Feature needed to turn WiFi off completely and not just to hide the SSID

Please allow turning off the WiFi by VLAN, not merely turning off the SSID. This would, for instance, allow a GuestVLAN WiFi that functioned when needed and turned off when not needed.

A weird use case. 99.9% of people probably do not want to have to jump through hoops to enable/disable WiFi for guests. Best solution is properly designing your network so the guest network is completely segmented and a guest cannot cross over from the guest network to your main network/other networks. If that is done, what is the big deal if the WiFi is left on? Can you better explain your use case/reasoning?

“Hiding the SSID has been called a security feature on the theory that
bad guys can’t hack into a network they can’t see. But, the protection
offered by not broadcasting the SSID is trivially easy to bypass. In my
opinion, and the opinion of many experts, hiding the network name is not
worth the operational hassle. Let the name be broadcast.” Choosing an SSID - RouterSecurity.org

“(T)he protection offered by not broadcasting the SSID is trivially easy to bypass” pretty much says it all - turning off the SSID is pointless. Yes, my VLAN cannot access any other VLAN, but why would I want a WiFi that isn’t in use left available for potential hackers to practice on? Allow me to turn the WiFi off. With a simple on/off button you can leave it on forever, if that’s your desire, and still allow those of us who wish to turn it off to do so.

Just a quick check: A defined SSID may be in one of three states:

  1. Available and the name is broadcast: The public can see the name of the SSID, and can try to connect. The strength of the SSID password is the primary barrier against connecting, with the VLAN isolation being the second level of defense.
  2. Available and the name is not broadcast (“hiding” it, in the terminology of the web site you link to): The public has to know (or guess) the name of the SSID in order to connect. This is the “easy to bypass” referred to on the web site. The Peplink admin panel for SSIDs refers to this as the “Broadcast SSID” checkbox; in InControl2 it is referred to as “SSID Visibility” (show or hide).
  3. Not available, i.e., the SSID is turned off. This is not related to whether a particular VLAN is defined or not.

(3) is the one you want, it seems. That can be achieved by defining an “always off” schedule and toggling the SSID “Schedule” setting between always on (the SSID is available) and always off (the SSID is simply not available to anyone). You can achieve the same effect in InControl2 for groups of devices being toggled on or off using such a mechanism.

If you are employing InControl2 a better mechanism is to assign a particular tag to the SSID - only those devices that are enabled by being tagged with that tag will make the SSID available. Adding or removing the tag for the unit in question then determines whether an SSID is available on that unit or not.

Cheers,

Z

That’s correct - (3) is the one I want, and if your system works, then I won’t need a new feature. In a previous thread I gathered (perhaps wrongly) that “always off,” and “SSID off” would occasionally connect/not connect. In my case I was unable to connect and questioned whether that satisfied my needs. I thought I gathered that it would not. (I’m not trying to tell you what someone “meant,” just what I gathered.)

The user manual for v8.2.0 wasn’t completely clear to me, to wit: “15.1.4 Schedule - Enable and disable different functions (such as WAN connections…).” If this does work for my needs then perhaps the manual might clarify the issue a bit more.

I didn’t maintain InControl for my Surf SOHO, but I believe now a subscription is in order for my Balance 20X. Thanks.

Being off as opposed to hidden does the security trick. Consider this snapshot from a Wi-Fi sniffer:
[Screenshot: screen-shot-2022-04-01-at-11.jpg]
It displays the SSIDs made available by two Peplink APs. Most of them are broadcast with a network name (what you see when looking for Wi-Fi connections), and one of them is not broadcasting a name (listed here as “Hidden Network”). The latter is an example of a network where access is available, but you have to know the network name in order to connect. In other words, not that secure.

All of these networks have BSSIDs (identities), which are what ultimately identify them when one connects.

And then there is an example of a network that is simply off: At the bottom you see one AP broadcasting the availability of a network named “…GDPR…”. The other AP does not include a network with that name in its offering. It is quite simply not there.

In this case the GDPR network has been turned off for that particular AP by means of IC2 (the AP does not have the GDPR tag). Any device trying to connect to that network cannot do it using this AP.

Similarly, the network “…SM Aux…” is made available by the first AP, and not by the second. Same mechanism, same (good) security.

And finally, there is the network named “…streaming…”. You don’t see it - because it is turned off for both of these APs. It simply is not there (though the router for these APs does have a VLAN named “…streaming…”) :-).

[quote]
I didn’t maintain InControl for my Surf SOHO, but I believe now a subscription is in order for my Balance 20X. Thanks.
[/quote]

I recommend continuing PrimeCare for your unit - it includes IC2 as well as all kinds of other goodies (such as continued warranty).

Be well.

Z
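
The hidden-versus-off distinction in the post above can be checked from captured beacons. This is an added example, not part of any forum post and not Peplink code: it parses raw 802.11 beacon frames and reports which SSIDs that are supposed to be off are still offered, and which BSSIDs beacon without a name. It assumes frames with the radiotap header already stripped; `make_beacon`, the SSID names and the BSSIDs are constructed for illustration.

```python
import struct

def parse_beacon(frame: bytes):
    """Return (bssid, ssid) from a raw beacon; ssid is None when the name is
    hidden (empty or all-NUL SSID element)."""
    if len(frame) < 36 or frame[0] != 0x80:   # 0x80 = management frame, subtype beacon
        raise ValueError("not a beacon frame")
    bssid = frame[16:22].hex(":")             # address 3 of the MAC header
    pos = 36                                  # 24-byte header + 12 fixed beacon bytes
    while pos + 2 <= len(frame):
        elem_id, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2 : pos + 2 + length]
        if len(data) < length:
            raise ValueError("truncated element")
        if elem_id == 0:                      # SSID element
            name = data.decode("utf-8", "replace")
            return bssid, (name if data.strip(b"\x00") else None)
        pos += 2 + length
    raise ValueError("no SSID element")

def audit(frames, must_be_off):
    """Return ({ssid: [bssids still offering it]}, [bssids with a hidden name])."""
    still_on, hidden = {}, []
    for frame in frames:
        bssid, ssid = parse_beacon(frame)
        if ssid is None:
            hidden.append(bssid)              # state 2: reachable, name not broadcast
        elif ssid in must_be_off:
            still_on.setdefault(ssid, []).append(bssid)  # policy says state 3, AP says otherwise
    return still_on, hidden

def make_beacon(bssid: str, ssid: bytes) -> bytes:
    """Build a minimal beacon for the constructed sample below (hypothetical helper)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, interval, capabilities
    return header + fixed + bytes([0, len(ssid)]) + ssid + b"\x01\x01\x82"

# Constructed sample: AP 1 offers one named and one hidden network, AP 2 still
# offers a guest network that should be off; "streaming-demo" is off everywhere.
SAMPLE = [
    make_beacon("02:00:00:00:00:01", b"office-demo"),
    make_beacon("02:00:00:00:00:01", b""),
    make_beacon("02:00:00:00:00:02", b"guest-demo"),
]

if __name__ == "__main__":
    print(audit(SAMPLE, {"guest-demo", "streaming-demo"}))
```

An SSID that is really off on every AP never appears in either result, which is the difference from a hidden one.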

I checked on the subscription prices yesterday. InControl isn’t available as a standalone after the first year. PrimeCare is and it includes, among other things, InControl for $49 USD per year. Thanks.
