Layer 2 Isolation Pepwave Surf SOHO Firmware 7.0.0


#1

I’m curious about some differences I see between InControl and the device admin client on the Pepwave Surf SOHO.

  1. InControl shows WPA2 - Personal as having TKIP/AES:CCMP while the device client shows AES:CCMP

Are these meaningful differences in the settings that happen to be inconsistent between administration clients or a typo/misinformation?

  2. InControl shows me a Layer 2 Isolation checkbox option on my SSIDs while the device client does not.

Is InControl the only way for me to utilize Layer 2 Isolation or is there a way to do it on the device client?


#2

Click the blue ? in the upper right side of your 1st image. A message will be displayed “To set SSID advanced settings, please click here.” Click the link “here”. You can then enable Layer 2 Isolation locally on your Surf SOHO.

Please note the layer 2 isolation only applies to wireless devices on the same physical SSID radio. An iPhone and a Macbook connected to the same AP will not be able to see each other. However they will be able to see devices in the same subnet connected through an ethernet connection, including devices on other APs. If you require more isolation, you will need to configure additional rules in Advanced > Firewall > Internal Network Firewall Rules.


#3

Thanks! I found it. (That does seem like a strange UI decision, to put the advanced options under a “?”, which generally denotes “help” or additional “info”.)

Thanks for the info on the Layer 2 Isolation as well. I may need a bit more clarification.

I currently have 3 LANs set up (1 untagged and 2 VLANs). I have matching SSIDs for them. Both the VLANs have “Inter VLAN routing” turned off which I assumed would not let them see outside of their own VLAN and that the Layer 2 Isolation would not let them see other devices within the VLAN.

In my case all devices are wireless with the exception of a home server on the non-VLAN network.

The goal is that all the devices on a VLAN have complete isolation (they can’t see each other inside their own VLAN and can’t see outside of the VLAN) and that the home network can see everything inside its network.


#4

I also have the switch set up like this with the trunk being the home server. Not sure if that’s working as I intend or not…


#5

(That does seem like a strange UI decision, to put the advanced options under a “?”, which generally denotes “help” or additional “info”.)

You will get used to this pretty quick as you configure your network. The more interesting and/or advanced features are usually found through links in the ? bubbles. I find myself clicking them whenever I see one, looking for more features.

Both the VLANs have “Inter VLAN routing” turned off which I assumed would not let them see outside of their own VLAN

With Inter VLAN routing turned off for a given VLAN, any client devices on that network will only be able to see other devices on that network and the gateway (aka internet).

and that the Layer 2 Isolation would not let them see other devices within the VLAN.

If the SOHO’s AP is the only physical AP on your network, then client devices on that SSID will not be able to see each other.

The goal is that all the devices on a VLAN have complete isolation (they can’t see each other inside their own VLAN and can’t see outside of the VLAN)

Again assuming the SOHO AP is the only physical AP on your network, your configuration should A) isolate wireless clients from each other and B) isolate clients on VLAN2 and VLAN3 from the other two networks (Untagged and VLANx).

the home network can see everything inside its network.


I also have the switch set up like this with the trunk being the home server.

You will probably need to set LAN Port 1 to Access and Untagged LAN rather than Trunk and Any. If your server’s IP is 192.168.0.x and you are not running VMs with IPs in VLAN2 or VLAN3, there really is no need to trunk traffic to that port. More so, the NIC may not even support 802.1Q tags and/or be configured for such, so you couldn’t even send tagged traffic if you wanted to. With an IP in the Untagged VLAN (192.168.0.x) and Inter VLAN routing enabled, you will be able to communicate with properly configured devices on VLAN2 and VLAN3 from the server.
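Worked example (added here, not part of the original thread or Peplink's own code): the rules stated in replies #2 and #5 written as a small reachability model, so the intended segmentation from post #3 can be checked on paper before trusting it. Layer 2 Isolation blocks only wireless clients that share an SSID on the same physical AP; a VLAN with Inter VLAN routing off sees only itself and the gateway. The device names, SSIDs and the scenario are constructed. One point is an assumption rather than something the thread states outright: the cross-VLAN check is applied to the VLAN that initiates the flow, which is what makes the untagged server (routing on) able to reach VLAN2/VLAN3 hosts while those hosts cannot reach it. Verify that behaviour on the actual device.

```python
"""Reachability model for the Surf SOHO settings discussed in this thread.

Constructed example: it encodes the rules given in the replies, not the
router's actual forwarding code. Names, SSIDs and VLAN labels are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GATEWAY_VLAN = "*"  # sentinel: the router itself is reachable from every LAN


@dataclass(frozen=True)
class Device:
    name: str
    vlan: str                    # "untagged", "vlan2", "vlan3"
    ssid: Optional[str] = None   # SSID for wireless clients, None for wired
    ap: Optional[str] = None     # physical AP a wireless client is attached to


GATEWAY = Device("surf-soho", GATEWAY_VLAN)


@dataclass
class RouterConfig:
    l2_isolation: Dict[str, bool]        # per SSID (SSID advanced settings)
    inter_vlan_routing: Dict[str, bool]  # per LAN/VLAN


def can_reach(src: Device, dst: Device, cfg: RouterConfig) -> bool:
    """Return True if src can initiate traffic to dst under cfg."""
    if dst.vlan == GATEWAY_VLAN:
        return True
    if src.vlan == dst.vlan:
        # Layer 2 Isolation (reply #2): blocks only wireless clients sharing
        # the same SSID on the same physical AP. Wired hosts in the subnet and
        # clients on other APs remain reachable.
        same_radio = (src.ssid is not None and src.ssid == dst.ssid
                      and src.ap == dst.ap)
        if same_radio and cfg.l2_isolation.get(src.ssid, False):
            return False
        return True
    # Cross-VLAN (reply #5): with Inter VLAN routing off, a VLAN only sees
    # itself and the gateway. ASSUMPTION: the check applies to the initiating
    # VLAN, so a routed VLAN can still reach hosts in a non-routed one.
    return cfg.inter_vlan_routing.get(src.vlan, False)


def reachability(devices: List[Device],
                 cfg: RouterConfig) -> Dict[Tuple[str, str], bool]:
    """Full src->dst matrix between the listed devices."""
    return {(a.name, b.name): can_reach(a, b, cfg)
            for a in devices for b in devices if a is not b}


def isolation_violations(devices: List[Device], cfg: RouterConfig) -> List[str]:
    """Goal from post #3: hosts in a non-routed VLAN see nothing but the gateway."""
    isolated = {v for v, routed in cfg.inter_vlan_routing.items() if not routed}
    return [f"{a}->{b}" for (a, b), ok in reachability(devices, cfg).items()
            if ok and next(d for d in devices if d.name == a).vlan in isolated]


def thread_scenario() -> Tuple[RouterConfig, List[Device]]:
    """Untagged home LAN plus two VLANs, each with a matching SSID; one AP."""
    cfg = RouterConfig(
        l2_isolation={"Home": False, "IoT": True, "Guest": True},
        inter_vlan_routing={"untagged": True, "vlan2": False, "vlan3": False},
    )
    devices = [
        Device("server", "untagged"),                         # wired, LAN port 1
        Device("iphone", "untagged", ssid="Home", ap="soho"),
        Device("macbook", "untagged", ssid="Home", ap="soho"),
        Device("cam1", "vlan2", ssid="IoT", ap="soho"),
        Device("cam2", "vlan2", ssid="IoT", ap="soho"),
        Device("guest", "vlan3", ssid="Guest", ap="soho"),
    ]
    return cfg, devices


if __name__ == "__main__":
    cfg, devices = thread_scenario()
    for (a, b), ok in sorted(reachability(devices, cfg).items()):
        print(f"{a:8} -> {b:8} {'reach' if ok else 'blocked'}")
    print("violations:", isolation_violations(devices, cfg) or "none")
```

Adding a second AP to the device list (a client with `ap="ap2"` on the same SSID) shows the caveat from reply #2: Layer 2 Isolation no longer separates it from clients on the first AP, and only Internal Network Firewall Rules would.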


#6

Great, that seems to get me where I want to go.

The Pepwave Surf is indeed the only physical AP.

I don’t really understand the trunk/access for VLANS, so I was shooting blind there.

Thanks for the help!