Guest network on Surf SOHO

Can you offer click-here type-this instructions for creating a Guest WiFi network on a Surf SOHO. By “guest” network, I mean one that can get to the Internet but is blocked by the router from seeing any Ethernet devices and any devices on another WiFi network.

I tried the Layer 2 Isolation feature but that did not totally isolate the WiFi network.

Thank you.

Hi Michael,

In fact Layer 2 Isolation + Guest Protect can meet your requirements. Guest Protect is supported in B305 and above (act as AP Controller). Alternatively you may deploy standalone Pepwave AP to achieve this.

1 Like

By B305 I assume you are referring to a Balance model 305. I have a Surf SOHO which has no Guest Protect option (at least none that I have seen). I also do not have a Pepwave AP. While I am not perfectly clear about exactly what Layer 2 Isolation does, by itself, it does not meet my needs. From the documentation it seems that it keeps users of the one WiFi network where it is enabled from seeing each other, but in my tests it did not keep them from seeing other LAN resources.

So, to sum up, the Surf SOHO can not create a WiFi network that gives clients Internet access but isolates them from all other LAN devices. True?

Essentially Layer 2 Isolation will not block MAC-Addresses/anything layer 2 related.
Guest Protect allows for blocking at Layer 3.

So, to sum up, the Surf SOHO can not create a WiFi network that gives clients Internet access but isolates them from all other LAN devices. True?

Perhaps the VLAN functionality can restrict users of one SSID such that they can’t see Ethernet connected devices on the LAN?

Hi Michael,

Below is the suggestion.

  1. Create new Vlan for guest. For example Vlan 2. Then disable Intervlan Routing for Vlan 2.

  2. Assign staff SSID to Untagged Vlan (default Vlan).

  3. Assign guest SSID to Vlan 2.

Hope this make sense.

1 Like

Finally, got around to testing this. I am a bit out of my league with VLANs and the Surf SOHO manual is no help. In a nutshell, my question is: does the new VLAN get assigned its own IP subnet? That is, if my existing LAN is 192.168.50.x, then should I use 10.10.10.x for the new VLAN? And, if so, then should I assign the router a new private IP address on the 10.10.10.x subnet? And, what is the “name” of LAN? Is it just a comment for my own use?

Thanks in advance.


Please refer to the settings below:

  1. VLAN settings
  • Defining Guest VLAN & LAN

  • Details Guest VLAN setting

  • Details LAN setting

  1. WIFI SSIDs setting

  • WIFI Guest SSID

Thank you


Wow, thanks for taking the time to make the screenshots.
I see now that the network name is just a comment for my personal use and that the VLAN can (should? must?) use a different subnet and that the router does indeed get a different internal IP address on each VLAN/subnet.
Thank you.

I tried this and it works, so thanks again.
In the screen shot of the LAN configuration

I see that Inter-VLAN routing is enabled. Any particular reason for that, if the Guest VLAN has it off?

Hi Michael,

Inter-VLAN routing is to allow communication between the Vlans. If this was disabled at Guest Vlan, any communicates with Guest Vlan will be blocked.

1 Like

Hey all…

I’m not seeing the option to create additional vlan’s on my surf soho rev 2 firmware 6.2.1. Is this functionality available on the surf? My guest wireless clients still have L3 access to my wired devices (confirmed with nmap).



Finally figured out to access the VLAN menu you have to enable “Advanced” menus via the help “?” button. Have guest isolation working now. Very cool!!!


The user interface for enabling the VLAN feature is much more confusing than it should be. Not sure why its hidden out of the box. That said, it is documented to work this way in user manual.

Thank you for the great explanation, @sitloongs! :slight_smile:

Hi i need some help when i do this the other SSID cant be found by my devices. The only one available is the guest SSID. What do you think could be wrong?

Nothing about creating an isolated SSID on the Surf SOHO hides the SSID itself. There is an option in most routers to hide the SSID but most people don’t think this is a worthwhile thing to do. Perhaps you hid the networks by mistake?

Another explanation of creating a “guest” network on the Surf SOHO is here

The thing is i had both ssids working and for some reason the primary one doesnt work. When i disable the guest network the primary one now comes up. i have not enabled the option to hide the SSID

The term “doesn’t work” for an SSID is vague. Can clients logon to the network at all? If not, maybe its a password issue. Or, can they logon to the SSID but not get to the Internet? If so, it might be a firewall rule issue.

As for why disabling one SSID would impact another SSID, I have no guess at all.

If you open a problem ticket, you may be able to upload a file with all the settings of your router to Peplink to have them review it.