Router to control separate AP(s) with multiple VLANs?

Okay, I’ll warn you up front, this is going to get a bit convoluted. :wink:

I currently have an older router (running Tomato) with 4 LAN ports that are separated into two separate VLANs, both of which can hit the internet (get out on the WAN), but cannot see each other (no cross traffic). And that’s the idea. One VLAN is considered trusted and the other is untrusted.

Most of my home’s wired network jacks are on the trusted VLAN, along with two APs (for whole house coverage). The untrusted network is for guests and for devices that need access to the internet but have no business on my primary VLAN with my file servers (e.g., Amazon Echos, FIOS STBs). That untrusted VLAN has a third AP just for untrusted wireless clients.

I want to upgrade to a more modern set of network devices (my router and APs are all 10+ years old) and simplify it if I can. I like the idea of a Peplink router that can control separate Peplink APs from the same dashboard. That said, I don’t need dual WANs. The Surf SOHO Mk3 looks good, but it’s not clear to me if it can control remote APs (like the AP One AC Mini) as seamlessly as the Balance routers can. If it can’t, I’d be tempted to get the non-wifi Balance router and just get separate APs to keep life simple. If it can, then I might need one fewer AP.

So I suppose that’s my first question - can the Surf SOHO Mk3 control remote APs the same as the Balance routers?

Either way, I also need to figure out how many APs I need. Right now I have 3:

  • Trusted in basement
  • Trusted two floors up at bedroom level
  • Untrusted also two floors up on bedroom level

If I buy something like the AP One AC Mini for my top floor, can it accept traffic for two separate (and isolated) VLANs…and can those VLANs also have wired assets on them?

To clarify, what I want:

  • Define two VLANs on the router and assign specific router LAN ports to them (e.g., eth1 & 2 are trusted VLAN; eth 3 & 4 are untrusted VLAN)
  • Have one or more APs somehow on the same wired network, where each AP supports two SSIDs, where one SSID is tied to the trusted VLAN and the other SSID is tied to the untrusted VLAN

If so, what LAN ports would those APs be connected to? One of the VLANs defined above or a third VLAN?

Or would I need to do what I am doing now - drop one AP on the wired network for the trusted VLAN and drop another AP on the wired network for the untrusted VLAN.

And if any or all of this is possible, does it drive me toward the Balance instead of the Surf SOHO?

And if you got this far, I owe you a beer. :wink:

Hello @scuba_steve,
This is very easy to achieve, you can use
1 x Balance ONE Core router
3 x AP ONE Enterprise WAP (you will need a PoE Switch or injector to run these)
and you can most likely reuse your existing network cabling.

This choice of router and WAPs will all work harmoniously together and support multiple SSIDs with VLANs, you can also take advantage of the InControl2 cloud management & monitoring too (free for the warranty period of the products).

I suggest you reach out to a local partner to help you with the solution, which country are you in?
Happy to Help,
Marcus :slight_smile:

Thanks Marcus.

So from your response, I infer that if I have two separate VLANs (on different router LAN ports) with no allowed cross traffic, I will need to put a separate AP on each VLAN.

Or expressed graphically

Is that correct? i.e., There is no way to collapse those two APs into just one AP and have wireless clients join the appropriate VLAN based on the SSID to which they connect? Perhaps by connecting that single AP to a third router LAN port configured in a different manner?

If not, that’s what I am doing already with my existing hardware. I was hoping to reduce the number of devices I am dealing with.

Also, I am a bit confused about the POE requirements for the APs. I am considering the AP One AC Mini. Does it not come with an AC adapter? Is it required to run over POE? If so, that seems like an issue for me. I really don’t want to also replace my switches. So I suppose if they do not support an AC adapter, I would then need to buy POE injectors.

This is not simplifying my network. :wink:

I am in the USA BTW. And thanks again! Cheers!

Hello @scuba_steve,
Properly set up, you will not need separate WAPs, as each WAP recommended above can do multiple SSIDs assigned to specific VLANs. Cross traffic comes down to how you set up your VLANs; in Peplink Balance routers you simply turn off inter-VLAN routing, it is that simple.

If you want to reduce the number of WAPs required, you certainly can do that as the model recommended is capable of working like 16 WAPs (you can have up to 16 SSIDs running from the one device each on different VLANs)

VLANs will be managed within the router and the WAP, so you can just plug (via PoE) the WAPs directly into the switch, this gives a much more simplified installation on the physical level and leaves you more flexibility on the network level.
When set up correctly, the WAPs will act as an extension of the network port, so each device connected to it will believe it is on the correct network based on the SSID.
The Balance One also allows you to assign any of its LAN ports to behave as network trunks (to allow the VLANs) or be assigned to a specific VLAN so it becomes easy to separate your physical traffic too should you need.

We find that Peplink’s systems make VLANs very easy to set up and manage compared to a lot of the other vendors we also have to work with out there.

We have found the AP One Enterprise to be a great product and for that reason we stick with it in preference to the Mini. We also use the AP One Rugged a fair bit. The choice of WAP needs to come down to what you prefer, though we do like the AP One Enterprise & AP One Rugged.

On the power side, the use of a PoE injector or PoE Switch is going to use about the same power as a local plug-pack for the mini, we prefer the PoE approach as it allows you to centralise all of the systems power management into the one location and makes using a UPS if you choose a lot more suitable too.

Happy to Help,
Marcus :slight_smile:
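An added example (not from the thread, and not Peplink configuration): a small Python check of the single-AP design described in the reply above, where the AP hangs off a trunk port and each SSID maps to one VLAN. The VLAN IDs, port roles, SSID names and the single `inter_vlan_routing` flag are constructed assumptions.

```python
from dataclasses import dataclass

TRUSTED, UNTRUSTED = 10, 20  # constructed VLAN IDs, not from the thread

@dataclass(frozen=True)
class Port:
    name: str
    mode: str          # "access" (one untagged VLAN) or "trunk" (tagged VLANs)
    vlans: frozenset

@dataclass(frozen=True)
class AccessPoint:
    name: str
    uplink: str        # router LAN port the AP is cabled to
    ssids: tuple       # (ssid, vlan_id) pairs

def audit(ports, aps, inter_vlan_routing):
    """Return findings; an empty list means trusted and untrusted stay isolated."""
    findings = []
    by_name = {p.name: p for p in ports}
    for p in ports:
        if p.mode == "access" and len(p.vlans) != 1:
            findings.append(f"{p.name}: access port must carry exactly one VLAN")
    for ap in aps:
        port = by_name.get(ap.uplink)
        if port is None:
            findings.append(f"{ap.name}: uplink {ap.uplink} is not a defined port")
            continue
        if len({v for _, v in ap.ssids}) > 1 and port.mode != "trunk":
            findings.append(f"{ap.name}: multi-VLAN SSIDs but {port.name} is not a trunk")
        for ssid, vlan in ap.ssids:
            if vlan not in port.vlans:
                findings.append(f"{ap.name}: SSID {ssid!r} needs VLAN {vlan}, absent on {port.name}")
    # Routing between the VLANs defeats the separation regardless of cabling.
    if inter_vlan_routing:
        findings.append("inter-VLAN routing is on: cross traffic is possible")
    return findings

# Constructed layout: three access ports plus one trunk that carries both VLANs.
PORTS = [
    Port("eth1", "access", frozenset({TRUSTED})),
    Port("eth2", "access", frozenset({TRUSTED})),
    Port("eth3", "access", frozenset({UNTRUSTED})),
    Port("eth4", "trunk", frozenset({TRUSTED, UNTRUSTED})),
]
SSIDS = (("home", TRUSTED), ("guest", UNTRUSTED))
GOOD_AP = AccessPoint("ap-top-floor", "eth4", SSIDS)  # on the trunk
BAD_AP = AccessPoint("ap-top-floor", "eth1", SSIDS)   # on a trusted access port
```

`audit(PORTS, [GOOD_AP], False)` returns no findings; moving the same AP to `eth1`, or setting the routing flag to `True`, produces findings that name the port or setting to fix.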


Thanks again Marcus. Super helpful. And the PoE explanation makes a lot of sense. Thanks for taking the time for such a thoughtful reply.

Wish I could play with both the Surf SOHO and the Balance One Core along with a remote AP before I jumped in. I suspect the SOHO might work for me given that I am only provisioned for a single 50 Mbps WAN, but the Core seems significantly more flexible…with a corresponding significant increase in price. $179 (US) for a SOHO (with integrated AP) or three times that for a Core with just a Mini AP. Ouch.

Oh well. Decisions, decisions. :thinking:


Well, after a lot of consideration, I pulled the trigger on a Balance One Core this evening. It will be here tomorrow.

The AP decision is on hold. Looks like the Mini currently has a significant connection drop issue, which Peplink claims (in these forums) is due to a driver issue they are actively attempting to resolve. Thus, I was tempted to follow your recommendation and buy the Enterprise AP instead. Unfortunately, it appears to require POE (i.e., it does not support an adapter). Thus, I would need to hunt down its power requirements and buy an appropriate injector…and I am just about done with research for the evening. :wink:

I’ll get the Balance up and running and later consider which AP to purchase. Until then, I’ll use the three older units I have on hand with the old school config - one hanging on each VLAN.

Thanks again for the advice. :+1:

You will need an 802.3af PoE injector for the AP One Enterprise.
Peplink has its own, part number is ACW-107.
The Pepwave AP One Mini comes with a standard power adapter in the box.

Besides the ACW-107, I have used the Xclaim AF-Xi Gigabit PoE injector a lot.
Never had any problems.


Great, thanks Joey.

I received the Balance One today but ended up mailing it back. I didn’t even open the box. Reason - I ordered it off Amazon before I realized how important the vendor is for support. Turns out the vendor I selected is not an authorized Peplink reseller. Whoops.

I have a new one on the way from 3GStore (via Amazon). It should be here on Sunday, so my fun will be delayed a couple of days. Will give me time to look into PoE injectors. :wink:


One more related question -

Are the actual power requirements for the AP One Enterprise documented anywhere? I understand it needs an 802.3af injector, but the rated power for commercially available 802.3af injectors seems to vary quite a bit.

The AP One Enterprise specs page states max power consumption is 13W, but the recommended PoE injector, the ACW-107, advertises itself as 48V DC at 30W…and the label on the ACW-107 states output is 56V, 0.6A - i.e., 39W. I’m guessing the AP One Enterprise doesn’t draw nearly that much…and I am also sure I don’t want to pay $80 US each for power injectors. :wink:


Hi Steve,

I’m not entirely sure, Peplink doesn’t state this in the AP comparison matrix or in the datasheet either.
It just says 802.3af.

@TK_Liew/@sitloongs, can you tell us what the actual power requirements of the AP One Enterprise are?

Maximum power consumption for the AP One Enterprise is 13W, and the AP One Enterprise is also rated for/complies with 802.3af. So any power output device (power injector, PoE switch or other) that complies with 802.3af should be sufficient to power the device.
Please check AP “power consumption” info here:

ACW-107 is a universal PoE injector that can be used to power up 802.3at and 802.3af devices.


Yep, that’s the same source I located earlier and from which I derived the 13W max power consumption reference in my question. Thanks much for confirming sitloongs. :+1:

