Peplink Security Breach

I’m late to reply, but @mystery you can disable the ability for InControl connectivity.

To prevent Peplink support from accessing a Peplink router remotely, even in the event of a hidden backdoor, could I first connect the internet to an Edge Router running pfSense with its firewall enabled, and then link the Edge Router’s LAN to the Peplink’s WAN?

You can put a firewall in front of the Peplink to monitor all sessions in and out, but you’d need to actively monitor the traffic to spot non-typical behavior, I think.

1 Like

To prevent unauthorized traffic (including potential backdoor access) originating from the inner Peplink router in a two-router setup, I propose the following configuration for the outbound firewall on the outer edge router:

  1. Set the default outbound policy to “deny all” traffic from the inner Peplink router. This ensures that no traffic is permitted unless explicitly allowed, providing a secure baseline.
  2. Define specific rules to allow legitimate traffic from the inner Peplink router. This step ensures that only trusted traffic, such as predefined IP addresses, ports, or protocols, can pass through the firewall.
  3. Create rules to block known backdoor traffic. If specific details are known (e.g., IP addresses, ports, or protocols), establish targeted rules to prevent such traffic from exiting the network.
  4. Enable logging for denied traffic. This will allow monitoring of any attempts to bypass the firewall, offering insights into potential unauthorized access attempts.

This configuration aims to enhance user control over access to the inner Peplink router in a SOHO environment. While effective in this context, I acknowledge that this approach may not scale well for larger, remotely managed Peplink deployments. I welcome any feedback on potential improvements or additional considerations that may have been overlooked.

1 Like
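The four-step egress policy in the post above, written out as an added example (not from the thread, not Peplink's or pfSense's own code). It models the outer router's forward chain as a first-match rule list, evaluates a few constructed flows against it, and renders the same policy as an nftables fragment. pfSense uses pf rather than nftables, so the rendering is a stand-in for the rules you would enter in the pfSense GUI with logging ticked; the inner router's WAN address, the allowed destinations and the "known backdoor" subnet are constructed placeholders, not observed values.

```python
"""Egress policy for an outer edge router sitting in front of an inner Peplink.
Everything the Peplink (or the LAN NATed behind it) sends arrives at the edge
router with the Peplink's WAN address as source, so the policy keys on that.
All addresses below are constructed placeholders from RFC 5737 / RFC 1918."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

INNER_ROUTER = ipaddress.ip_address("192.168.100.2")  # constructed: Peplink WAN IP on the inter-router link


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str               # "accept" or "drop"
    dst_net: Optional[str]    # None = any destination
    proto: Optional[str]      # None = any protocol
    dport: Optional[int]      # None = any port
    log: bool                 # step 4: log this match
    comment: str

    def matches(self, flow: Flow) -> bool:
        if self.dst_net and ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto and flow.proto != self.proto:
            return False
        if self.dport is not None and flow.dport != self.dport:
            return False
        return True


# Order matters: step 3 blocks come BEFORE step 2 allows, so a known-bad
# destination is dropped even when it uses an otherwise-allowed port.
POLICY = [
    Rule("drop", "203.0.113.0/24", None, None, True, "step 3: known backdoor destination (constructed placeholder)"),
    Rule("accept", "192.0.2.53/32", "udp", 53, False, "step 2: DNS to the one resolver we trust"),
    Rule("accept", None, "tcp", 443, False, "step 2: HTTPS from the LAN behind the Peplink"),
    Rule("accept", None, "udp", 123, False, "step 2: NTP"),
]
# Step 1 + step 4: anything else from the inner router is dropped and logged.
DEFAULT = Rule("drop", None, None, None, True, "step 1+4: default deny, logged")


def evaluate(flow: Flow) -> Tuple[str, bool, str]:
    """First-match evaluation. Returns (action, logged, matching rule comment)."""
    if ipaddress.ip_address(flow.src) != INNER_ROUTER:
        return ("accept", False, "not from the inner router; outside this policy")
    for rule in POLICY:
        if rule.matches(flow):
            return (rule.action, rule.log, rule.comment)
    return (DEFAULT.action, DEFAULT.log, DEFAULT.comment)


def render_nft() -> str:
    """Render the same policy as an nftables forward chain (assumed Linux edge router)."""
    lines = [
        "table inet edge {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",   # replies to allowed sessions
    ]
    for r in POLICY + [DEFAULT]:
        parts = [f"ip saddr {INNER_ROUTER}"]
        if r.dst_net:
            parts.append(f"ip daddr {r.dst_net}")
        if r.proto and r.dport is not None:
            parts.append(f"{r.proto} dport {r.dport}")
        if r.log:
            parts.append('log prefix "edge-deny: "')
        parts.append(r.action)
        lines.append(f'    {" ".join(parts)} comment "{r.comment}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample flows, all sourced from the inner router.
    samples = [
        Flow("192.168.100.2", "198.51.100.10", "tcp", 443),  # allowed HTTPS
        Flow("192.168.100.2", "203.0.113.7", "tcp", 443),    # HTTPS, but to a blocked subnet
        Flow("192.168.100.2", "198.51.100.10", "udp", 53),   # DNS to an unapproved resolver
        Flow("192.168.100.2", "198.51.100.10", "tcp", 22),   # unexpected outbound SSH
    ]
    for f in samples:
        action, logged, why = evaluate(f)
        print(f"{f.proto}/{f.dport} -> {f.dst}: {action:6} log={logged}  ({why})")
    print(render_nft())
```

The point the evaluator makes visible is ordering: the HTTPS flow to the placeholder "backdoor" subnet is dropped and logged even though port 443 is allowed in general, and the unapproved DNS resolver and outbound SSH fall through to the logged default deny, which is exactly the denied-traffic log the post wants to watch.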