A couple questions on some "newer" features on Surf SOHO Mk3

Hello all, it’s been a while. I first came here under another account about 3 years ago, but for lots of weird reasons I can’t find my old account info at the moment. Anyway!

Last time I was here I was in a state of crisis as I had just been hacked, and I really had no technical understanding of routers. Now I am helping someone in the same situation, but I just needed some assistance understanding some changes in the web admin.

1. I am not familiar with frame protection, the option in wireless setup. My searching seems to indicate that it is pretty new on the scene. I would like frames to be protected, I suppose, why wouldn’t I? … what’s the catch? Should I tick this option on my wi-fi vlans?

2. There is now firewall options per network on each wifi networks page on that little pulldown menu at the bottom. I assume that it defaults as disabled because it applies general access rules as defined by default. Is this a way to make it easier to, say, make a kid’s wifi or have more granular control over each firewall? I didn’t see where I could define these network-specific details, am I blind?

mfd_fwalls913×657 39.9 KB

I have on my list of things to do to research the management frame protection feature.
You can access additional settings by clicking on the blue question mark icon and then clicking the link to show advanced settings. You can then turn on Layer 2 isolation to keep devices connected to the SSID from seeing each other. You can use the VLAN feature to group devices into a virtual network and then disable inter-VLAN routing to keep them from seeing or connecting to devices in a different VLAN. Doing both of those things is useful for making a Guest network, a kids network, or an IoT network.

thank you for your reply. Yes I found the VLAN isolation shortly after writing this, the next step will be more granular access rules.
It’s very hard to get families with kids to do security stuff differently, I don’t blame them, life is intense, but slow adaptation of better tech practices is frustrating when a persistent threat is trying to get into a network.

I will leave frame management alone until there’s more out there to read about.

As I see the MFP feature (Management Frame Protection) This would be to prevent from getting spoofed management frames send. This would be negotiated since both the client and the AP should support this feature. (802.11w standard). If someone from peplink could confirm this is the standard that they implemented here then we can get a confirm on that. Trying this feature could cause problems with devices that don’t support this feature since they might not handle the information inside the beacons correctly. Trial and error I guess.

Yikes. That’s a really great and important feature to leave to trial and error. If someone has the time to deploy their Wireshark mastery and figure out some things, I’m sure the world would thank you.

I’ve been reading a lot about various wifi attacks and frame authentication would be a desirable security option, hopefully more will be available about this feature soon.

Hi I’m testing the PMF 802.11w feature for the SURF SOHO MK3 with the latest 8.0.2 firmware.

Page 71 of the owners manual states:

“Management Frame Protection
This feature protects stations against forged management frames spoofed from other devices. Frames that are protected include Disassociation, Deauthentication and QoS Action.”

I can’t enable either the “optional or required” settings of this feature for some reason / the setting doesn’t save. Disabled seems to work fine. I am attempting to enable it on an AC network on a VLAN on WPA2. Do I need WPA2 enterprise for this?

What am I missing?

Hi Windward, Home user here (SURF MK3, latest firmware).

1. Management Frame Protection doesn’t work yet.

2. To make a kids network you would want to go to Advanced, Firewall, Content Blocking and start testing from there. This affects all clients / networks so you would have to add “exempted subnets” for clients that get full access. Basically make some VLANs for different clients and then exempt the ones that get full access.

You can assign VLANs to wireless networks on their configuration page (AP, Wireless SSID) as well as the ethernet ports for wired computers, Network, Port Settings, VLAN.

The IP addresses you assign to the VLANs are the ones that you would exempt for clients that get full access if I am to understand this correctly. It seems like it would be easier if they just let you assign a VLAN to be subject to content blocking from a drop down list of available VLANs or if you could just click on clients from the client list and add them to the content blocking - but you can’t. You can however click on clients from the client list add them to the DHCP reservation and copy that IP address and paste it to the exempted subnets under content blocking. That might work. If anyone tests this please let us know.

I have tested content blocking but I have not tested exempted subnet’s - I am a home user just trying to help out so YMMV. You can also check YOUTUBE to see if anyone has made a tutorial. Or if anyone can correct me please do.

3. Keeping WIFI hackers out is best accomplished through the use of large complex passwords. I generally use 30-40 digit alpha/numeric/symbolic passwords = 95^40 = 1.28 x 10^79 = very high security. My secret is I basically just randomly mash the keyboard (I’m really good at this) to create a new random password for the SURF (AP, Wireless Settings) and save.

After the SURF finishes saving, open that SSID, deselect “hide password” and then type your newly minted password into the wireless device. My method eliminates having to write down or memorize passwords. It’s also faster as I can just bash out 30-40 digit passwords effortlessly. Change your passwords often (once a month or whatever). Again my method is so easy I can do it weekly or even daily. You cannot use " or ’ in your password. No one in my home enters their own WiFi passwords - I do it for them. That way I don’t have to compromise security for easy to remember passwords for family members nor are they written down anywhere /easy to find.

Before committing to a 40 digit / difficult to enter password - try a smaller easier one just to verify the client can see and connect to the WiFi network first - punching in 40 digit passwords and failing to connect gets old fast and wastes a lot of time.

In theory you could even text message or email the password to the user and they could cut and paste it into their device - although you are sharing the password across text SMS / email if that doesn’t matter to you.

4. If you find client devices are getting locked out a lot for no apparent reason then you are probably getting deauth’ed (google it). You can use KISMET security software to verify if that is happening. Deauth is just a denial of service - they are not breaking into the wireless. Deauth’ing is used however to try and get the 4 way handshake to attempt to crack the password - but at 1.28 x 10^79 possibilities good luck. It should only take a few quadrillion quadrillion quadrillion millenia (half a google approximately) to crack at the time of this writing.

Also you could switch to using 5Ghz AC networks and use a low transmit power setting. 5Ghz doesn’t travel as far as 2.4Ghz through obstructions etc. - so to sniff your traffic the attackers would have to almost be right on your property making them easy to spot. Also most deauth tools (up until fairly recently) are 2.4Ghz a/b/g/n only.

I had this exact problem so I also took the additional step of making multiple hidden networks and multiple VLANS to isolate clients from the attacks. If one VLAN / client network gets attacked it doesn’t affect the others because each device gets their own network. Because they are all hidden its more difficult to figure out which one to deauth etc… Not impossible, just more difficult and more risky. Again the SURF is hilarious because you can make up to 15 x 5 Ghz networks. I have never had such a great router before.

Isolating networks also simplifies reconnecting the affected client since only the affected device needs a new password. The script kiddies/ bad neighbor can still deauth 5Ghz (until they get caught and criminally charged) but its a lot harder / requires better equipment / more close proximity recon = higher risk etc… Its a lot of work (?) and risk to take for something that could land them in jail and it literally only takes me 500 milliseconds to bash out a new 30-40 digit random password and copy and paste a text. This is why I love the SURF. Its made this process quick and easy and put me back in control.

When Management Frame Protection is available it will help reduce or eliminate deauthing - until the next wave of “security tools” comes out. I wish Management Frame Protection came out 5-10 years ago to be honest but at that time many consumer client devices didn’t support it.

Please bear in mind I am not an IT guy so if anyone here can point us in the right direction it would be much appreciated.

Have a great day!

Regarding wifi passwords:

I use Bitwarden password manager and generate my passwords using it. Its a great tool.

https://bitwarden.com/

For my guest network, I generated a QR code for my guests to scan in order to access the network. Most of not all smartphones can connect to wifi using their native camera to scan a QR code. Works great.

I didn’t use an online QR code scanner. Don’t trust them. I used a command line Linux program to generate it called QREncode.

https://thelinuxexperiment.com/share-your-wifi-info-via-qr-code

What a great idea! I installed qrencode up this morning and it works great. (I think the developer or some of the reviewers might have mentioned that the resulting QR image is automatically placed in the home folder under wifi.png or whatever you name it) but that’s a quibble. I passed it the “-s 10” flag for a bigger image.

For some reason I’m unable to attach the image to the appropriate Bitwarden wifi password entry, however. Maybe it doesn’t like images. Still, I can photograph it and display it to guests when they arrive. That allows me to use more complex passwords than I’ve been willing to subject guests to, so this is a big step forward.

I haven’t tried more than the three networks the documentation says are available. Can we go to 15 now, or am I misunderstanding?

I tested 15 x 5Ghz and 7 x 2.4Ghz Wireless SSID’s on my SURF MK3 on 8.0.2 build 1480. If you have one of the earlier models this may not be the case. The MK3 has 3 antennas.

….and you can make 15-16 subnets and assign them to VLANs - so you could give each WiFi network its own VLAN…

Network>Network Settings>New LAN

Even if one of my WiFi passwords got cracked (good luck 1.28 x 10^79) this would only be one network and I change them all the time.

Mine’s a MK3 using build 1480, and I just added a third VLAN - I had read you couldn’t have more than three networks (which I assumed meant one main LAN and two VLANs) so I never tried to set up anymore than that.

Is there a technical difference between a LAN and a VLAN? Can I set up another LAN, non-VLAN?

Hi. I think your answer may be found in the first two paragraphs – https://en.wikipedia.org/wiki/Virtual_LAN
Also … https://www.lifewire.com/virtual-local-area-network-817357

Well, partly. The wiki article seems to indicate that there’s only one LAN and tags logically create the VLANs, but the Lifewire says a VLAN can be made up of more than one LAN, so I still don’t know.

Hi. The specs for the SOHO, https://www.peplink.com/products/pepwave-surf-soho-specs/, don’t answer this question and it’s been a few months since we touched a SOHO. But we have one in storage here and I can break it out tomorrow and test if you don’t have an answer by then. I am quite certain several LAN segments can be created and of those a number of them can be assigned to VLANs. I can easily furnish you a screen shot of a SOHO properly config’d with one untagged LAN and one VLAN but I think you want to do more than that.

Just curious – can you provide some info in your use case which would require several subnets on a SOHO?

Rick,

My use case is trivial and not worth your breaking out an old router. I already have a “main” LAN and three VLANs configured, so thank you, but I won’t need that either, though I appreciate the offer.

I noted my problem in a recent post. I have my home network segmented into Main, Guest VLAN and IoT VLAN, plus one more VLAN as of today for testing purposes. The problem is that I cannot run Apple AirPlay with music from a VLAN, only the Main LAN, and I don’t want to put my iPhone or computer on the IoT VLAN. Again, this is trivial, and I have work-arounds.

My question of adding a new non-VLAN LAN was to see if I could trick Airplay into playing on the possible new LAN, but I’d still have to put my iPhone on the same network, so it’s not something it’s useful to pursue.

Again, thanks.