Router Security: Pepwave Surf SOHO Router
Website by Michael Horowitz
I spoke about Router Security at the O'Reilly Security Conference in New York City on Nov. 1, 2017. See a PDF of the slides
 

In 2013, I couldn't take the security flaws in router firmware any more and went looking for a low end business class router hoping to find professionally done firmware without paying a huge price.

The first company I considered was Peplink. I had run across them in 2011 while looking for a multi-WAN router. That seems to be their specialty. At the time (2011) I bought their cheapest multi-WAN router (a Balance 20 for $300 without WiFi) and it had performed great for those couple years.

By 2013, the Balance 20 was no longer the cheapest Peplink router, the company had introduced the Pepwave Surf SOHO which offered WiFi at roughly half the price of a Balance 20 but could only talk to one ISP at a time. I gambled on it, was impressed with the security features, and have used it ever since.

Note that I am not selling this router. I have no connection to Peplink/Pepwave. Peplink has not contributed to this page at all. There are some links on this page to where you can purchase the router, but they are not affiliate links. My only relationship to Peplink is as a customer.

Sections Below

- Why I recommend the Surf SOHO
- Three Hardware Editions
- Monitoring and Reporting
- Three Inputs
- Downsides
- Peplink Firmware
- Guest Networks
- And ...
- Closest Competition
- Buying the Surf SOHO
- More Horsepower

Why I recommend the Pepwave/Peplink Surf SOHO

I do not recommend the Surf SOHO for its speed (it's rated for 120Mbps), price or Wi-Fi range. I recommend it for professionally written, well supported, reliable as heck firmware - without the slew of security problems that affect consumer routers. There is nothing sexy about it; in fact, it's somewhat ugly. There is even a Downsides section below (it has shrunk over time). At roughly $200, many routers are cheaper, but the price is an amazing bargain for a business class router. For example, the step-up model is $500.

I recommend Peplink, even though they do not share my focus on security. In fact, for a long time their Wi-Fi routers did not even offer stand-alone WPA2. The most secure option was a combination WPA/WPA2; you could not restrict access to just WPA2. This has since changed, but it shows that their focus is not on security. It doesn't have to be. That's how bad consumer routers are.

Peplink is not a big name in routers. At a conference in the summer of 2015, I asked someone who had just given a presentation about routers what he thought of Peplink - and he had never heard of the company. This is a security feature in and of itself. Since Peplink routers are not used by millions of people, bad guys are probably not focused on finding their flaws.

A business oriented router includes a different set of features than consumer models.

For example, the Surf SOHO is capable of site-to-site VPN connections, something few consumers understand. It does this with PepVPN, which only connects to other Peplink devices (better security). I have used this to enable file sharing for a company with employees in different locations, and to make file backups easier. Files can be copied from one location to another exactly the same way they are copied from one folder to another. The site-to-site VPN does not have to run 24x7 and it can be configured such that only one end can initiate the connection. Thus, if you use it for connecting to your parents to back up their files, you can ensure that only your Peplink router initiates the connection, never theirs.

As a business class device, the Surf SOHO does not support WPS, which is great for security. WPS was the feature that turned me away from consumer routers in the first place.

Peplink actively maintains the firmware in their routers. Unlike consumer router vendors, they do not walk away from their older routers, thus requiring customers to buy a new router to get bug fixes. And, unlike higher end UTMs, there is no yearly fee to use their software/firmware. At one point, I had to pay to upgrade the Balance 20 router mentioned above from firmware version 5 to version 6, but that policy has since changed. Peplink was, at the time, still supporting version 5 of their firmware with bug fixes; I simply wanted a feature that was only offered in version 6.

When you buy a consumer router, you are buying the hardware. Router manufacturers aim to get the software (that is, firmware) as cheaply as possible. When you buy a Peplink router, you are buying the software. That's what they stake their claim on; it's what they build their reputation on. They are not unique in this, it is common among business class routers. Peplink just happens to offer this in the Surf SOHO at a remarkably low price.

Also, the user interface on some business class routers is meant for networking experts, and anyone else would have a hard time dealing with it. Ubiquiti is a great example of this. This is not true of Peplink/Pepwave: their user interface is just as easy for a non-techie to deal with as that of a consumer router.

On the security side, the Peplink firmware does a great job of locking down both local and remote administration as described on the Security Checklist page. Also, you can change the userid for administering the router. Many (most?) routers only let you change the password, not the userid.

And, Peplink has a GREAT feature: multiple firmwares. The router maintains two copies of the firmware, which takes almost all the risk out of both making configuration changes and upgrading the firmware. If something goes wrong, you can reboot the router to fall back to the way things were before the change. This feature alone is enough to recommend their product line.

The Peplink firmware is also very good at monitoring the network. Perhaps most importantly, it has a detailed display of the currently connected devices. You can assign friendly names to devices (e.g. Harvey's iPad) to make it easier to identify them. For wireless devices the router shows the signal strength of the connection, a rare feature. You can drill down on any particular device and see all of its connections to the Internet. I have used this feature to verify that a VPN is doing what it is supposed to be doing: funneling all data to a single VPN server. If the Internet feels slow, the router displays the current bandwidth used by each device and also has many history reports of bandwidth per device.

Peplink offers unusually good technical support at the support forums on their website. The forums are populated by people that understand the technology and intelligently respond to questions. This thread is an excellent example. The company had originally marketed their Balance One router as supporting Gigabit speeds, but when a customer inquired, they found Windows machines in their lab were getting 900Mbps and recent Mac OS X machines were only getting 700Mbps. They came clean about this, admitted they were puzzled at first, and now sell the Balance One router as supporting 600Mbps. I find the honesty extremely refreshing and it really makes me trust the company.

It is very easy to report a bug to Peplink (website home page -> Support -> Contact us) and they respond quickly to it - and the response is intelligent. And, your router does not have to be under warranty to report a bug.

Peplink supports VLANs. As a rule, all the devices in your home share one network, referred to as a LAN or Local Area Network. The problem with this is that a device in your home may be malicious and try to corrupt other devices. Also, not every device in your home needs to share files or printers with all the other devices. VLANs let you logically separate the devices in your home into different groups. When I first tried to set up a VLAN in 2015, I found the documentation useless. That said, I asked for help in their online Forum and eventually was able to create a VLAN-isolated Wi-Fi network with their help. Thus, my Surf SOHO had one Wi-Fi network on the main LAN where devices can share printers and files, and another Wi-Fi network where devices were isolated.

Originally, Peplink only supported VLANs for Wi-Fi networks but you can now also assign the Ethernet LAN ports to VLANs. That is, you can assign each LAN port to a different VLAN (screen shot is from firmware 6.3.2), or you can group LAN ports into VLANs.

All three hardware versions of the Surf SOHO run reasonably cool. Still, if you put your hand on the top, you can tell where the CPU is.

It can function as a VPN server using L2TP/IPsec (Advanced -> Remote User Access, in both firmware 7.0.1 and 6.3.4). Nobody thinks PPTP is secure, nonetheless it also offers a PPTP server.

Privacy: A number of new routers require you to have an account with the hardware manufacturer. Peplink does not. Some routers cannot be configured offline; Peplink routers can. Some routers phone home with assorted data to the hardware manufacturer. Peplink does not, as long as their InControl system is disabled.

The Surf SOHO can create isolated wireless networks, much like Guest networks, where devices can get to the Internet and nothing else. Much more on this below in the section on Guest Networks.

It supports both UPnP and NAT-PMP, but each is disabled by default, which is the secure default. This illustrates how the Surf SOHO is a business class router vs. a consumer router. Consumer routers typically ship with UPnP enabled because it's cheaper - it avoids tech support calls. But it is not as safe for the Internet at large. A huge reason IoT is a security disaster is that UPnP is enabled by default. Google's second generation routers, Google Wifi, have UPnP enabled by default - they are marketed at consumers. Ditto for the Ubiquiti AmpliFi mesh router system.

The Surf SOHO offers full control over DNS, yet another indication of its being a professional device rather than a toy. Typically, devices on a network are assigned DNS servers by the router. But any computing device can be configured to use whatever DNS servers it wants. If, for example, parents configure their router to use DNS servers that block porn, the kids can change their computers to use other DNS servers that don't block anything. However, the kids' computers still go through the router, and the Surf SOHO sees their DNS requests and can, optionally, re-route them to the DNS servers the router is configured to use. This forces kids to hack into the neighbor's Wi-Fi network :-) I have seen my Roku box make DNS requests using Google's DNS server (8.8.8.8). Don't know why it does that, but with the Surf SOHO, I can force the Roku box to use my preferred DNS servers.
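The Roku example above is a case of a device quietly ignoring the DNS servers the router hands out. The script below, an added example that is not Peplink's code, shows how to spot that from per-device connection records before (or instead of) turning on the router's DNS redirection. The record format, device names and resolver addresses are all constructed for this example; the Surf SOHO's own log format is not described on this page.

```python
"""Spot LAN devices that bypass the router's DNS servers.

Added example, not Peplink firmware code. The connection records below
are constructed: (friendly device name, destination IP, destination port,
protocol), the kind of data the per-device connection view shows.
"""
from collections import Counter

# DNS servers the router is configured to use (constructed values).
APPROVED_RESOLVERS = {"192.168.50.1", "9.9.9.9"}

# Ports that carry DNS. Port 853 is DNS over TLS: encrypted, so a router
# that only redirects plain port-53 queries will not catch it.
DNS_PORTS = {53: "plain DNS", 853: "DNS over TLS"}

# Constructed sample records for a handful of devices.
SAMPLE_RECORDS = [
    ("Harveys-iPad", "192.168.50.1", 53, "udp"),
    ("Roku", "8.8.8.8", 53, "udp"),
    ("Roku", "8.8.4.4", 53, "udp"),
    ("Roku", "23.21.6.5", 443, "tcp"),
    ("Kids-Laptop", "1.1.1.1", 53, "udp"),
    ("Kids-Laptop", "1.1.1.1", 853, "tcp"),
    ("Printer", "192.168.50.1", 53, "udp"),
]


def find_dns_bypass(records, approved=APPROVED_RESOLVERS):
    """Return {device: Counter({"ip:port": count})} for DNS traffic that
    went somewhere other than an approved resolver."""
    findings = {}
    for device, dst, port, _proto in records:
        if port not in DNS_PORTS:
            continue          # not DNS traffic at all
        if dst in approved:
            continue          # went to a resolver we chose
        findings.setdefault(device, Counter())[f"{dst}:{port}"] += 1
    return findings


def summarize(findings):
    """One human-readable line per (device, resolver, port) combination."""
    lines = []
    for device in sorted(findings):
        for target, count in sorted(findings[device].items()):
            ip, port = target.rsplit(":", 1)
            lines.append(f"{device}: {count} {DNS_PORTS[int(port)]} queries to {ip}")
    return lines


if __name__ == "__main__":
    for line in summarize(find_dns_bypass(SAMPLE_RECORDS)):
        print(line)
```

Plain port-53 redirection, whichever router does it, only sees unencrypted queries; that is why the script also flags port 853, where a device using DNS over TLS would otherwise slip past the router's DNS policy unnoticed.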

A nice Wi-Fi feature is the ability to limit the channels used by the automatic channel selection. On the 2.4GHz band, it is generally agreed that everyone wins when routers limit themselves to channels 1, 6 and 11. You can force this on the Surf SOHO MK3 by editing the list of allowable channels (see a firmware 7.0.2 screen shot). I have not tested how well the Surf SOHO picks Wi-Fi channels, but if it is making a bad choice on the 5GHz band, you can limit the channels there too.

Firmware 6.3, released in December 2015, added Wake On LAN (WOL). This is great for working on grandma's computer while she is sleeping. If you have given devices on your LAN friendly names, the Wake-on-LAN feature, thankfully, displays these friendly names so you don't need to keep track of the MAC address for each device.

The web interface is not hard to use. Granted, this is a matter of opinion, but it's not just mine. It is basically the same as the web interface of any consumer router, except that it offers some additional features. You can test drive the user interface at peplink.com/products/balance/live-demo. As of October 2017 the demo was of a very high end model, the Balance 710, running firmware version 7.0.2.

Peplink routers do not spy on you. Some Asus routers include software from Trend Micro that phones home (see here and here). In May 2017, Netgear started enabling Router Analytics by default on some of their routers. Most mesh router systems, such as Eero and Google Wifi, phone home with unknown data about your network activity. According to PC Magazine, the Norton Core Secure router has a privacy policy that says "we will not sell or rent your or your Child's Personal Information to any third parties for marketing purposes," which raises the question of just what data they have. The article also notes that Norton "will respond to legal requests for information from law enforcement that could include your data." Ugh.

Uploading a large file will not hog the Internet connection in a way that prevents other users from using the full available download bandwidth. This is thanks to an option called DSL/Cable Optimization (see screen shot from firmware 7.0.2).

Finally, Peplink makes it very easy to report bugs, which is a huge contrast from consumer router companies. You simply go to the support section of their website and the link is not hard to find. They also publish it in their Release Notes. All you need is an email address and the serial number of your Peplink router. From personal experience, I can say that they do respond to bug reports.

Three Hardware Editions

There are three hardware versions/editions of the Surf SOHO. The first two were very similar, the main difference being the speed of the Ethernet ports. On the first version the ports ran at 100Mbps, the second edition upped this to Gigabit Ethernet. The second edition was retired around July 2016. The third edition went on sale at the end of 2016.

The first two editions supported both the 2.4GHz and 5GHz frequency bands, but you could only use one frequency band at a time. And, they maxed out at Wi-Fi N. The third edition added Wi-Fi ac, concurrent dual band Wi-Fi and a Kensington lock security slot.

The WAN speed rating was increased from 100Mbps in version 2 to 120Mbps in version 3. I speed tested a version 2 model many times and saw it run at 112Mbps, the exact same speed as the modem without the router being connected. And these were real tests with the router implementing a host of features. Some vendors quote speeds with all features disabled which is not realistic.

Peplink refers to the first version as HW1 and the second as HW2. Makes sense. For whatever reason, the third version is known as MK3. Beats me why.

The picture at the top of this page shows the front of the third edition (MK3). Here is the rear view of the first two editions. There are two RP-SMA antenna ports and the USB port is only used for WAN antennas. The Wi-Fi Signal Strength only applied to the Wi-Fi as WAN feature. Here is a picture of the rear of the third edition. There are now three antennas instead of two and the Wi-Fi signal strength LEDs have been removed. In all cases, the Ethernet ports are metal rather than plastic and they all have small LEDs that indicate the link speed.

To see which hardware version a specific Surf SOHO is, log on to the router, go to the Status tab, click on Device in the left side vertical stripe and look for "Hardware Revision" and model number. Hardware versions 1 and 2 are labeled as such. Version 3, however, is also labeled as version 1 (last verified with firmware 7.0.2). Version 3 actually identifies itself by MK3 in the Model field. Stooopid it is.

All three hardware versions have internal Wi-Fi antennas. The specs for the MK3 edition do not mention the internal antennas. The first two editions had a configuration option for using either the internal or external antennas. This was removed in the MK3 version.

The internal antennas on the first two editions were 1dBi omnidirectional. On the MK3, the external antennas are 3x3 MIMO. All three antennas send and receive on both bands.

On the MK3 edition, each SSID has its own frequency band profile. That is, for each SSID, you can specify if it lives only on the 2.4GHz band, only on the 5GHz band, or on both frequency bands. This was not an issue with the first two versions as they only supported one frequency band at a time.

As noted above, the feature that can limit the Surf SOHO to channels 1, 6 and 11 on the 2.4GHz band (when it is allowed to dynamically choose the channel on its own) is only available on the MK3 edition.

See the technical specs for the MK3 edition.

Monitoring and Reporting

The Surf SOHO does a good job of showing you what's going on.

This starts with the list of attached devices, all shown on one screen, making it easy to spot anything out of the ordinary. The router lets you assign friendly names (e.g. Susan's iPad, Joe's laptop) to the attached devices. It shows which SSIDs wireless devices are connected to and the signal strength from the point of view of the router. You also see the current upload and download bandwidth used by each device. It's a lot of useful information in one place.

If one device sparks interest, you can drill down to see all the Internet connections it currently has, although this is not as easy as it could be. One use of this feature is to ensure that a VPN-connected device is, in fact, communicating only with the VPN server. Another use is to check that a mobile device doing online banking has an encrypted connection to the bank. Or, you can use it to check if a Smart TV is phoning home and reporting on your viewing habits.

The Surf SOHO also does a great job reporting on bandwidth usage. It has a daily bandwidth summary that shows total Upload and Download Megabytes. From the daily summary, you can drill down to an hourly summary. From the hourly summary, you can drill down to each specific device within that hour.

Bandwidth monitoring also includes current bandwidth (see sample report). The bandwidth display moves from right to left. The vertical axis changes, dynamically, as needed. The router always displays the average and peak download speed (green) and upload speed (blue).

This can help you see if you are getting the speed you pay for from your ISP. For example, here is a current bandwidth report taken just after uploading a very large file. The average upload speed was 14.14Mbps with a max/peak speed of 16.57Mbps. If the expected outbound speed of this Internet connection was 20Mbps then it is performing fine. However, if the expected speed was much higher than 20Mbps, then it is under-performing. Of course, this could also be a limitation on the machine accepting the uploaded file.

If nothing else, the current bandwidth reports can double check an Internet speed test utility/site. Or, maybe you are paying your ISP for speed that's so fast, you can't use it. For example, if you pay for 200Mbps down and your peak usage when downloading multiple big files concurrently is only 80Mbps, then you can save money with a slower cheaper connection. It is very unlikely any ISP provided router will provide this information.

The Surf SOHO can email you about a limited number of error conditions. The only error I have been notified about, so far, is when the ISP goes off-line and when it comes back on-line. With a single WAN connection, the off-line message can't be sent until it comes back on-line, unless you set up automatic fail-over. Still, it is useful to know about outages, though it's much more helpful on a multi-WAN device such as the Peplink Balance series, where the message goes out immediately via the still-working WAN connection. The emails can be sent using any email address. Here is a screen shot of configuring the Surf SOHO to be an email client.

And, Three Inputs

As a Defensive Computing kind of guy, the Surf SOHO allows for a great backup system should the primary ISP suffer an outage.

It supports a feature Peplink calls "WiFi as WAN" that lets the router use a WiFi network as input. At first, I thought nothing of the feature. Then, one day, my ISP went down for the good part of a day. What to do? In the old days I would connect a single important laptop to a smartphone WiFi hotspot, but now I had more devices that needed to be online. And, some of them were Ethernet connected to the router. So, I fed the Surf SOHO the WiFi hotspot from a smartphone and it worked great. When the phone had to leave the premises, I fed the router from a different smartphone. This allowed many devices to share the smartphone hotspot and none of them had to change in any way at all. They talked to the router before, during and after the ISP outage in exactly the same way (be it Ethernet or WiFi). Interestingly, the "WiFi as WAN" feature causes the router to use WiFi for both input and output concurrently.

Of course a smartphone gets its Internet access from a 3G/4G/LTE network as do assorted MiFi type devices. Likewise, the Surf SOHO can use 3G/4G/LTE for Internet access, without a smartphone. Peplink supports many cellular antennas that can be plugged into the USB port of the router. In addition, you may be able to plug an Android phone into the USB port of the Surf SOHO for wired tethering. The Android phone has to support this, something that can be tested using a computer before trying it on the router. Wired tethering should be faster than feeding the router Wi-Fi from a smartphone, but I have not tried this. And, I think this is only possible with Android, iPhones would have to feed the router with Wi-Fi.

The Surf SOHO lets you define the three inputs in priority order. For example, it can be configured to use a wired ISP normally and, should that fail, to fall back to a Wi-Fi network for Internet access and, if that's not available, fall back to a 3G/4G/LTE network. What the Surf SOHO does not do is use two different Internet sources at the same time (a feature called multi-WAN). Most Peplink routers support this, but they cost more than the Surf SOHO.

The WiFi as WAN feature would also let you travel with the Surf SOHO (it's not all that big). This feature could be used to connect the Surf SOHO to Wi-Fi offered by a hotel. All your devices, both Ethernet and Wi-Fi, would be much safer connecting to the Surf SOHO rather than directly to the hotel network.

In August 2016, I blogged about an experience using Wi-Fi as input to the Surf SOHO.

In June 2017, John Hagensieker wrote about connecting a router running DD-WRT to a cellphone hotspot: iPhone Tethering with Router with DD-WRT.

Downsides

No product is perfect and the Surf SOHO has its downsides.

If your Internet connection is faster than 120Mbps, the Surf SOHO is probably not for you. That said, routers do not have a single speed rating; much depends on the features that are enabled. For example, Doug Reid of SmallNetBuilder.com found that enabling Smart queue QoS slowed down the throughput of a Ubiquiti EdgeMAX EdgeRouter Lite from 940 to 120 Mbps. Routers can also employ Cut Through Forwarding to artificially inflate their speed rating. Since Peplink does not compete on speed, their speed self-rating is likely to be conservative. Still, for connections of 200Mbps or higher, see the More Horsepower section below.

When upgrading a cable modem, I did some detailed speed tests with a second generation Surf SOHO (speed rating of 100Mbps). Speeds vary all the time, even minute to minute, so any such testing is of limited value. That said, using Fast.com, a computer tested at 91Mbps down through the router and a gigabit switch and tested at 120Mbps when directly connected to both the old and new modem. I know, I should not have tested through a switch, but I had the network to myself. At DSL Reports, the computer tested at 102Mbps through the router and switch vs. 114 directly connected to each modem. At Speedtest.net it tested at 97 connected to the router and switch, vs. 117 connected directly to each modem. So, it seems the speed rating of 100Mbps for the router is spot on. In all cases the upload speeds were identical, 11 or 12Mbps.

Peplink devices, the Surf SOHO included, do not offer file or printer sharing based off the USB port. The routers have a USB port, but it is used for a 3G/4G/LTE antenna to provide Internet access. I consider this a plus because this type of file sharing has been associated with a number of security bugs. Some may consider it a minus.

When it comes to VPNs on routers, everyone is focused on the router providing a VPN server. My focus, however, is on a router that provides a VPN client and the Surf SOHO does not offer this. The Resources page has links to many routers that can function as either a VPN or TOR client. As for VPN server software, the Surf SOHO offers L2TP/IPsec and the insecure PPTP. It does not offer OpenVPN. On the other hand, the VPN server can limit VPN clients to a specific VLAN.

Rate limiting is limited. The Surf SOHO has a single knob (so to speak) for limiting bandwidth usage. You can set a maximum download and a maximum upload speed, but it applies to every device on the network. Higher end Peplink routers let you put network devices into one of three groups: Manager, Staff, and Guest with bandwidth limits applied to the Staff and Guest groups.

Because the Surf SOHO has no dedicated Guest network feature, it is missing some restrictions other routers can put on Guest users, such as limiting the time they can use the network.

The Surf SOHO does not log blocked incoming connection attempts. On routers that do, I find this very interesting data to peruse, but that's me.

There is no Wi-Fi on/off button on the Surf SOHO.

On the MK3 (third) hardware version of the Surf SOHO, the web interface is confusing in the way it identifies the hardware version. In the Status section (Device sub-section) it identifies itself as "Hardware Revision 1". You have to check the Model field to look for the MK3.

The MK3 edition has a WiFi LED on the front panel that blinks all the time. I find it annoying. It blinks slowly to indicate that Wi-Fi is enabled but there are no wireless clients, and it blinks continuously to indicate wireless data transfer. Tape may be your friend.

The Surf SOHO is a single device and any single device will have a much more limited Wi-Fi range when compared to a mesh router system. Peplink does not make a mesh router system. That said, there are two ways that owners of any single router can increase their Wi-Fi range.

  1. A mesh router system can be plugged into a LAN port of the router. The downside is that consumer mesh routers offer less information about connected devices than the Surf SOHO does. Also, they don't support VLANs.
  2. An access point, a Wi-Fi transmitter, can be plugged into a LAN port of the router. Peplink has their own line of Access Points starting at $130, but they don't have any documentation about using their Access Points with the Surf SOHO. They focus more on using them with higher end Peplink devices.

Most vendors do worse, but still, the Peplink documentation is poor. While it is extensive in terms of the number of pages, it is amazingly devoid of information. The company does try - they update their documentation regularly and they keep it in sync with changes to their firmware, which is much more than other router companies do. But, to me, it's 300 pages of "Enter your name in the Name field" repeated over and over and over. Lots of words, very little information. Specifically, it lacks background information and an explanation of concepts. It is documentation for experts. Not that consumer routers are any better.
NOTE: As of Oct. 2017 they seem to have fallen behind on updating the User Guide. The latest edition is from Jan. 2017 for firmware 7.0. It was not updated for firmware 7.0.1 or for 7.0.2.

Peplink Firmware

Like many routers, those from Peplink can back up the current settings to a file that you download. To back up the current settings at any time in firmware 7.0.2, go to System -> Configuration -> Download Active Configurations. This downloads a very small .conf file. The file name starts with yyyymmdd, then the Peplink model number, then the serial number of the device. A really nice thing that Peplink does is to always remind you to make a backup of the current router settings before it installs new firmware (see a screenshot). All routers should do this.

A check for new firmware from the router web admin site often fails to find available updates. In March 2016, firmware 6.2.2 failed to find either the newer 6.3 version or the even newer 6.3.1 edition, which was, at the time, a month old. That said, things may be looking up: in July 2016 firmware 6.3.1 did detect that 6.3.2 was available, and in October 2017, firmware 6.3.4 detected that 7.0.2 was available.

I have yet to see a router vendor that documents their firmware upgrade procedure, so here is what to expect. As with other routers, the firmware can be updated automatically or manually. I suggest the manual procedure because it provides much more feedback during the process. Here are screenshots of manually upgrading the firmware from 6.2 to 6.3. The first phase validates the just-downloaded (or just-uploaded, if doing this manually) firmware. The second phase is the actual installation which, you are warned, takes about 6 minutes. In the third phase the router re-boots into the new firmware. In my experience the router display may hang here forever or it may revert to the logon screen. An online update from 6.3.1 to 6.3.2 in Aug. 2016 hung after saying it was installing the new firmware. The upgrade ran fine, it just told me nothing.

When administered locally, firmware updates are a manual thing. Some routers can self-update, I have a list of those I know about on the Resources page. That said, none of the routers self-update well. It is as if everyone was still beta testing the feature. My specific gripes with the way things are done are on the Firmware Self-Updating page. While non-techies are probably better off with a self-updating router, it strikes me as an accident waiting to happen. I have already heard about Google Wifi rebooting itself in the middle of the afternoon and screwing someone up.

I have very little experience with Peplink's online administration service, InControl2. However, I have seen that it can schedule firmware updates (screen shot).

As for notification about firmware updates, Peplink sometimes emails you when there is a major update - here is an example from December 2015, announcing version 6.3. But that is the exception rather than the rule. The burden of learning about firmware updates is mostly on your shoulders. At least, it is if you are limited to the web interface in the router. Again, InControl2 is different.

While maintaining two copies of the firmware is a great feature, you cannot download a newer firmware to use later. Whenever new firmware is downloaded (or uploaded, if doing it manually), the router automatically reboots and uses it. That said, the only real downside is the router reboot, because you can always reboot it back into the firmware you were using just before the last update. Again, InControl2 is different.

In October 2017 when the KRACK flaw in WPA2 made news, Peplink issued a Security Advisory on day one: Security Advisory: WPA2 Vulnerability (VU#228519). The normal Wi-Fi access point functions of their routers were not affected by this vulnerability. However, routers that support Wi-Fi as WAN were affected. Fixed firmware was released in about two weeks. All router vendors, but one, responded to the KRACK flaw in some way; at the least, they issued a press release saying they were researching the issue. The lone holdout was Apple.

Guest Networks

This is a good news bad news story. The good news is that, if configured correctly, the Surf SOHO offers the best possible security for a Guest Wi-Fi network. The bad news is: getting to that point is hard. Or, rather, it was hard for me, but following the steps below should make it easy for you.

By the "best possible security" I mean that guest users can see the Internet and nothing else. That is, devices on the Guest network are totally isolated from all other devices connected to the router. If an IoT device is hacked, buggy or malicious, it can not infect or spy on anything else; it can't even detect that other devices are connected to the same router. Specifically:

The Surf SOHO does not offer an explicit option for Guest networks. The documentation on this issue is disgraceful. Even 3GStore, a retailer of Peplink devices, put out a note for their customers about creating Guest networks on the Surf SOHO that was wrong.

CONCEPT

Isolating wireless devices from the main LAN requires a VLAN (Virtual LAN). Rather than all the devices attached to the router being part of one big group, VLANs allow you to make sub-groups of devices attached to the router. One sub-group could be all the devices attached to a specific SSID (the Surf SOHO can create three SSIDs). Another group might be devices plugged into LAN ports 1 and 2.

Normally, the reason we create a VLAN is to have isolated groups of devices. However, that is not the only usage, so Peplink has a checkbox for each VLAN to control whether it is isolated or not. Isolation good.

The basic approach is to first create a VLAN (that is, give it a name and a number), then assign an SSID to it. This puts all the wireless devices connected to that SSID into that VLAN/group. If only one SSID is using a specific VLAN, then those devices are isolated from other devices using the router. Then, to prevent devices on the same SSID from seeing each other, we need to enable "Layer 2 isolation".

DETAILED STEPS

VLANs are an advanced topic and support for VLANs is disabled by default.

To enable VLANs in both firmware 6.3.x and 7.0.x, do Network -> LAN -> Network Settings. In the "IP Settings" section at the top of the page, click on the white question mark in the blue circle. The small window, shown here, pops up saying "If you need to define multiple VLANs, press here". Click on the word "here". A second window pops up that says "The LAN settings will be switch to advanced mode with VLAN support. Are you sure?" Click on the Proceed button. Then, click on Apply Changes on the main menu bar (black horizontal stripe across the top of the screen).

Applying the changes takes you back to the main Dashboard page. Go back to Network -> Network Settings. Before creating new VLANs, there are two changes I would make. Start by clicking on "Untagged LAN" and turn off the checkbox for Inter-VLAN routing. Then, I would give it a more descriptive name, something like PrivateLAN or PrivateNetwork or MikeysPrivateLAN. Then click the gray Save button at the bottom of the window and, again, Apply Changes. Then back to Network -> Network settings.

With VLAN support enabled, the router will display a new gray button labeled "New LAN". It really should say "New VLAN". To actually create a VLAN, click on this button and you should see this screen (as of firmware 6.3.3).

Next, you assign both a name and a number to the VLAN. The name can be anything that makes sense to you. If you intend to use the VLAN with a single SSID, then name it after that SSID with "vlan" as part of the name. For example, the VLAN for SSID "michael" might be called "michaelsvlan". The VLAN number is not particularly important, as long as it's unique. Peplink refers to the number as a "VLAN ID" but it's just a number. Again, to isolate this new VLAN, do not enable Inter-VLAN routing.

Each VLAN gets its own sub-network (aka subnet) which requires you to enter three IP addresses. As an example, consider the 10.22.22.x subnet from the prior screen shot.

  1. The first field, called simply "IP Address", is the IP address of the router on this subnet. At first this can be confusing, as this is a second IP address for the router. From the main network, the router can be addressed as 192.168.50.1 (using Peplink defaults) but from this new VLAN/subnet, it has to be addressed as something starting with 10.22.22. In the screen shot, the secondary router IP address is 10.22.22.2. Why 2? It is best to avoid an IP address that ends with 1 or 254. For more, see the IP address page.
  2. The other two IP addresses you need to enter are the DHCP IP range. The vast majority of devices that connect to a router are assigned an IP address when they connect. DHCP is the protocol that handles this. For the 10.22.22.x subnet in the screen shot the DHCP IP Range is 10.22.22.100 through 10.22.22.199. The router's IP address should be outside the DHCP range.

The maximum number of devices allowed on a subnet is complicated. However, it is simple and almost always good enough to use the common standard of 256. This is defined using something called a subnet mask, which is the number just next to the router IP address in the example screen shot. The value, 255.255.255.0 (/24) means, in English, a maximum of 256 devices are allowed on this subnet. In the example, however, the network is limited to 100 devices, numbered 100 through 199. It could just as easily have been 10.22.22.5 through 10.22.22.252.

If you like to be neat, you can relate the VLAN number/ID to the subnet. For instance, subnet 192.168.2.x could be assigned to VLAN number 2 and 192.168.8.x could be assigned to VLAN number 8. This is totally optional.

Also note that each VLAN can have different DNS servers. One great use for this might be to use a child-friendly DNS service on an SSID that kids use, and a non-restrictive DNS service on an SSID that adults use. VLANs can also have different Content Blocking rules.

Next, to assign an SSID to this VLAN, do AP -> Wireless SSID and click on the name of a network. The process of assigning it to a VLAN, at this point, is simple: there is a drop-down list of the available VLANs. Be sure to click the Apply Changes button on the top of the screen. When this is done, the SSID is isolated from the main LAN and from other SSIDs. It now has its own subnet.

Then, to prevent devices on the same SSID from seeing each other, we need to enable "Layer 2 isolation". In Firmware 6.3 and 7.0, do AP -> Wireless SSID -> click on the SSID name, then turn on the checkbox for "Layer 2 Isolation". There is, however, a small user interface gotcha. The first time you do this, at least as of firmware 7.0.1, the option for Layer 2 Isolation is not visible. As with VLANs, the router defaults to a simple mode and you need to know the secret handshake to see advanced settings. The secret handshake in this case is the white question mark in the blue circle (see screen shot). You need to click it, and then click again, where instructed, to see the advanced settings. The advanced settings stick around for a while, but you may have to do this again the next time.

Finally, you can control which VLANs can logon to the router. To see this option in firmware 7.0.2, go to System -> Admin Security -> Allowed LAN Networks. By default, everyone can logon to the router but this is best changed to limit local access to a single VLAN. In the example, only MikeysPrivateLAN is allowed access to the router. Using our earlier example, this prevents anyone on the 10.22.22.x subnet/VLAN from logging on to the router using IP address 10.22.22.2. They won't even be able to view the logon page. Interestingly, this setting also blocks Peplink's own mobile app from talking to the router, if it connects to an SSID/VLAN that is not allowed in. I learned that the hard way.

At this point, you have a single, totally isolated, guest SSID.

The Surf SOHO allows for more than one isolated SSID. Simply create another VLAN for the second network. The Surf SOHO can create a maximum of three SSIDs. One approach is to use one isolated SSID as a Guest network and to use another for IoT devices that don't need to access shared resources such as files, a network printer or a NAS device. IoT devices in this category might be a Roku box, an Apple TV or an Internet radio. In this case, the subnets might be
  -- 192.168.68.x for the shared network (Ethernet devices and the non-isolated SSID)
  -- 10.1.1.x for the IoT isolated SSID
  -- 10.2.2.x for the Guest isolated SSID
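Before typing a plan like the one above into the router, it is worth checking it against the rules given in the steps: router IP outside the DHCP range and not ending in .1 or .254, unique VLAN IDs, and subnets that do not overlap. The checker below is an added example, not Peplink code; the field names mirror the "New LAN" screen described above, and the sample plans are constructed from the subnets this page uses.

```python
"""Sanity-check a Surf SOHO style VLAN/subnet plan before entering it.
Added example, not Peplink code: the fields mirror the "New LAN" screen
(name, VLAN ID, router IP, subnet mask, DHCP range) and the checks are
this page's own advice, nothing more."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


@dataclass(frozen=True)
class Vlan:
    name: str
    vlan_id: int
    router_ip: str    # the "IP Address" field: the router's address on this subnet
    netmask: str      # dotted mask, e.g. "255.255.255.0" (/24)
    dhcp_start: str   # first address of the DHCP IP Range
    dhcp_end: str     # last address of the DHCP IP Range

    @property
    def network(self) -> IPv4Network:
        """The subnet implied by router IP + mask, e.g. 10.22.22.0/24."""
        return IPv4Interface(f"{self.router_ip}/{self.netmask}").network

    def dhcp_capacity(self) -> int:
        """How many devices the DHCP range can hand addresses to."""
        return int(IPv4Address(self.dhcp_end)) - int(IPv4Address(self.dhcp_start)) + 1

    def check(self) -> list[str]:
        """Problems with this one VLAN; an empty list means it looks sane."""
        problems = []
        net = self.network
        router = IPv4Address(self.router_ip)
        start, end = IPv4Address(self.dhcp_start), IPv4Address(self.dhcp_end)
        # The page's advice: avoid router addresses that end in .1 or .254
        if int(self.router_ip.rsplit(".", 1)[1]) in (1, 254):
            problems.append(f"{self.name}: router IP {router} ends in .1 or .254")
        if router in (net.network_address, net.broadcast_address):
            problems.append(f"{self.name}: router IP {router} is the network or broadcast address")
        if start > end:
            problems.append(f"{self.name}: DHCP range {start}-{end} is reversed")
        if start not in net or end not in net:
            problems.append(f"{self.name}: DHCP range {start}-{end} is outside {net}")
        # The router's own address must sit outside the DHCP range
        if start <= router <= end:
            problems.append(f"{self.name}: router IP {router} is inside the DHCP range")
        return problems


def check_plan(vlans: list[Vlan]) -> list[str]:
    """Per-VLAN checks plus the cross-VLAN ones: unique IDs, no overlapping subnets."""
    problems = []
    for v in vlans:
        problems.extend(v.check())
    ids = [v.vlan_id for v in vlans]
    for vid in sorted(set(ids)):
        if ids.count(vid) > 1:
            problems.append(f"VLAN ID {vid} is used by more than one VLAN")
    for i, a in enumerate(vlans):
        for b in vlans[i + 1:]:
            if a.network.overlaps(b.network):
                problems.append(f"{a.name} ({a.network}) overlaps {b.name} ({b.network})")
    return problems


# Constructed plan using the subnets this page uses as examples: the
# 10.22.22.x screen-shot subnet plus the IoT and Guest subnets listed above.
GOOD_PLAN = [
    Vlan("michaelsvlan", 22, "10.22.22.2", "255.255.255.0", "10.22.22.100", "10.22.22.199"),
    Vlan("iotvlan", 1, "10.1.1.2", "255.255.255.0", "10.1.1.100", "10.1.1.199"),
    Vlan("guestvlan", 2, "10.2.2.2", "255.255.255.0", "10.2.2.100", "10.2.2.199"),
]

# Constructed mistakes: a duplicate VLAN ID, a subnet that collides with the
# IoT VLAN, and a router address that falls inside its own DHCP range.
BAD_PLAN = GOOD_PLAN + [
    Vlan("oops", 1, "10.1.1.150", "255.255.255.0", "10.1.1.100", "10.1.1.199"),
]

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(f"{label}: {check_plan(plan) or 'no problems found'}")
```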

One downside to isolating devices in a VLAN is that they lose access to a network printer. I have read that a firewall rule could open TCP port 631, used by IPP, on the VLAN with the printer and thus poke a hole in the isolation to allow printing. I have not yet tried this. One reason it may not work is that there are many ways to send jobs to printers and all printers may not support IPP.

AND ...

The Surf SOHO can create three wireless networks. This is better than some routers, worse than others. I find it sufficient as it lets me have a private WiFi network for trusted devices, a guest WiFi network and a dedicated, isolated WiFi network for IoT devices.

The Surf SOHO has external, detachable antennas that use a standard connector providing two upgrade options. Obviously, you can replace the antennas. Or, less drastically, using an RP-SMA Female to RP-SMA Male cable you can simply move the antennas away from the router.

Originally, the Surf SOHO could not schedule anything. When the ability to schedule things was first introduced in firmware 6.3 (December 2015), the number of things that could be scheduled was limited. As of firmware 6.3.2 (July 2016) the Wi-Fi could be scheduled, but individual SSIDs could not. The scheduling of individual SSIDs is now available in firmware version 7.0. Being able to schedule network(s) to turn themselves off at times when no one will be using them is a nice security feature.

Here is a screenshot of a custom schedule that I defined, one that turns off at 1am and back on at 6am. You do this at System -> Schedule. Here is a screenshot of the definition of an SSID that is assigned to this schedule.

New consumer routers make it easy to pause Internet access for children. You either list the attached devices and kick them off-line one at a time, or you assign all the devices belonging to children to a group and pause that group. The Surf SOHO can not do this, per se, but you can get the same effect by assigning children to their own SSID. Then, you can either schedule the availability of that SSID or manually disable it as needed.

The Ethernet ports on the Surf SOHO have orange and green LEDs which can be very helpful in debugging a connection problem. If something isn't working, the first thing to check is whether, at the Ethernet level, the two devices are talking to each other. The LEDs also indicate the speed the Ethernet port is running at. Fewer and fewer routers seem to offer this. And, the Ethernet ports are metal, not plastic. I also like that the Ethernet ports are dedicated to WAN and LAN use. Many of the latest consumer mesh Wi-Fi router systems have Ethernet ports that determine for themselves whether they are on the LAN or WAN side of things. I don't know how that works, but it strikes me as an accident waiting to happen.

Many of the new consumer mesh router systems support Bluetooth, which opens a whole new can of worms when it comes to security. Those that I looked into fail to document exactly what Bluetooth is used for and I have not seen one that lets you disable Bluetooth. The Surf SOHO does not do Bluetooth.

Some IP addresses are reserved for internal use only. The most famous are those that start with 192.168. Others start with 10 and 172.16. These reserved IP addresses are not allowed on the real Internet, so you might think that requests for them would not be allowed out of the Surf SOHO. But, Peplink allows it because their routers are used in very complicated networks, the configuration of which is beyond me.

In a simple environment, with a single Peplink router directly connected to a modem, we can prevent communication out to any of these normally private IP addresses with a firewall rule. Specifically, in firmware 7.0.2, go to Advanced -> Access Rules (in the Firewall section) -> Outbound Firewall Rules. Create three rules where the Protocol is any, the source IP and Port is Any Address, the Action is Deny and for Destination IP and Port, choose Network. The three different networks would be: IP: 10.0.0.0 Mask 255.0.0.0 (/8), IP: 172.16.0.0 Mask 255.240.0.0 (/12) and IP: 192.168.0.0 Mask 255.255.0.0 (/16). Here is a screen shot of this. To know if these rules are ever invoked, you can enable Event Logging.

The one exception might be if you want to access the modem via the ever popular IP address 192.168.100.1. To allow this, create a firewall rule that sits above these three (they are evaluated top down). This is shown in the screen shot. I blogged about this in Feb. 2015: Talk to your modem and Using a router to block a modem.
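Since the rules are evaluated top down, the position of the modem exception decides whether it ever fires. The model below is an added example, not Peplink code: Rule, evaluate() and shadowed() are assumed names that mirror the page's description of the three Deny rules and the one Allow rule, and the "Allow when nothing matches" default is an assumption too.

```python
"""Model the outbound firewall rules described above: evaluated top down,
first match wins. Added example, not Peplink code; Rule/evaluate/shadowed
are assumed names and the default Allow when nothing matches is an
assumption that mirrors the page's description."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # "Allow" or "Deny"
    destination: IPv4Network   # the "Network" destination; a /32 is one host

    def matches(self, dst: IPv4Address) -> bool:
        return dst in self.destination


def evaluate(rules: list[Rule], dst: str) -> tuple[str, str]:
    """Return (action, rule name) for the first rule matching dst, or
    ("Allow", "default") when no rule matches. Protocol and source are
    'any' in all of the page's rules, so only the destination is checked."""
    ip = IPv4Address(dst)
    for rule in rules:
        if rule.matches(ip):
            return rule.action, rule.name
    return "Allow", "default"


def shadowed(rules: list[Rule]) -> list[str]:
    """Names of rules that can never fire because an earlier rule already
    covers their whole destination network: the classic ordering mistake."""
    unreachable = []
    for i, rule in enumerate(rules):
        if any(rule.destination.subnet_of(earlier.destination) for earlier in rules[:i]):
            unreachable.append(rule.name)
    return unreachable


# The three Deny rules from the page: any protocol, any source, destination Network
PRIVATE_DENY = [
    Rule("deny-10/8", "Deny", IPv4Network("10.0.0.0/255.0.0.0")),
    Rule("deny-172.16/12", "Deny", IPv4Network("172.16.0.0/255.240.0.0")),
    Rule("deny-192.168/16", "Deny", IPv4Network("192.168.0.0/255.255.0.0")),
]
# The one exception: the modem at 192.168.100.1
MODEM_ALLOW = Rule("allow-modem", "Allow", IPv4Network("192.168.100.1/32"))

CORRECT_ORDER = [MODEM_ALLOW] + PRIVATE_DENY   # exception sits above the denies
WRONG_ORDER = PRIVATE_DENY + [MODEM_ALLOW]     # exception below: never reached

if __name__ == "__main__":
    for dst in ("192.168.100.1", "192.168.1.50", "10.22.22.2", "8.8.8.8"):
        print(dst, "->", evaluate(CORRECT_ORDER, dst), "| wrong order:", evaluate(WRONG_ORDER, dst))
    print("shadowed in wrong order:", shadowed(WRONG_ORDER))
```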

Like all router vendors, Peplink also offers a smartphone app and a cloud service. The smartphone app is relatively new and not nearly as full-featured as the web interface. Their cloud service, InControl2, has a nifty feature: remote access to the web interface. If you are willing to use a cloud service (I am hesitant) this means you no longer need to deal with Dynamic DNS for access to a router whose IP address may change at any time.

NOTE: The Pepwave Surf SOHO is not the same as the Pepwave Surf On-The-Go (SOTG). They are quite different. The Surf On-The-Go is a small travel router with a single Ethernet port. It's also much cheaper. I own the Surf On-The-Go and would not recommend it. I have traveled with it and it worked just fine. But the software/firmware it runs is very different from the mainline Peplink software. Different, and to me at least, worse.

Another benefit of Peplink routers is debugging. There are two features that aid the company in solving a problem. The first is a Diagnostic Report that you can generate. The router will download a small diagnostic file (about 200K) that you can attach to a problem ticket when requesting technical support. What a great system. If Peplink needs to look at your router to debug a problem, you don't need to give them a password, the router has a built in Remote Assistance feature. Needless to say, it is off by default.

I once upgraded an old Surf SOHO (hardware version 1) with a new one (hardware version 2). I backed up the configuration settings from the old one to a file (many routers do this) and imported the file to the new router. It worked fine. Both routers were running the same firmware version.

The supported DDNS providers are: dyndns.org, changeip.com, no-ip.org, tzo.com and DNS-O-MATIC. There is also an option for other providers using a custom URL, but others must support the DYN API. I tried to use dynu.com and it failed.

The Peplink cloud system for managing their products is called InControl2. It is totally optional and can be disabled at any time. A new Surf SOHO includes a one year warranty and a one year subscription to InControl2. Any Peplink device under warranty includes access via InControl2. After the first year you can extend access just to InControl2, without extending the warranty, for $29 for 1 year (SKU ICS-012) or $49 for 2 years (SKU ICS-024). While the Surf SOHO is under warranty, you can extend the warranty. Not all Peplink devices allow InControl2 without being under warranty. Those that do: Balance One and Core, Balance 20, 30, 50, MAX BR Series, MAX On-The-Go, AP One Series, AP Pro, FusionHub Essential and FusionHub Pro.

Back in 2014, a hacker found a flaw in Peplink software. It became news in November 2016 when the details were presented at a security conference. According to Lucian Constantin of PC World, the hacker "was impressed with how Peplink responded to his report and how the company handled the vulnerability." That's what you want in a router vendor. A Motherboard article by Andrada Fiscutean said basically the same thing:

The hacker notified Peplink. He was amazed by how fast they replied to his email, and how dedicated they were to patching the flaw. "[We] worked directly with Amihai so that we could release a fix as quickly as possible," Eric Wong, evangelist at Peplink, said. The patch was soon available. Their commitment to security made the hacker trust them. At home, Neiderman is using a Peplink router, the one the company gave him as a thank you for notifying them.

And, the flaw was only exploitable because the Peplink routers were miserably deployed. Whoever was in charge made at least three security mistakes configuring the routers.

FYI: From the Peplink Forum: "Peplink rocks! Total satisfaction" (July 22, 2017).

The Peplink announcements page includes security advisories.

Here is my one concession to everyone's interest in Wi-Fi speed. On a net connection that peaks at 108Mbps, I can get 40Mbps from a Surf SOHO version 2 on the 2.4GHz band with a standard 20MHz wide channel. A Surf SOHO v3 (MK3), running Wi-Fi ac on the 5GHz band, with a narrow 20MHz channel, tested at 62Mbps. With a wider channel, and a device that supports the wider channel, speed on the 5GHz band would increase. Many speed tests are done with two LAN side devices, these were done with the Speedtest.net Android app from the Internet. Your mileage will vary. Heck, my mileage varies.

Closest Competition

So far, I have been happy with Peplink and thus have not needed to experiment with other vendors. That said, reasonably priced hardware running professional grade firmware is also available from Ubiquiti. I say that based on what I have read, I have no personal experience with Ubiquiti branded devices. I have used the consumer AmpliFi division of Ubiquiti and was not impressed. To me, a big drawback to the Ubiquiti system is that some features require their Java based server software to be running 24x7, somewhere other than on their routers and access points.

Perhaps the most obvious alternative to Peplink is pfSense. I have not used pfSense but it is far more functional than the Surf SOHO and that is likely to mean the software is beyond the ability of non-techies to deal with. In contrast, I feel that the Surf SOHO user interface is no harder to deal with than the web interface of any consumer router. Buying a box with pfSense pre-installed is also much more expensive. The bottom-of-the-line SG-1000 is $150 with a single Ethernet LAN port and no Wi-Fi. Stepping up to the SG-3100 gets you 4 LAN ports, plus an Ethernet port that can either be used for dual WAN or as a LAN port. But, it costs $350 and also has no Wi-Fi. Professional tech support for pfSense is $590/year.

The two Synology routers, the newer RT2600ac and the older RT1900ac, are also on my short list. Again, I have no personal experience with them. They beat the Surf SOHO in that they self-update their firmware, they can function as VPN clients and they do LAN side file sharing. On the flip side, they support WPS and the Ethernet ports are cheap plastic, rather than metal, and they don't have LED indicator lights. I do not know if they do a good job of firmware updating. The company brags that its user interface is "incredibly intuitive even for non-techy people" and the routers have many advanced features. As of mid-September 2017, the newer model cost about $210 and the older one is roughly $123. A couple NewEgg reviews said tech support is bad. The ratings at Amazon.com are not great.

A few years back, I would have also included Ruckus Wireless, but I think they are now limited to producing access points. They used to produce reasonably priced routers, I had one.

Buying the Surf SOHO

The Surf SOHO is a bottom of the line Peplink product. Perhaps that's why it's sold under the Pepwave name. Peplink has an online store on their website but they only sell their more expensive routers. The cheaper stuff is sold by a small number of Peplink partners. Of these partners, the only one I have used is 3G Store.

In 2013, when I purchased my first Surf SOHO, it was hardware version 1 and it cost $130 without external antennas.

Hardware version 2 was initially available for $159 without external antennas, but that didn't last. By and large it was $179 with external antennas.

When released, hardware version 3 (the current MK3 edition) was initially $180 (give or take). That didn't last long; it soon went up to $200 with external antennas.

An unboxing video of the new model, and a review, is available from RV Mobile Internet. They like it for "great support for tethering cellular modems and hotspots over USB."

AVAILABILITY HISTORY
Initially hardware version 3 was to have been available at the end of September 2016.
In early Oct. 2016, it was expected at either the end of October or early November.
In the US, it became available sometime in late November 2016.
November 22, 2016: 3Gstore wrote that The New Pepwave Surf SOHO MK3 Has Arrived!
Early January 2017: Out of stock at Amazon, 3G store and FrontierUS.
January 12, 2017: It is in stock at 3G Store.
January 20, 2017: It is in stock at Amazon
February 15, 2017: It is available for $199 at both 3G Store and Amazon but out of stock at Frontier

October 1, 2017: Amazon was selling it for $159 without external antennas. Be warned, however, that the MK3 version takes 3 antennas and Amazon suggests bundling the router with a package of only two antennas. At 3G Store it is still $199 with three antennas included. If you know enough about antennas to pick your own, you can save money at Amazon. If not, the safer bet is to buy from 3G Store with known good antennas. And, 3G Store offers tech support that Amazon does not. It is also $199 at Frontier but it is not clear if this includes the antennas or not.

November 15, 2017: Amazon is now selling it for $199 without antennas. And, their product description has multiple mistakes, for example, it says there are two antenna ports. The 3G Store price is a relative bargain, as it is also $199 but includes antennas.

More Horsepower

If you need more horsepower than the Surf SOHO offers and want a single device with built-in Wi-Fi, then go for the Balance One (roughly $500). That said, you are probably better off with a non-Wi-Fi router and one or more Access Points. As noted earlier, Peplink access points start at $130. All the routers in the Balance line can act as access point controllers; the Surf SOHO can not. As far as I can tell, the cheapest Balance routers are the Balance 20 (roughly $300) and the Balance One Core (roughly $400). The lower end Balance routers support 10 access points.

The Balance 20 has been $299 for the last four years. It is sold at 3G Store and Amazon. The Balance One Core is normally $399 at both Amazon and 3G Store. In mid-November 2016, it was only $341 at Amazon. The Balance One (with built-in Wi-Fi) is normally $499 at both Amazon and 3G Store. In mid-November 2016, it was only $439 at Amazon.

One reason to upgrade would be speed. As noted earlier, the Surf SOHO MK3 (hardware version 3) is rated at 120Mbps by Peplink. The two Balance One models conservatively support speeds up to 600Mbps and may well go up to a gigabit. The Balance 20 is an old model; it is rated for 150Mbps.

If you are after reliability, all the Balance routers support concurrent multi-WAN connections with 7 different load balancing algorithms. The Surf SOHO only allows for fallback to a secondary ISP if the primary one fails. From years of personal experience, I can attest that Peplink routers are great at handling concurrent Ethernet-based WAN connections.

Peplink WAN connections can either be Ethernet or wireless via an antenna plugged into the USB port on the router, talking to a 3G/4G/LTE network. If you don't have a mobile device with a USB interface, smartphones running Android v4.x and later can be tethered to the USB port to provide LTE Internet access. Peplink touts this for failover on the Balance Ones but that is selling themselves short. The 3G/4G/LTE connection can also be used concurrently with a wired WAN connection, load balanced together.

Both Balance One models come with 8 LAN ports which can be an advantage to anyone interested in segregating LAN ports into VLANs - a really nifty security option. The older Balance 20 has 4 LAN ports.

Note that the Wi-Fi on the Balance One is limited. While it does support simultaneous dual-band, it does not support the latest AC flavor of Wi-Fi. It also does not support external antennas, which the Surf SOHO does. As of Jan. 2016 it was limited to creating the same three SSIDs as the Surf SOHO. In response to a Forum question on this, Peplink said that they were planning on upping this to 16 SSIDs. Another limitation is that it does not support Wi-Fi as WAN, the ability to use a Wi-Fi connection as input rather than output. I have used this with a Surf SOHO, when the main ISP suffered a day-long outage. I turned on the hotspot feature in a smartphone and used the Wi-Fi coming out of the smartphone as input to the Surf SOHO. Worked like a charm.

This page was last updated: November 15, 2017 10PM CT     
Created: June 3, 2015
Website by Michael Horowitz      
Feedback: routers __at__ michaelhorowitz dot com  
Copyright 2015 - 2017