[FAQ] Prevent Device Reaching InControl 2 (a.k.a. Firewall with expert option to block the system traffic)

### Background:
This is a workaround derived from the discussions in this forum thread, for those who want an additional countermeasure to prevent a Peplink device from contacting InControl 2 (IC2).
### Workaround:
Currently, the Outbound Firewall Rule does not block the device's own local-breakout traffic to IC2; the team is working on this and targeting firmware 8.3.1. As a workaround, we have tested using an Outbound Policy rule to achieve the same purpose.

This option remains valid/available for Peplink devices running firmware 8.2.1 or lower.

Step#1
According to the JSON file highlighted in this KB article, the Peplink device needs to resolve ac1.peplink.com and ac2.peplink.com in order to initiate the connection to IC2.

Step#2
We can create an outbound domain rule for each of these two hostnames and send all traffic destined to them to all WANs with a weight of zero (“0”), meaning no packet will be sent out. Also set “When No Connections are Available” to “Drop the Traffic”.

### NOTES:

  1. With these 2 rules in place, the Peplink device will not be able to contact IC2 regardless of whether the “System > InControl > Controller” option is “InControl” or “Disable”.
  2. Disabling the RA and InControl options on the Peplink router (this is the recommended method) should be sufficient to stop the device from connecting to the Remote Assistance server and the InControl 2 system. As mentioned, the steps above are an additional assurance for users who want more control.

### [Update on firmware 8.3.0]

We have added this enhancement to firmware 8.3.0 RC6 and onwards; it was originally targeted for firmware 8.3.1. You can now use the Outbound Firewall Rule to block the Peplink device from contacting InControl 2.

Step#1 - Enable the blocking of local network traffic option

Once it is activated, you will see a banner at the top indicating that the feature is enabled.

Step#2 - Define the relevant firewall rules

  1. Create 2 domain rules, with destination “ac1.peplink.com” and “ac2.peplink.com” respectively. It is advisable to enable [Event Logging] on these rules for tracking purposes, when needed.

  2. Once both rules are defined, click [Apply Changes] to save and activate them.

  3. As with the Outbound Policy rules mentioned above, it is recommended to reboot the router to clear the DNS cache, in case the resolved hostnames are cached in the system.

  4. You can check the device status from IC2, or do a simple verification via a PING test to “ac1.peplink.com” and “ac2.peplink.com”; it should fail because the traffic is being blocked.

### NOTE:
This firewall option for blocking local network traffic can also be applied to other system services; please use it with caution, to avoid blocking all outbound traffic entirely.
