Feature Request: LAN-side Anti-Tethering (Anti-NAT) & Rogue AP Detection
Hi Peplink Team,
I’d like to suggest adding a practical feature that would bring real value to Peplink routers, switches, and access points — specifically in environments where network misuse and security enforcement are critical.
Feature:
LAN-side Anti-Tethering (Anti-NAT) and Rogue Access Point Detection
The idea is to provide a way to automatically detect and block devices acting as mobile hotspots, tethered connections, or unauthorized Wi-Fi APs connected to the LAN side of the network.
Why It’s Useful:
- Helps prevent users from bypassing captive portals, firewall rules, or quotas by using personal mobile hotspots or unauthorized NAT devices.
- Detects rogue or unauthorized access points that could be re-broadcasting LAN traffic or exposing internal networks.
- Reduces risk of bandwidth abuse, unauthorized access, and L2-based attacks.
- Keeps guest and corporate networks clean and enforceable without requiring additional appliances.
Potential Detection Methods:
- Block or alert on traffic with suspicious TTL values (e.g., TTL=64 from Android tethering).
- Detect multiple MACs behind a single IP address.
- Identify AP signatures or bridge devices via MAC vendor IDs or DHCP behavior.
- Simple rule-based engine to take action: log, rate-limit, or block the offending device.
Value to Peplink:
- Adds security value at the edge with minimal complexity.
- Useful for MSPs, schools, offices, retail — where network integrity and usage control are important.
- Fits naturally into Peplink’s LAN and Wi-Fi infrastructure, and could even integrate with InControl2 for visibility and alerting.
This isn’t a complicated feature to implement, and I hope you agree it can bring real value by helping to enforce network policies and prevent detouring or misuse.
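A sketch of the TTL and shared-IP checks listed under "Potential Detection Methods", with the log / rate-limit / block actions attached; it is an added example, not part of the original post and not Peplink code. It assumes a LAN-side sensor that records (source MAC, source IP, TTL) per packet, and it reads the TTL check as "one below a common initial TTL" (63, 127, 254), which is how traffic forwarded by a NAT hop normally arrives; the function name, sample frames and action mapping are hypothetical.

```python
from collections import defaultdict

# Common initial TTLs of host IP stacks. Traffic that has crossed one
# routing/NAT hop reaches the LAN sensor one lower (63, 127, 254).
INITIAL_TTLS = (64, 128, 255)
ONE_HOP_TTLS = {t - 1 for t in INITIAL_TTLS}

# Constructed observations (source MAC, source IP, IP TTL); not capture data.
SAMPLE_FRAMES = [
    ("02:00:00:00:00:01", "192.168.50.10", 64),    # ordinary client
    ("02:00:00:00:00:02", "192.168.50.11", 128),   # ordinary client
    ("02:00:00:00:00:03", "192.168.50.12", 64),    # NAT device's own traffic
    ("02:00:00:00:00:03", "192.168.50.12", 63),    # client behind it
    ("02:00:00:00:00:03", "192.168.50.12", 127),   # second client, other OS
    ("02:00:00:00:00:04", "192.168.50.13", 63),    # single one-hop signal
    ("02:00:00:00:00:05", "192.168.50.14", 64),
    ("02:00:00:00:00:06", "192.168.50.14", 64),    # second MAC, same IP
]

def evaluate(frames):
    """Return {mac: (action, reasons)} for MACs that trip a heuristic."""
    one_hop = defaultdict(set)      # MAC -> distinct one-hop TTLs seen
    macs_by_ip = defaultdict(set)   # IP  -> source MACs seen using it
    for mac, ip, ttl in frames:
        macs_by_ip[ip].add(mac)
        if ttl in ONE_HOP_TTLS:
            one_hop[mac].add(ttl)

    findings = {}
    for mac, ttls in one_hop.items():
        # Two TTL families behind one MAC means several IP stacks share it,
        # which is stronger evidence than a single decremented value.
        action = "block" if len(ttls) > 1 else "rate-limit"
        findings[mac] = (action, [f"one-hop TTL {sorted(ttls)}"])
    for ip, macs in macs_by_ip.items():
        if len(macs) > 1:
            for mac in macs:
                action, reasons = findings.get(mac, ("log", []))
                note = f"{ip} shared by {len(macs)} MACs"
                findings[mac] = (action, reasons + [note])
    return findings

if __name__ == "__main__":
    for mac, (action, reasons) in sorted(evaluate(SAMPLE_FRAMES).items()):
        print(mac, action, "; ".join(reasons))
```

Both signals have benign causes, such as a legitimately routed host or a duplicate-IP misconfiguration, so thresholds and actions would need tuning per site.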