to prevent devices on the same SSID from seeing each other, we need to enable "Layer 2 isolation". In Firmware 6.3 and 7.0, do AP -> Wireless SSID -> click on the SSID name, then turn on the checkbox for "Layer 2 Isolation". There is, however, a small user interface gotcha. The first time you do this, at least as of firmware 7.0.1, the option for Layer 2 Isolation is not visible. As with VLANs, the router defaults to a simple mode and you need to know the secret handshake to see advanced settings. The secret handshake in this case is the white question mark in the blue circle (see screen shot). You need to click it, and then click again, where instructed, to see the advanced settings. The advanced settings stick around for a while, but you may have to do this again the next time.
Finally, you can control which Wi-Fi networks can log on to the router. To see this option in firmware 6.3.3, do System -> Admin Security -> Allowed LAN Networks. By default, every SSID can log on to the router, but this is easily changed to limit local access to a single SSID/VLAN. In the example, only MikeysPrivateLAN is allowed access to the router. Using our earlier example, this prevents anyone on the 10.22.22.x subnet/VLAN from logging on to the router using IP address 10.22.22.2. Interestingly, this setting even blocks Peplink's own Android app from talking to the router, if it connects to an SSID/VLAN that is not allowed in. I learned that the hard way.
Devices not assigned to a VLAN will be in a default group called "Untagged LAN" (data packets in a VLAN are sometimes referred to as "tagged"). To ensure these devices can't see any device in a VLAN, do Network -> Network Settings. Click on the "Untagged LAN" network and make sure that Inter-VLAN routing is not enabled.
At this point, you have a single, totally isolated, guest SSID.
The Surf SOHO allows for more than one isolated SSID. Simply create another VLAN for the second network. The Surf SOHO can create a maximum of three SSIDs. One approach is to use one isolated SSID as a Guest network and to use another for IoT devices that don't need to access shared resources such as files, a network printer or a NAS device. IoT devices in this category might be a Roku box, an Apple TV or an Internet radio. In this case, the subnets might be
-- 192.168.68.x for the shared network (Ethernet devices and the non-isolated SSID)
-- 10.1.1.x for the IoT isolated SSID
-- 10.2.2.x for the Guest isolated SSID
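A plan checker for the isolated-SSID setup walked through above, written here as an added example (it is not Peplink firmware or a Peplink tool). It models the settings the steps touch, namely VLAN ID, subnet, DHCP range, Inter-VLAN routing, Layer 2 Isolation, SSID-to-VLAN assignment and Allowed LAN Networks, and reports every way a plan would fall short of "guests see the Internet and nothing else"; the SSID names, VLAN IDs and DHCP ranges are constructed, and the subnets are the three listed above.

```python
"""Check an isolated guest/IoT VLAN plan of the kind walked through above.
Added example, not Peplink firmware or a Peplink tool. It models the
settings the walkthrough touches (VLAN ID, subnet, DHCP range, Inter-VLAN
routing, Layer 2 Isolation, SSID-to-VLAN assignment, Allowed LAN Networks)
and lists every way a plan falls short of "guests see the Internet and
nothing else". All names, IDs and addresses below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

UNTAGGED = "Untagged LAN"  # default group for devices not placed in a VLAN

@dataclass
class Vlan:
    name: str
    vlan_id: Optional[int]   # None marks the Untagged LAN
    subnet: str              # e.g. "10.1.1.0/24"
    dhcp_start: str
    dhcp_end: str
    inter_vlan_routing: bool = False

@dataclass
class Ssid:
    name: str
    vlan: str                # name of the Vlan this SSID is assigned to
    layer2_isolation: bool = False
    isolated: bool = False   # True: this SSID is meant to be guest/IoT only

@dataclass
class Plan:
    vlans: list
    ssids: list
    allowed_lan_networks: list   # Vlan names that may log on to the router

def dhcp_pool_size(v):
    """Addresses handed out on a VLAN, e.g. .100 through .199 gives 100."""
    lo, hi = ipaddress.ip_address(v.dhcp_start), ipaddress.ip_address(v.dhcp_end)
    return int(hi) - int(lo) + 1

def check_plan(plan):
    """Return the list of isolation problems; empty means the plan is sound."""
    problems, nets = [], {}
    ids = [v.vlan_id for v in plan.vlans if v.vlan_id is not None]
    for vid in sorted(set(ids)):
        if ids.count(vid) > 1:
            problems.append(f"VLAN ID {vid} is used more than once")
    for v in plan.vlans:
        try:
            net = ipaddress.ip_network(v.subnet, strict=True)
        except ValueError as exc:
            problems.append(f"{v.name}: bad subnet {v.subnet!r} ({exc})")
            continue
        nets[v.name] = net
        lo, hi = ipaddress.ip_address(v.dhcp_start), ipaddress.ip_address(v.dhcp_end)
        if lo not in net or hi not in net or lo > hi:
            problems.append(f"{v.name}: DHCP range {lo}-{hi} is not inside {net}")
        if v.inter_vlan_routing:  # the checkbox the walkthrough says to leave off
            problems.append(f"{v.name}: Inter-VLAN routing is on, so it can reach other VLANs")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets of {a} and {b} overlap")
    known = {v.name for v in plan.vlans}
    members = {}  # VLAN name -> SSIDs assigned to it
    for s in plan.ssids:
        if s.vlan not in known:
            problems.append(f"SSID {s.name}: assigned to unknown VLAN {s.vlan!r}")
        members.setdefault(s.vlan, []).append(s.name)
    for s in plan.ssids:
        if not s.isolated:
            continue
        if s.vlan == UNTAGGED:
            problems.append(f"SSID {s.name}: still on the Untagged LAN, not isolated")
        others = sorted(set(members[s.vlan]) - {s.name})
        if others:  # one SSID per isolated VLAN, as the walkthrough requires
            problems.append(f"SSID {s.name}: shares VLAN {s.vlan!r} with {others}")
        if not s.layer2_isolation:
            problems.append(f"SSID {s.name}: Layer 2 Isolation off, so clients see each other")
        if s.vlan in plan.allowed_lan_networks:
            problems.append(f"SSID {s.name}: its VLAN is allowed to log on to the router")
    return problems

# Constructed plan following the three-subnet layout above: the shared
# Untagged LAN plus one isolated VLAN each for IoT devices and for guests.
GOOD_PLAN = Plan(
    vlans=[
        Vlan(UNTAGGED, None, "192.168.68.0/24", "192.168.68.100", "192.168.68.199"),
        Vlan("iotvlan", 11, "10.1.1.0/24", "10.1.1.100", "10.1.1.199"),
        Vlan("guestvlan", 22, "10.2.2.0/24", "10.2.2.100", "10.2.2.199"),
    ],
    ssids=[
        Ssid("HomePrivate", UNTAGGED),
        Ssid("HomeIoT", "iotvlan", layer2_isolation=True, isolated=True),
        Ssid("HomeGuest", "guestvlan", layer2_isolation=True, isolated=True),
    ],
    allowed_lan_networks=[UNTAGGED],
)
```

Running check_plan(GOOD_PLAN) returns an empty list; flipping Inter-VLAN routing on, turning Layer 2 Isolation off, or adding the guest VLAN to Allowed LAN Networks each produces a named problem.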
One downside to isolating devices in a VLAN is that they lose access to a network printer. I have read that a firewall rule could open TCP port 631, used by IPP, on the VLAN with the printer and thus poke a hole in the isolation to allow printing. I have not yet tried this. One reason it may not work is that there are many ways to send jobs to printers and all printers may not support IPP.
The Surf SOHO has external, detachable antennas that use a standard connector providing two upgrade options. Obviously, you can replace the antennas. Or, less drastically, using an RP-SMA Female to RP-SMA Male cable you can simply move the antennas away from the router. For even better Wi-Fi you can add an Access Point to any router. Peplink has their own line of Access Points starting at $130, but they don't have any documentation about using their Access Points with the Surf SOHO.
Originally, the Surf SOHO could not schedule anything. When the ability to schedule things was first introduced in firmware 6.3 (December 2015), the number of things that could be scheduled was limited. As of firmware 6.3.2 (July 2016) the Wi-Fi can be scheduled, but individual SSIDs cannot. The scheduling of individual SSIDs is in the works and is tentatively planned for firmware 6.4. Being able to schedule network(s) to turn themselves off at times when no one will be using them is a nice security feature.
The Ethernet ports on the Surf SOHO have orange and green LEDs which can be very helpful in debugging a connection problem. If something isn't working, the first thing to check is whether, at the Ethernet level, the two devices are talking to each other. The LEDs also indicate the speed the Ethernet port is running at. Fewer and fewer routers seem to offer this. And, the Ethernet ports are metal, not plastic. I also like that the Ethernet ports are dedicated to WAN and LAN use. Many of the latest consumer mesh Wi-Fi router systems have Ethernet ports that determine for themselves whether they are on the LAN or WAN side of things. I don't know how that works, but it strikes me as an accident waiting to happen.
Speaking of the new consumer mesh router systems, many support Bluetooth, which opens a whole new can of worms when it comes to security. Those that I looked into, fail to document exactly what Bluetooth is used for. The Surf SOHO does not do Bluetooth.
Like all router vendors, Peplink also offers a smartphone app and a cloud service. The smartphone app is relatively new and not nearly as full-featured as the web interface. Their cloud service, InControl2, has a nifty feature: remote access to the web interface. If you are willing to use a cloud service (I am hesitant) this means you no longer need to deal with Dynamic DNS for access to a router whose IP address may change at any time.
NOTE: The Pepwave Surf SOHO is not the same as the Pepwave Surf On-The-Go (SOTG). They are quite different. The Surf On-The-Go is a small travel router with a single Ethernet port. It's also much cheaper. I own the Surf On-The-Go and would not recommend it. I have traveled with it and it worked just fine. But the software/firmware it runs is very different from the mainline Peplink software. Different, and to me at least, worse.
Another benefit of Peplink routers is debugging. There are two features that aid the company in solving a problem. The first is a Diagnostic Report that you can generate. The router will download a small diagnostic file (about 200K) that you can attach to a problem ticket when requesting technical support. What a great system. If Peplink needs to look at your router to debug a problem, you don't need to give them a password, the router has a built in Remote Assistance feature. Needless to say, it is off by default.
I once upgraded an old Surf SOHO (hardware version 1) with a new one (hardware version 2). I backed up the configuration settings from the old one to a file (many routers do this) and imported the file to the new router. It worked fine. Both routers were running the same firmware version.
The supported DDNS providers are: dyndns.org, changeip.com, no-ip.org, tzo.com and DNS-O-MATIC. There is also an option for other providers using a custom URL, but the other provider must support the DYN API. I tried to use dynu.com and it failed.
Back in 2014, a hacker found a flaw in Peplink software. It became news in November 2016 when the details were presented at a security conference. According to Lucian Constantin of PC World, the hacker "was impressed with how Peplink responded to his report and how the company handled the vulnerability." That's what you want in a router vendor. A Motherboard article by Andrada Fiscutean said basically the same thing:
The hacker notified Peplink. He was amazed by how fast they replied to his email, and how dedicated they were to patching the flaw. "[We] worked directly with Amihai so that we could release a fix as quickly as possible," Eric Wong, evangelist at Peplink, said. The patch was soon available. Their commitment to security made the hacker trust them. At home, Neiderman is using a Peplink router, the one the company gave him as a thank you for notifying them.
And, the flaw was only exploitable because the Peplink routers were miserably deployed. Whoever was in charge made at least three security mistakes configuring the routers.
FYI: From the Peplink Forum: "Peplink rocks! Total satisfaction" (July 22, 2017).
So far, I have been happy with Peplink and thus have not needed to experiment with other vendors. That said, reasonably priced hardware running professional grade firmware is also available from Ubiquiti. I say that based on what I have read; I have no personal experience with Ubiquiti branded devices. I have used the consumer AmpliFi division of Ubiquiti and was not impressed. To me, a big drawback to the Ubiquiti system is that some features require their Java based server software to be running 24x7, somewhere other than on their routers and access points.
Perhaps the most obvious alternative to Peplink is pfSense. I have not used pfSense but it is far more functional than the Surf SOHO and that is likely to mean the software is beyond the ability of non-techies to deal with. In contrast, I feel that the Surf SOHO user interface is no harder to deal with than the web interface of any consumer router. Buying a box with pfSense pre-installed is also much more expensive. The bottom-of-the-line SG-1000 is $150 with a single Ethernet LAN port and no Wi-Fi. Stepping up to the SG-3100 gets you 4 LAN ports, plus an Ethernet port that can either be used for dual WAN or as a LAN port. But, it costs $350 and also has no Wi-Fi. Professional tech support for pfSense is $590/year.
The two Synology routers, the newer RT2600ac and the older RT1900ac, are also on my short list. Again, I have no personal experience with them. They beat the Surf SOHO in that they self-update their firmware, they can function as VPN clients and they do LAN side file sharing. On the flip side, they support WPS, the Ethernet ports are cheap plastic rather than metal, and they don't have LED indicator lights. I do not know if they do a good job of firmware updating. The company brags that its user interface is "incredibly intuitive even for non-techy people" and the routers have many advanced features. As of mid-September 2017, the newer model cost about $210 and the older one is roughly $123. A couple of NewEgg reviews said tech support is bad. The ratings at Amazon.com are not great.
A few years back, I would have also included Ruckus Wireless, but I think they are now limited to producing access points. They used to produce reasonably priced routers; I had one.
The Surf SOHO is a bottom of the line Peplink product. Perhaps that's why it's sold under the Pepwave name. Peplink has an online store on their website but they only sell their more expensive routers. The cheaper stuff is sold by a small number of Peplink partners. Of these partners, the only one I have used is 3G store.
In 2013, when I purchased my first Surf SOHO, it was hardware version 1. The Ethernet ports were Fast Ethernet (100Mbps) and it cost $130 without external antennas (the Surf SOHO has an internal 1dBi omnidirectional Wi-Fi antenna).
In hardware version 2, the Ethernet ports were upgraded to Gigabit Ethernet (see technical specs). For a while it was available for $159 without external antennas, but that didn't last. By and large it was $179 with external antennas. I speed tested a version 2 model. A computer directly connected to a cable modem got the exact same speed when Ethernet connected to the router, about 112Mbps. As of early July 2016, version 2 was discontinued and no longer available for purchase.
To see which hardware version a specific Surf SOHO is, log on to the router, go to the Status tab, click on Device in the left side vertical stripe and look for "Hardware Revision" in the display. In their documentation, hardware versions 1 and 2 are referred to as HW1 and HW2, while version 3 is known as MK3.
Hardware version 3 upgrades the Wi-Fi from N to AC and the number of antennas from 2 to 3. It also offers concurrent dual-band Wi-Fi; the previous versions were single band. Technically, the Surf SOHO MK3 Wi-Fi is 3x3 MIMO. All three antennas send and receive on both bands. The maximum Internet speed is increased, up to 120Mbps, though as noted above, I have personally seen version 2 run at 112Mbps. Also new is a Kensington lock security slot. Pricing initially remained the same, roughly $180.
WHEN: Initially the new v3 Surf SOHO router was to have been available at the end of September 2016. As of early Oct. 2016, it was expected at either the end of October or early November 2016. As of November 7th it was expected at the end of November. In the US, it did become available sometime in late November 2016.
On Nov. 22, 2016, Peplink reseller 3Gstore wrote that "The New Pepwave Surf SOHO MK3 Has Arrived!"
An unboxing video of the new model, and a review, is available from RV Mobile Internet. They like it for "great support for tethering cellular modems and hotspots over USB."
Early January 2017: Out of stock at Amazon and 3G store and FrontierUS.
January 12, 2017: It is in stock at 3G Store.
January 20, 2017: It is in stock at Amazon.
February 15, 2017: It now costs $199 at both 3G Store and Amazon, but it is available.
February 15, 2017: Still out of stock at Frontier.
If you need more horsepower than the Surf SOHO offers, the most logical upgrades in the Peplink line are the Balance One (roughly $500 with Wi-Fi built-in) and the Balance One Core (roughly $400 without Wi-Fi).
As of mid-November 2016, the Balance One Core was $341 at Amazon.com and the Balance One was $439. In late December 2016, the Balance One Core was $399 and the Balance One was $499. These prices have not changed as of mid September 2017.
One reason to upgrade would be speed. The Surf SOHO maxes out at 100Mbps (soon to be 120Mbps); the two Balance One models support speeds up to 600Mbps (even higher for Windows machines). Another important feature is dual WAN. Both Balance One models support two concurrent Ethernet connections to two different ISPs. The Surf SOHO can only talk to one ISP at a time. This is a big deal, both in terms of speed and reliability. If one ISP fails, the router chugs along happily without it. When that ISP's connection is back up, the router gladly uses it again. From years of personal experience, I can attest that Peplink routers are great at handling multiple concurrent Ethernet WAN connections.
Both Balance One models come with 8 LAN ports which can be a big advantage to anyone interested in segregating LAN ports into VLANs - a really nifty security option.
The big difference between the Balance One models is Wi-Fi. The cheaper "core" model does not do Wi-Fi. However, the Wi-Fi on the more expensive model is limited. While it does support simultaneous dual-band, it does not support the latest AC flavor of Wi-Fi. It also does not support external antennas, which the Surf SOHO does. And, it is currently (Jan 2016) limited to creating the same three SSIDs as the Surf SOHO (although in response to a Forum question on this, Peplink said that they are planning on upping this to 16 SSIDs). And, perhaps the biggest limitation is that it does not support Wi-Fi as WAN, the ability to use a Wi-Fi connection as input rather than output. I have used this with a Surf SOHO, when the main ISP suffered a day-long outage. I turned on the hotspot feature in a smartphone and used the Wi-Fi coming out of the smartphone as input to the Surf SOHO. Worked like a charm.
Like the Surf SOHO, both Balance One models can use a USB based antenna, talking to a 3G/4G/LTE network. If you don't have a mobile device with a USB interface, smartphones running Android v4.x and later can be tethered to the USB port to provide LTE Internet access. Peplink touts this for failover on the Balance Ones but that is selling themselves short. The 3G/4G/LTE connection can also be used concurrently with a wired WAN connection, load balanced together. Peplink offers 7 different algorithms for load balancing multiple Internet connections.
Both Balance One models can be used as a controller for multiple Peplink Access Points - they are designed for small business use. For home use, if your house is really big, this can be useful.
I would suggest that anyone needing to step up from a Surf SOHO opt for the Balance One Core and add an access point (or two or three) to it. Peplink APs start at about $130. Then too, an existing Wi-Fi router can also be used to provide Wi-Fi: just plug it into one of the 8 LAN ports (either turn off DHCP in the Wi-Fi router or ensure it's using a different subnet from the Balance One Core). Take this advice with a grain of salt however; I have no hands-on experience with either Balance One model.