Considering the Surf SOHO AC router but have questions


#1

After reviewing the documentation for the Surf SOHO version 3 (AC model), I have a few questions.

  1. Can the router be restricted to only access the router admin pages via a hardwired ethernet connection on the LAN side? I want to restrict it to only accept login from a physically connected PC to an ethernet port so the admin console cannot be accessed via wireless LAN, WAN, or app. I realize it’s very old-school to prefer accessing the router in this manner, but with phishing links and other ways that viruses can get onto devices in my LAN, I’d prefer this, if possible.

  2. Can the app be disabled in the admin console from having access to the router? By disabling InControl Cloud Management, would that also prevent any app access?

  3. How many characters can I use for my admin password and are there any character rules? Some routers only recognize the first 10 or so characters.

  4. If a brute force attack was attempted on the admin console to login to my admin user, how many password guesses are allowed, and what occurs when that number is met?

  5. Does the router support beamforming?


#2

We limit the access to a VLAN. Please find the attached screenshot.

Believe you are referring to Router Utility. You can whitelist the source IP to access Web Admin from WAN. Please find the screenshot below.

32 characters. You may enter any character you wish.

Please use the method I provided in questions 1 and 2.

Just to confirm. Are you referring to this - http://www.pcworld.com/article/2061907/all-about-beamforming-the-faster-wi-fi-you-didnt-know-you-needed.html?


#3

I’ve seen references to VLANs. Can I create one that says it’s ethernet hardwire connected only? I’m a home user with some technical knowledge but little in networking.

Concerning the router utility, if I set the WAN connection access settings to Allow Access from the following IP subnets only (like in your pic) and listed no IP subnets, would that mean no WAN connections were allowed? I would prefer this.

How many password guesses would be allowed in the method from questions 1 and 2? There’s a balance to ensuring I don’t human-error too many times vs knowing it’s a brute force attack.

Yes, that is the beamforming tech I have read about that is an optional part of the AC network standard.

Thanks so much for your patience!


#4

[quote=“abeth, post:3, topic:7626, full:true”]
I’ve seen references to VLANs. Can I create one that says it’s ethernet hardwire connected only? [/quote]
Yes. You can do it at Network > Port Settings.

The provided screenshot just shows where the feature is. In fact, you can’t leave it blank. If Web Admin access from WAN is not allowed, you just need to configure the Web Admin Access to LAN Only.

We don’t limit the password retry at the moment.

This is not supported at the moment. We will look into this in future firmware release.
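
Since the reply above says the admin console has no password-retry limit, the compensating control is to watch the login log yourself. The following is an added example, not part of the thread and not Peplink code: a sliding-window failed-login detector run over constructed sample log lines. The line format (`<ISO timestamp> auth <ok|fail> user=<name> src=<ip>`) is an assumption, since the router's real log format is not shown in the thread; the threshold and window are likewise illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format (the Surf SOHO's real format is not shown in the thread):
#   <ISO timestamp> auth <ok|fail> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: a human who mistypes twice and then logs in from the LAN,
# and a remote source that hammers the admin account.
SAMPLE_LOG = """\
2020-01-01T10:00:01 auth fail user=admin src=192.168.50.20
2020-01-01T10:00:03 auth fail user=admin src=192.168.50.20
2020-01-01T10:00:05 auth ok user=admin src=192.168.50.20
2020-01-01T10:05:00 auth fail user=admin src=203.0.113.9
2020-01-01T10:05:01 auth fail user=admin src=203.0.113.9
2020-01-01T10:05:02 auth fail user=admin src=203.0.113.9
2020-01-01T10:05:03 auth fail user=admin src=203.0.113.9
2020-01-01T10:05:04 auth fail user=admin src=203.0.113.9
2020-01-01T10:05:05 auth fail user=admin src=203.0.113.9
2020-01-01T10:20:00 auth fail user=admin src=203.0.113.9
"""


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per source each time its failures within `window`
    reach `threshold`. A successful login clears that source's history, so
    a few human typos followed by a good login never trip the alarm."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    alerted = set()               # sources already reported for the current burst
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # ignore lines that are not auth events
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        fails = recent[src]
        if m["result"] == "ok":
            fails.clear()
            alerted.discard(src)
            continue
        fails.append(ts)
        while fails and ts - fails[0] > window:
            fails.popleft()       # drop failures older than the window
        if len(fails) >= threshold:
            if src not in alerted:
                alerted.add(src)
                alerts.append({"src": src, "user": m["user"],
                               "count": len(fails), "at": ts.isoformat()})
        else:
            alerted.discard(src)  # burst is over; a new burst may alert again
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"{a['at']} possible brute force on {a['user']} from {a['src']} "
              f"({a['count']} failures)")
```

The window-plus-reset design is what answers the "human error vs brute force" balance asked about above: two or three mistakes followed by a good login never alert, while a sustained run of failures from one source does, and the same source is reported again only after its burst has died down.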


#5

How do I configure the firewall on the router so I’m secure? I’ve always used routers with easy interfaces, but these days, their software is so flimsy that a hacker can drive an 18-wheeler thru it sideways.

Suggestions for the non-techy home user?


#6

If you are looking to protect the LAN users, please configure Default rule as Deny Any Any for Inbound Firewall Rules (Network > Access Rules > Inbound Firewall Rules).

Optional

  1. Configure allowed Outbound Firewall Rules (Network > Access Rules > Outbound Firewall Rules).

  2. Configure Default rule as Deny Any Any for Outbound Firewall Rules (Network > Access Rules > Outbound Firewall Rules).

Hope this helps.


#7

Hi, I’m also considering the Surf SOHO AC Router and I thought I’d just add some further questions to this thread if possible… I do hope that’s OK!?

  • Can anyone (is anyone allowed to) elaborate on whether the firewall in the Surf SOHO AC is built on either Linux iptables or BSDs pf please?

  • Is there a list of CLI commands please? I couldn’t see anything in the manual but I may have been looking in the wrong place.

  • Is it likely to be considered in the future, to allow admin access on the router(s) via the InControl cloud management platform or via the app ONLY? I’m thinking along the lines in which Apple manage their routers (which they are no longer going to update by the way).

  • If I’m lucky enough to get 200Mbps internet through cable, will the Surf SOHO AC Router be able to deal with that please? I think I read somewhere that the throughput on the router is 120Mbps?

  • Can outbound traffic be limited from the firewall? For example, can I allow ONLY ports 80 and 443 on a guest network? Are all clients isolated from each other and unable to communicate?

  • Am I able to define a different network to each of the LAN ports if I desired? For example, I’d like to setup:

192.168.1.0 network on LAN port 1
192.168.2.0 network on LAN port 2
192.168.3.0 network on LAN port 3
192.168.4.0 network on LAN port 4

Finally, can the SSIDs I create be tied to each of the above networks please? Will they be completely segregated by default or will I need to create firewall rules to achieve this?

Thanks for taking the time to look over my questions.


#8

@brill

[quote]Can anyone (is anyone allowed to) elaborate on whether the firewall in the Surf SOHO AC is built on either Linux iptables or BSDs pf please?
Is there a list of CLI commands please? I couldn’t see anything in the manual but I may have been looking in the wrong place.
[/quote]Configuration via CLI is quite limited on our products. Our GUI is meant to be so user-friendly that you don’t even need CLI for doing anything. :wink:

[quote]Is it likely to be considered in the future, to allow admin access on the router(s) via the InControl cloud management platform or via the app ONLY? I’m thinking along the lines in which Apple manage their routers (which they are no longer going to update by the way).
[/quote]“Remote Web Admin” is an available feature on our IC2, which redirects you to the specific device’s login page.

[quote]If I’m lucky enough to get 200Mbps internet through cable, will the Surf SOHO AC Router be able to deal with that please? I think I read somewhere that the throughput on the router is 120Mbps?
[/quote]No. For higher throughput you’ll have to consider using a higher tier model. For 200Mbps Balance One will be your next choice.

[quote]Can outbound traffic be limited from the firewall? For example, can I allow ONLY ports 80 and 443 on a guest network? Are all clients are isolated from each other and unable to communicate?

Am I able to define a different network to each of the LAN ports if I desired? For example, I’d like to setup:
[/quote]You can filter in the firewall based on source subnet.
Port-based VLAN will achieve your requirement for separating the interface into different subnet, while inter-VLAN routing will give you isolation of subnet.

[quote]Finally, can the SSIDs I create be tied to each of the above networks please? Will they be completely segregated by default or will I need to create firewall rules to achieve this?
[/quote]Via VLANs.

I'm not entirely sure how big the environment is in which you're planning to deploy this, but to avoid under-sizing, do note the recommended number of users for the Surf SOHO.
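
To make the two firewall answers in this thread concrete (the Deny Any Any default rule with optional outbound allow rules in #6, and source-subnet filtering across the per-port subnets in #8), here is an added example that is not Peplink's rule engine or configuration syntax: a first-match policy evaluator over the four subnets the question proposes. It assumes 192.168.4.0/24 (LAN port 4) is the guest network, models guest isolation as an explicit deny rule rather than the inter-VLAN routing setting the reply refers to, and uses constructed packets and addresses.

```python
import ipaddress
from dataclasses import dataclass

ANY = None  # wildcard for a rule field


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: object        # ipaddress network, or ANY
    dst: object        # ipaddress network, or ANY
    dport: object      # destination port, or ANY
    note: str = ""


def net(cidr):
    return ipaddress.ip_network(cidr)


# Assumed layout: one subnet per LAN port as in the question; 192.168.4.0/24
# (port 4) is taken to be the guest network.
TRUSTED = [net("192.168.1.0/24"), net("192.168.2.0/24"), net("192.168.3.0/24")]
GUEST = net("192.168.4.0/24")
PRIVATE = net("192.168.0.0/16")   # covers all four subnets, including guest itself

# Inbound (WAN -> LAN): no allow rules at all; everything falls to the default.
INBOUND = []

# Outbound (LAN -> anywhere), first match wins. The inter-subnet deny must sit
# above the 80/443 allows, otherwise a guest could reach a trusted host's web port.
OUTBOUND = [
    Rule("deny", GUEST, PRIVATE, ANY, "guest -> any private subnet"),
    Rule("allow", GUEST, ANY, 80, "guest web"),
    Rule("allow", GUEST, ANY, 443, "guest web"),
    *[Rule("allow", n, ANY, ANY, "trusted subnet unrestricted") for n in TRUSTED],
]

# The same rules with the deny moved below the allows: the ordering mistake.
MISORDERED = [OUTBOUND[1], OUTBOUND[2], OUTBOUND[0], *OUTBOUND[3:]]


def matches(rule, src, dst, dport):
    return ((rule.src is ANY or src in rule.src)
            and (rule.dst is ANY or dst in rule.dst)
            and (rule.dport is ANY or rule.dport == dport))


def evaluate(rules, src, dst, dport, default="deny"):
    """Return (action, note) for a packet: first matching rule wins and
    anything unmatched gets `default`, i.e. the Deny Any Any default rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, src, dst, dport):
            return rule.action, rule.note
    return default, "default rule"


if __name__ == "__main__":
    probes = [
        (INBOUND, "203.0.113.9", "192.168.1.10", 22),      # WAN scan of a LAN host
        (OUTBOUND, "192.168.4.7", "93.184.216.34", 443),   # guest browsing
        (OUTBOUND, "192.168.4.7", "93.184.216.34", 22),    # guest ssh out
        (OUTBOUND, "192.168.4.7", "192.168.1.10", 443),    # guest -> trusted host
        (MISORDERED, "192.168.4.7", "192.168.1.10", 443),  # same, rules misordered
    ]
    for rules, s, d, p in probes:
        print(f"{s} -> {d}:{p}: {evaluate(rules, s, d, p)}")
```

The point the example makes for a non-networking home user is that with a Deny Any Any default, the only traffic that ever passes is what an allow rule above it names, and that the order of those rules is part of the policy: the same set of rules with the guest-to-private deny placed after the port 80/443 allows quietly lets a guest reach a trusted machine's HTTPS port.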


#9

Hi, thanks for coming back to me. The environment is just a small home office, 7 users at the moment (not always here at once) with no more than 5 guests at any one time and even that would be VERY unusual. It’s a real disappointment that the Surf SOHO throughput is limited to only 120Mbps, though I appreciate I can move up to the Balance One.

Do you publish the source code anywhere for your routers? I hope that question does not cause offence!

I’m over in Orlando, Florida later this month and wondering if I can purchase the Balance One whilst over there? Are there any resellers in that State near Sanford Int’l Airport?


#10

I have a question. What is the point of an ac router if the bandwidth is limited just to 120Mbps?

It seems to be a severe limitation of throughput


#11

How about:

  1. 5GHz is far, far less crowded than 2.4GHz.
  2. Often not all communications involve wi-fi. (Indeed, we have a couple of installations where wi-fi is disabled.)
  3. Often not all communications involve a WAN (e.g. client-to-client, Ethernet client to Ethernet-connected back-up server, etc.)

Frankly, I don’t find Peplink’s approach to be unreasonable at all. Fortunately, Peplink seems to have adopted a strategy where you pay more – you get more. You can start with, say, a SOHO or Balance 20, and as one’s needs become greater one can move up the scale in capability, complexity – and price. Logical, I think. The basic heuristics learned in working with the Peplink devices at the lower end of the product spectrum carry over nicely to the “bigger” models.