A couple questions on some "newer" features on Surf SOHO Mk3

Hello all, it’s been a while. I first came here under another account about 3 years ago, but for lots of weird reasons I can’t find my old account info at the moment. Anyway!

Last time I was here I was in a state of crisis as I had just been hacked, and I really had no technical understanding of routers. Now I am helping someone in the same situation, but I just needed some assistance understanding some changes in the web admin.

  1. I am not familiar with frame protection, the option in wireless setup. My searching seems to indicate that it is pretty new on the scene. I would like frames to be protected, I suppose, why wouldn’t I? … what’s the catch? Should I tick this option on my wi-fi vlans?

  2. There are now firewall options per network on each wifi network's page, on that little pulldown menu at the bottom. I assume that it defaults as disabled because it applies general access rules as defined by default. Is this a way to make it easier to, say, make a kid’s wifi or have more granular control over each firewall? I didn’t see where I could define these network-specific details, am I blind?

I have on my list of things to do to research the management frame protection feature.
You can access additional settings by clicking on the blue question mark icon and then clicking the link to show advanced settings. You can then turn on Layer 2 isolation to keep devices connected to the SSID from seeing each other. You can use the VLAN feature to group devices into a virtual network and then disable inter-VLAN routing to keep them from seeing or connecting to devices in a different VLAN. Doing both of those things is useful for making a Guest network, a kids network, or an IoT network.

thank you for your reply. Yes I found the VLAN isolation shortly after writing this, the next step will be more granular access rules.
It’s very hard to get families with kids to do security stuff differently, I don’t blame them, life is intense, but slow adaptation of better tech practices is frustrating when a persistent threat is trying to get into a network.

I will leave frame management alone until there’s more out there to read about.

As I see the MFP feature (Management Frame Protection), this would be to prevent spoofed management frames from being sent. This would be negotiated, since both the client and the AP should support this feature (802.11w standard). If someone from Peplink could confirm this is the standard that they implemented here, then we can get confirmation on that. Trying this feature could cause problems with devices that don’t support this feature, since they might not handle the information inside the beacons correctly. Trial and error, I guess.

Yikes. That’s a really great and important feature to leave to trial and error. If someone has the time to deploy their Wireshark mastery and figure out some things, I’m sure the world would thank you.

I’ve been reading a lot about various wifi attacks and frame authentication would be a desirable security option, hopefully more will be available about this feature soon.

Hi, I’m testing the PMF 802.11w feature for the SURF SOHO MK3 with the latest 8.0.2 firmware.

Page 71 of the owner’s manual states:

“Management Frame Protection
This feature protects stations against forged management frames spoofed from other devices. Frames that are protected include Disassociation, Deauthentication and QoS Action.”

I can’t enable either the “optional or required” settings of this feature for some reason / the setting doesn’t save. Disabled seems to work fine. I am attempting to enable it on an AC network on a VLAN on WPA2. Do I need WPA2 enterprise for this?

What am I missing?
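
Added example, not part of the thread and not Peplink code: the 802.11w negotiation discussed above is advertised in the RSN element (ID 48) of an AP's beacons, where the RSN Capabilities field carries the MFPC (capable) and MFPR (required) bits. This Python sketch decodes a raw RSN element, such as one copied out of a Wireshark capture, and reports the advertised state. The function name, the constructed sample bytes, and the mapping of the two bits onto the "optional"/"required" labels in the router UI are assumptions.

```python
import struct

MFPR = 0x0040  # RSN Capabilities bit 6: Management Frame Protection Required
MFPC = 0x0080  # RSN Capabilities bit 7: Management Frame Protection Capable
AKM = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}

def parse_rsn_mfp(ie: bytes) -> dict:
    """Decode AKM suites and MFP state from a raw RSN element (ID 48)."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) - 2 < ie[1]:
        raise ValueError("not a complete RSN element")
    body, pos = ie[2:2 + ie[1]], 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("RSN element ends inside a field")
        pos += n
        return body[pos - n:pos]

    def u16() -> int:
        return struct.unpack("<H", take(2))[0]

    version = u16()
    take(4)                      # group data cipher suite
    take(4 * u16())              # pairwise cipher suite list
    akms = []
    for _ in range(u16()):       # AKM suite list: 3-byte OUI + 1-byte type
        suite = take(4)
        known = suite[:3] == b"\x00\x0f\xac"
        akms.append(AKM.get(suite[3], f"type {suite[3]}") if known else "vendor")
    caps = u16() if pos < len(body) else 0   # capabilities may be omitted
    if caps & MFPR and not caps & MFPC:
        mfp = "invalid"          # MFPR without MFPC is not a valid combination
    elif caps & MFPR:
        mfp = "required"
    elif caps & MFPC:
        mfp = "optional"
    else:
        mfp = "disabled"
    return {"version": version, "akms": akms, "caps": caps, "mfp": mfp}

# Constructed sample elements (not captured from any device).
HEAD = "0100 000fac04 0100 000fac04"          # version 1, CCMP group/pairwise
DISABLED = bytes.fromhex("3014" + HEAD + "0100 000fac02 0000")
OPTIONAL = bytes.fromhex("3018" + HEAD + "0200 000fac02 000fac06 8000")
REQUIRED = bytes.fromhex("3014" + HEAD + "0100 000fac06 c000")

if __name__ == "__main__":
    for name, ie in (("disabled", DISABLED), ("optional", OPTIONAL), ("required", REQUIRED)):
        print(name, parse_rsn_mfp(ie))
```

Comparing the decoded state of a beacon before and after changing the setting shows whether the AP is actually advertising MFP, independent of what the admin page displays.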