Restrict Wifi to not use cellular

I have added a Pepwave to my travel trailer that I am likely going to be renting out for others to use. In order to keep tabs on the trailer I did add a SIM card into the Pepwave so that I can monitor network usage remotely. More so, the thought was that the SIM card could be used for remote management of the Pepwave. Say the renter takes the trailer to a camp ground that has wifi, I do not want them to have access to the admin interface, so they can then text me the wifi SSID and password. I would then remote in via InControl and set the Wifi as WAN appropriately for the pepwave and they are off to the races.

The problem I am thinking I am going to have, I do not want renters to utilize the SIM card’s data for internet usage. Only for backend data that I control.

How would I set this up?
Specifically if the WAN/Wifi as WAN 2.4Ghz/Wifi as WAN 5.0Ghz are active that wifi traffic is passed along those connections back to the internet. But if the only active WAN is the cellular, to not allow any Wifi traffic to access the internet. (But still allow me to remote in via InControl to update Wifi settings accordingly.)

Enforce the DHCP clients to the WiFi WAN or use Prioritized with only the WANs you want and do not allow them to fall through.

So you want to monitor network usage or monitor the RV’s whereabouts?

If the former, that is weird, why do you care about renter’s network usage? I’d just give them access to the Peplink, then when you get there, factory reset it, and load a config file with all of your settings. If the latter, then OK I understand.

This could be a nice feature request though, to allow a different level user to just connect to WiFi networks, etc, and not have full admin access.

I was thinking of perhaps giving them access to network infrastructure that I put in the trailer (including a Roku with a Plex server off trailer). My T-Mobile plan allows me to pay for extra data at something like $10/10GB. Giving them access to that would be a good selling point for renting the trailer to those that want to glamp.

But that idea may go by the way-side. At the very least it would allow me to control access to the Pepwave so they do not have access to the admin portal. (Because let’s face it, unless Peplink gives multi level user access, the only access they could get is global admin access, while I could just reload the admin configuration, I really do not want to have to do that with every turn around.)

So creep-factor aside. How do I enforce the DHCP clients to the WiFi WAN?

You will need to make a couple of outbound policy rules for this, but it’s a pretty straightforward configuration. Outbound policy rules are processed top down and first to match applies, so you should put the rule for Ic2 at the top of the list.

To match traffic for Ic2 make a rule that looks like the example below. Given how minimal Ic2 data use is you might just want to send this out the cellular WANs as a higher priority so it works regardless of what the WiFi WAN is doing, I normally use a PepVPN tunnel for this to keep Ic2 working smoothly regardless of what connectivity is available but you get the idea.

For the next part you need a rule to match the network clients, you say you only want DHCP stuff to go out via just the Wi-Fi WAN so does that imply you have some non DHCP clients that you want to leave with access - the Roku perhaps?

If so a simple-ish way is make sure your DHCP scope only issues IPs on a specific range that divides nicely into a CIDR network block.

For example, you have used as the LAN network where your clients reside.

You could divide that into two /25 blocks which would effectively be - for the lower block and 192.168.128 - for the upper block.

Configure DHCP to issue IPs from one /25 or the other, put your static devices in the other block - note this is still configured as a /24 on the Peplink, we are just logically dividing where we put clients so the outbound policy can be crafted to match their traffic cleanly.

Let’s say we configure DHCP to issue addresses on the lower /25 block, to make an outbound policy match that traffic you’d need something like this:

Any other clients in the upper block would fall past that rule and just get the default policy applied, or you could make a rule to specifically match them too.

1 Like