Bitdefender Box 2

So now the Bitdefender Box 2 (“BDB2”) has arrived, and I am wondering: is it compatible with the Pepwave Surf Soho router? My understanding is that the BDB2 device typically requires the ability to turn the main router into “bridge” mode /or drop-in mode as Peplink refers to it.

But am I correct in understanding that the Pepwave Surf Soho router lacks drop-in-mode capability? If so, that suggests it is not compatible with the BDB2, yes? Is there any experience with using the Bitdefender Box (either first or second generation) with any Pepwave Surf Soho routers or other Peplink routers?

The Surf SOHO supports WAN IP passthrough since firmware 7.0.2.
I am not familiar with the Bitdefender Box but this might be the feature you are looking for?

Hmmm, I’m not sure. Unfortunately I’m a newbie to much of this technology, not a techie, and only slowly learning about routers and networks and such, so please forgive me if I’m misusing the concepts/language.

My understanding is that the Bitdefender Box 2 puts itself between the router and the modem, and to work needs to take over DHCP functions. With standard commercial routers, they tell you to place your router in “Bridge” or “AP” mode in order to do that (apparently a bit more than simply disabling the DHCP function). Their tech support was not familiar with Peplink/Pepwave routers, but in looking at the web site indicated “The Drop-In mode (as they call the Bridge Mode) is supported by models 210 and up.”

So I guess if the “WAN IP passthrough” is the same thing as the Drop-In mode supported by models 210 and up, it may work. Do you happen to know if it is?

I greatly appreciate your response by the way. Thanks.

Bridge mode and WAN IP passthrough are not quite the same, in general bridge mode disables the built-in wireless router/DHCP assignment in routers so that it’s only passing traffic, whereas IP Passthrough will retain other functionality of the router (including the DHCP server).
WAN IP passthrough is the closest thing to bridge mode available on the Surf Soho.

If you also need to turn off the DHCP server you can do this in Network > LAN settings on your Surf Soho.
Which is also mentioned on the Bitdefender website: https://www.bitdefender.com/support/peplink-balance-router-1405.html

Bitdefender Box 2 Can just sit inline with whatever routers you have. So if you have an ISP router (ie a fiber or cable router) you can just plug the BDB2 into that and then plug your Soho into the lan port of the BDB2),

My ISP allows me to own my own modem and my own router. I am told from Bitdefender support that the link you provided on turning off the peplink DCHP was with respect to Bitdefender Box 1 (version one). The Bitdefender Box 2 (“BDB2”), I’m told, may or may not function with “disable DCHP” mode and any given router; they can’t make any promises. For full functionality, they are telling me that attaching the BDB2 between a modem and a router that is capable of full “bridge” mode works best.

I would note that setting up a BDB2 even in “disable DCHP” mode can eliminate certain functions in the router. For example, even if I were to get a Pepwave Surf SOHO to work with BDB2 by disabling the DCHP function, I would no longer be able to create isolated VLANs for guests etc. That would also be true even if Pepwave supported a bridge function.

All of this has me wishing I had a better understanding of what is happening in the “big picture” when one uses a device like the BDB2. For example, can anyone explain the practical differences between “bridge mode” and “disable DCHP?” I am assuming that putting a router into bridge mode essentially turns it into a modem, practically speaking, resulting in all the functions of a router – firewall, firmware resistance to hacks, etc. – being then placed on shoulders of the BDB2? [I understand that traffic goes through the BDB2, and it then sends it to the router’s wifi functions to create a wifi network]. If that’s the case, then it would seem I would be depending on Bitdefender’s firmware/software to protect me from hacks, and lose whatever benefits come with a firmware’s router (such as the firmware used by Pepwave). Does that make sense?

I’m also wondering from a “big picture” view what is gained by using a device like the BDB2 to look at network traffic and stop certain iOT devices from functioning if they become erratic. That’s useful, though they don’t explain exactly how all of that works. But is there much gained by that? My understanding is that if I skip the BDB2 and use a Pepwave router as a router, I can create an isolated VLAN that’s used only for iOT devices (a VLAN in which the iOT devices can’t access the Pepwave router admin page, the Pepwave router, other devices on that particular VLAN, etc.), then even if an iOT device develops malware and goes haywire it should at least be successfully “locked out” and quarantined from any other devices on that isolated VLAN, as well as quarantined from other VLANs and the router and greater network itself…

I’m sure I may have exhausted your patience, but any thoughts would be appreciated. Regardless, thanks for your previous responses.

OK. I’ve taken a closer look at the BDB2 box (although there isn’t much info out there so keep that in mind). It seems that it is as you suggest and designed to act as the primary wired/wifi router and wants all devices to be connected to it directly. I assume that is so that it can keep an eye on all connected IPs and MAC addresses on your LAN segments and look out for nefarious traffic.That is why their support keep on saying that any additional router needs to be in bridge mode, and by bridge mode they are referring to ‘transparent bridge’ mode ie like what you see when you use a wifi enabled router as an access point. So that type of bridge mode would present wireless clients on the 3rd party wifi router to the wired network segment on the BDB2 as locally connected devices and then the BDB2 would manage and monitor them.

If you were to plug your Soho WAN into the LAN of the BDB2 with out of the box settings, the BDB2 box will only ever see one IP and one MAC address (that of the WAN port of the Soho which has NAT enabled by default). As such some of the BDB2 features would likely still work (like web filtering and blocking known bad URLs etc), but of course other features wouldn’t work (like the parental controls) since as far as the BDB2 is concerned it can only see a single device (the WAN IP & MAC of the SOHO) so can’t identify and manage the individual LAN devices connected to the LAN of your SOHO.

There is a chance that you could set the WAN of the SOHO to IP Forwarding (so no NAT) and connect it to the LAN of the BDB2.With NAT disabled the BDB2 would see individual IPs from behind the SOHO, but for that to work you would need to be able to add a static route to the BDB2 to tell it how to reach devices behind the SOHO (using the WAN IP of the SOHO as the destination) - which looks unlikely and the BDB2 would never see the LAN device MAC addresses which I suspect it would need to do its more advanced stuff…

So I think that the only role the SOHO router can have if you want to use the BDB2 is at the perimeter (on the BDB2’s WAN as the ‘ISP Router’) where you could use it for failover between ISPs (cable / USB 4G etc). Then we get to the question of the big picture… should you combine the BDB2 and the SOHO at all?

Yes I think you could/should. I see the BDB2 as another layer of security you can apply to key services / devices - particularly user devices like smartphones and laptops /PCs that are actively used and likely to be targeted at some point by viruses and phishing attacks. The BDB2 should help prevent that kind of activity and also adds parental controls, safe browsing and device management etc. So if I was going to use the BDB2 at home I would connect all my PCs and laptops and smartphones to it directly (over wifi or wired) and use the app to keep an eye on those devices and their behaviour.

In that setup the SOHO becomes a WAN controller that keeps you connected using multiple WANs if you want, and you can also create local VLANs on the SoHO to secure specific devices that would not be connected to the BDB2. Many IoT sensors connect directly to the cloud and the apps we run on our smartphones don’t connect to the IoT sensors directly but instead to the cloud as well to monitor and manage them. So keeping the IoT devices locked down in their own VLAN on the SOHO and then protecting your user devices behind the BDB2 (which would be in its own VLAN on the SOHO) works as there is no way the IoT devices can route to the BDB2 protected user devices.

You could also still use SSIDs in VLANs on the SOHO for guest wifi which again would be isolated from the VLAN the BDB2 is on which in turn is providing additional protection to those devices behind it.

If you do decide to use the BDB2 do share your experiences with it here - it looks like an interesting product and one that deserves more investigation.

Thanks. I’m now officially in over my head. I’m not sure I am getting much of this right as it is, but a few days ago I am not sure I’d even heard of a WAN or a LAN and certainly nothing of a VLAN. There’s lots of useful info to learn on the internet, and hopefully I won’t end up breaking my computer (or the internet)…

In another day or so, delivery services willing, I will have both a BDB2 and a Pepwave Surf SOHO router (“SOHO”) sitting on my desk. I may first just try swapping in the Pepwave as a replacement for my current Linksys router and seeing if I can get decent coverage/use from the SOHO with my apartment layout.

But if I then try to mix the BDB2 into the mix thereafter, I’m wondering what you mean (in very simplified fashion) when you suggest using the two together. I will have three devices before me: my own modem, the BDB2, and the SOHO. I have no ISP-provided routers/modems. BDB2 setup instructions envision three scenarios (the first of which does not apply to me): 1) one in which there is use of an ISP provided router; 2) one in which there is use of a personally owned router; and 3) one in which the BDB2 will be used as a standalone secure router.

Behind my clouded understanding, I think you are suggesting setting up the BDB2 in scenario 3, so that the BDB2 becomes my main router. I would then plug the SOHO router into the remaining plug on the BDB2?

This is what I’m suggesting. You would initially use the SOHO in the ‘ISP router’ role as far as the BDB2 is concerned.

soho1622×841 126 KB

If you disable WiFI on the SOHO and just use wifi on the BDB2 you’re devices will be protected by the BDB2. Later you can look at more advanced configurations on the SOHO to enable you to segregate your network further using VLANs and you might turn on guest wifi on the SOHO too.

There are loads of resources out there (and SOHO users on here) who can make suggestions about config for the SOHO later.

If you put the BitDefender thingy between the modem and Peplink router, good luck debugging when things to wrong. Seems like a bad idea.

Any device that tries to block iOT devices that are doing unusual network traffic is asking for trouble. First off, how do you tell if the unusual activity is good or bad? Chances are that decision, or monitoring it at least, falls on you. And, if the traffic is bad, then you are catching a malware infection after it has happened. Network isolation via VLANs and disabling UPnP goes a long long way to preventing infections in the first place.

Web filtering and the blocking of bad URLs can be had with DNS servers from Quad9, OpenDNS and others, for free. And, the Surf SOHO can force its configured DNS server to be used all the time by all connected devices, so there is no bypassing the DNS restrictions by technically advanced users.

Agreed which is why my diagram shows the peplink at the edge. Forcing all outbound DNS via Quad 9/OpenDNS is a good idea too. Personally I would stick any IoT/Smart Device on a VLAN off the SOHO so that they can’t get near my user devices attached to the BDB2.

To be fair to the BDB2 its concept is interesting - the parental controls look clever, and the fact they chuck in licensing for their AV as part of the deal makes it quite attractive.

I’ve been keeping my eye on the Fingbox as a way to add passive parental controls and monitoring to devices on my home network. It’s more ‘open’ in the way it works compared to the BDB2 which i prefer. I find it hard to trust in devices where ‘AI’ and ‘intelligent’ device activity blocking happens automagically. Fault finding becomes a mare when settings aren’t black and white and on or off.

I agree, but this means you don’t get any abnormal traffic warnings from the BDB2.

We agree here too. My initial reaction to Fingbox was a good one, but I know too little about it to have a valid opinion, yet.

Hi, I just purchased both a Surf Soho (SS) and a BDB2.
I have been told by Bitdefender to : (1) put the BDB2 box in between the modem and the SS; (2) deactivate DHCP; (3) connect the BDB2 into a LAN port of the SS. This means that no wire is connected to the WAN port of the SS. Everything seems to work correctly. However, there are a few drawbacks. The first one is that I have no access to the SS using 192.168.50.1. It is difficult for me to understand why Peplink doesn’t offer a bridge mode as so many other manufacturers do. I thank in advance Peplink to consider this request. I bet that in the future, many customers will be in the same situation as I am, because the people who purchase the SS do purchase it mainly for security reasons. So it “has” to be compatible with other security devices…

So why keep the SOHO at all? May as well unplug it and put it on the shelf.
BDB2 can be used inline between your ISP router and the WAN of the SOHO. Not sure why you think you need bridge mode? What am I missing?

Thank you very much for your reply. I see that you are an expert that often replies to people within the context of this forum. Technology is far from my field. Your reply is a concern for me. I had a security problem with my former Linksys. I looked on the internet, and found that some people recommended the SS, because they said that it was good for security reasons. I also found that, according to a few sources, the Bitdefender box was good. I didn’t know that they were incompatible. When I called to have help to install the BDB2, this is how they told me to install it. When I read your reaction, I understand that there is something wrong. Maybe I should have kept my very old Linksys that had a bridge mode. I don’t know. This experience is rather disappointing. At this point, I can’t return my SS. I have to observe that this market of “security devices” (like the BDB2) offered by a few large corporations, including Norton, is booming. I am probably not the last purchaser of the SS who wonders at what degree he or she has made a mistake. Maybe Peplink could adapt and offer what seems to be a standard : the bridge mode. I would really be happy to think that I have not made a mistake by purchasing the SS.

Guess I was trying to get to the bottom of was why did you buy the SOHO?

The SOHO is a fantastic little router for power users. It can connect to wired and wifi WANs as well as via a USB dongle. You can manage it remotely using InControl2 and use Peplinks really easy PepVPN for site to site connectivity too. Combined with a free FusionHub Solo virtual appliance, you can encrypt all your internet traffic so your ISP can’t see what you’re doing and to facilitate inbound routing when using multi-wan.

If it was me, I’d still want the SOHO on my perimeter keeping me connected, so I’d treat the SOHO as the ‘ISP router’ in Bitdefenders world, and plug the WAN of the BDB2 into the LAN of the SOHO. Then I would disable the Wifi on the SOHO, plug its WAN into my actual ISP router and use the wifi on the BDB2 box.

The SOHO is not at Access Point that also does routing. Its a router that also acts as a access point. The reason the SOHO doesn’t do bridging is because If you bridge the wifi on the SOHO to its WAN you’re disabling most of the functionality in the SOHO - so whats the point? If you need an access point go buy an access point.

It is a great little router and liked by security consultants for lots of reasons.

I have also head good things about Bitdefender B2,

They are not incompatible.

They assumed you were using it as an access point. Its not (or rather you shouldn’t be as) its a kick ass little router that also does wifi.

Everything you have done here is an upgrade to any installed Linksys - don’t go back. But what were you using the linksys for? Just as an Access point? to extend wifi in your property perhaps?

Don’t be disheartened - this stuff gets complicated fast. You’re doing the right things.

What a weird thing to say. There are tens of thousands of happy SOHO users out there.

Buy a Peplink Access Point and you’ll find bridge mode. Buy a kick ass Peplink router (that by definition needs to route between LAN and WAN) and you’ll find you can bridge its internal WIFI to the LAN (as you’re doing now) but you can not bridge the wifi to the WAN as you shouldn’t want or need to.

If you just wanted a device to act as an access point and planned on relying on the BDB2 for routing via a single ISP connection then you did make a mistake buying a SOHO.

Once you’re plugged up right - with a SOHO you now have one of the industries most secure and capable useful multi-wan routers sitting on the WAN of the BDB2 keeping it safe and providing reliable, manageable, monitored internet connectivity. personally, if that was a mistake I’d made - I’d be pretty happy with it

First, I have to say thanks for the time that you took to write your reply and reassure me to some extent.

I really would like to understand everything that you said. What I understand is that I didn’t make a big mistake, and that, at worse, I have too much equipment for what I need. That is certainly comforting. Just to mention, I have read somewhere that the BDB2 Wifi isn’t a good option, but I will keep your reply for future reference if ever, in the future, I understand better what you wrote (in particular, I don’t know what an access point is).

Maybe Peplink could give specific instructions for the people who are in my situation, or even write a section into their User Guide (that I have read, even if I didn’t understand much).

Thank you again,

J-Pierre

FWIW, I agree with what @MartinLangmaid said – 100%. You might step back a bit and simply set up the SOHO and use as it’s generally intended – as thousands of other users have. Then, if you r-e-a-l-l-y need functionality that is not contained within the SOHO, consider adding another appliance. But, before you take the latter step I’d suggest you very precisely define your objective, determine where the SOHO falls short (if it does at all) and only then, seek an additional hardware solution. (The SOHO is a rather complete solution for a great many applications – without adding “other boxes” and making the set-up unnecessarily complex.)

Speaking only for myself and my firm – not Peplink – I don’t think Peplink is (or should be) in the business of providing elementary training in networking. If, as you say, you don’t know what an access point (AP) is, hmmm, well, some reading may be well advised before spending much more $$ on hardware. Your favorite search engine is your friend.

If you take the approach I’ve suggested you’ll find many folks here who will be more than willing to help you.

Great topic; I am just investigating Bitdefender Box 2 as an addition, but, before shelling out 250 bucks, I’d like to know my scenario will work.

I have a peplink router, (balance 20 I think), and a Surf Soho, with the b20 router acting as a gateway, for a switch connecting to the Ethernet network in the house and the SS router. Connected to the SSr are a couple tablets, my cell, security cameras and some IOT devices. What I want to do is put something like a Bitdefender box 2 in-line between the router and the WiFi access, mainly because IOT devices are notoriously insecure.

Can I set the gateway address on the box 2, so it points to the address of the b20? Do I need to? I assume I would connect the WAN port on the box 2 to a LAN port on the b20 and the other side of the box 2 to the WAN port on the SSr? The other thing is, the SSr allows multiple VLANs, which I use to force the security cameras to the 5mgz channel otherwise they continually cut out, I have a standard configuration for my cell, tablets, etc., and finally the last one for the IOT devices; each has it’s own ssid and password, I like the separation and would like to keep that.

The reason I put the box 2 after the b20 is the speed, most of the reviews I read all said the same thing, it did slow down the traffic, for the WiFi side I don’t care much, maybe the cameras, that remains to be seen, but many of the devices connected on the Ethernet side require speed, these machines all have vpns, firewalls and security software already in place so should be pretty secure.

I am not a networking guy, so if this is totally wrong, be gentle, like they say, “I know just enough to be dangerous.”

Bitdefender support confirmed that this setup should work (and thank you Martin for your thorough analysis and suggestions):

My question to Bitdefender support:
I have a pepwave router configured with 1 Lan and 3 VLans, One of the VLans is dedicated to IoT devices. I would like to plug BOX2 into the VLAN dedicated port for IoT devices and turn off the pepwave’s wireless capability. I would also like to plug an access point located in a distant room that controls additional IoT devices into the BOX2’s output port . Will this configuration work on BOX2?

Answer:
Thank you for contacting Bitdefender BOX support.

Bitdefender BOX 2 can only protect one VLAN and your specified network configuration will work without any issues.

The BOX 2 device will connect into the VLAN from the Pepwave router by using the bottom port and then the top port from BOX will go into the access point.

The required setup for this installation is the following:

Should you require further assistance, please let us know.

Have a nice day!

Best Regards,
Adrian Munteanu

BOX Technical Support Engineer

I will update to confirm functionality should I decide to purchase and install.