Guest network on Surf SOHO

Michael234 · 2015-09-26 10:50:41 UTC

Can you offer click-here type-this instructions for creating a Guest WiFi network on a Surf SOHO. By “guest” network, I mean one that can get to the Internet but is blocked by the router from seeing any Ethernet devices and any devices on another WiFi network.

I tried the Layer 2 Isolation feature but that did not totally isolate the WiFi network.

Thank you.

TK_Liew · 2015-09-28 00:23:05 UTC

Hi Michael,

In fact Layer 2 Isolation + Guest Protect can meet your requirements. Guest Protect is supported in B305 and above (act as AP Controller). Alternatively you may deploy standalone Pepwave AP to achieve this.

Michael234 · 2015-09-28 09:35:05 UTC

By B305 I assume you are referring to a Balance model 305. I have a Surf SOHO which has no Guest Protect option (at least none that I have seen). I also do not have a Pepwave AP. While I am not perfectly clear about exactly what Layer 2 Isolation does, by itself, it does not meet my needs. From the documentation it seems that it keeps users of the one WiFi network where it is enabled from seeing each other, but in my tests it did not keep them from seeing other LAN resources.

So, to sum up, the Surf SOHO can not create a WiFi network that gives clients Internet access but isolates them from all other LAN devices. True?

Jarid_Petermann · 2015-09-28 13:45:52 UTC

Essentially Layer 2 Isolation will not block MAC-Addresses/anything layer 2 related.
Guest Protect allows for blocking at Layer 3.

Michael234 · 2015-09-29 09:53:12 UTC

So, to sum up, the Surf SOHO can not create a WiFi network that gives clients Internet access but isolates them from all other LAN devices. True?

Michael234 · 2015-09-30 11:13:40 UTC

Perhaps the VLAN functionality can restrict users of one SSID such that they can’t see Ethernet connected devices on the LAN?

TK_Liew · 2015-10-01 00:26:19 UTC

Hi Michael,

Below is the suggestion.

Create new Vlan for guest. For example Vlan 2. Then disable Intervlan Routing for Vlan 2.
Assign staff SSID to Untagged Vlan (default Vlan).
Assign guest SSID to Vlan 2.

Hope this make sense.

Michael234 · 2015-12-08 14:26:49 UTC

Finally, got around to testing this. I am a bit out of my league with VLANs and the Surf SOHO manual is no help. In a nutshell, my question is: does the new VLAN get assigned its own IP subnet? That is, if my existing LAN is 192.168.50.x, then should I use 10.10.10.x for the new VLAN? And, if so, then should I assign the router a new private IP address on the 10.10.10.x subnet? And, what is the “name” of LAN? Is it just a comment for my own use?

Thanks in advance.

sitloongs · 2015-12-08 18:20:05 UTC

Hi,

Please refer to the settings below:

VLAN settings

Defining Guest VLAN & LAN

Details Guest VLAN setting

Details LAN setting

WIFI SSIDs setting

WIFI LAN SSID

WIFI Guest SSID

Thank you

Michael234 · 2015-12-09 12:02:13 UTC

Wow, thanks for taking the time to make the screenshots.
I see now that the network name is just a comment for my personal use and that the VLAN can (should? must?) use a different subnet and that the router does indeed get a different internal IP address on each VLAN/subnet.
Thank you.
Michael

Michael234 · 2015-12-10 09:52:34 UTC

I tried this and it works, so thanks again.
In the screen shot of the LAN configuration

https://forum.peplink.com/attachment.php?attachmentid=2698&d=1449627498

I see that Inter-VLAN routing is enabled. Any particular reason for that, if the Guest VLAN has it off?

TK_Liew · 2015-12-10 19:15:03 UTC

Hi Michael,

Inter-VLAN routing is to allow communication between the Vlans. If this was disabled at Guest Vlan, any communicates with Guest Vlan will be blocked.

pepuserjj · 2015-12-25 10:23:34 UTC

Hey all…

I’m not seeing the option to create additional vlan’s on my surf soho rev 2 firmware 6.2.1. Is this functionality available on the surf? My guest wireless clients still have L3 access to my wired devices (confirmed with nmap).

Regards,

JJ

pepuserjj · 2015-12-25 18:33:02 UTC

Finally figured out to access the VLAN menu you have to enable “Advanced” menus via the help “?” button. Have guest isolation working now. Very cool!!!

JJ

Michael234 · 2015-12-27 10:19:04 UTC

The user interface for enabling the VLAN feature is much more confusing than it should be. Not sure why its hidden out of the box. That said, it is documented to work this way in user manual.

Edward · 2015-12-27 21:09:18 UTC

Thank you for the great explanation, @sitloongs!

trabas · 2017-06-08 04:56:43 UTC

Hi i need some help when i do this the other SSID cant be found by my devices. The only one available is the guest SSID. What do you think could be wrong?

Michael234 · 2017-06-08 19:59:22 UTC

Nothing about creating an isolated SSID on the Surf SOHO hides the SSID itself. There is an option in most routers to hide the SSID but most people don’t think this is a worthwhile thing to do. Perhaps you hid the networks by mistake?

Another explanation of creating a “guest” network on the Surf SOHO is here
http://routersecurity.org/pepwavesurfsofo.php#guestnetworks

trabas · 2017-06-09 00:10:18 UTC

The thing is i had both ssids working and for some reason the primary one doesnt work. When i disable the guest network the primary one now comes up. i have not enabled the option to hide the SSID

Michael234 · 2017-06-09 01:49:55 UTC

The term “doesn’t work” for an SSID is vague. Can clients logon to the network at all? If not, maybe its a password issue. Or, can they logon to the SSID but not get to the Internet? If so, it might be a firewall rule issue.

As for why disabling one SSID would impact another SSID, I have no guess at all.

If you open a problem ticket, you may be able to upload a file with all the settings of your router to Peplink to have them review it.