Surf Soho EVERYTHING HELP! Going out of my mind! Small business and home networking!


#1

Okay, So I am totally a newbie who got his default comcast netgear router hacked one too many times while doing database work for my company. That being said, I ordered a surf soho, as many people online recommended it. However, coming from knowing simple home routers, to this, leaves me in a world of confusion. Since this product arrived, I have been tinkering with it, reading over the manual, over and over and over again, all to no avail, and feeling as though my knowledge about this router is by no means increasing. With all of the tinkering with settings and different configuration attempts I have been doing on this router, I have managed to really piss my roomates off as our internet connection is never stable with the router constantly rebooting! I am opposed to posting in forums, as usually with enough time and reading, and googling, I can figure things out, however, I need to get on with my life and it’s been a month of messing with this thing all to no avail. I mean, I can’t even for the life of me figure out what the hell PepVPN is, as there is pretty little documentation about it. Is it a “Virtual” connection inside my router? Or is it for the purposes of connecting to another party on the Wan? OMG PLEASE HELP!!! Can someone please give me step by step instructions on how to configure the pepwave surf soho to the specifications that I need to use it for? Below I have described my setup, and how I would ideally like things to work. Any help would be greatly appreciated!

Okay,

First of all, I am connected to my service provider via a netgear c500 modem using just a home account with one IP (not static) from the service provider.

Secondly, I have roomates who I don’t know very well, and who are a bit odd an not the mildest bit computer savy. Recently, I believe I was hacked as many of my passwords got changed and I got locked out of my computer and other accounts. Then i got the surf soho. It is my suspiscion (from looking at all of the logs, ddos attacks, outbound trafic from certain computers, as well as a certain computer from within my network constantly querying my computer) that one of my roomates has a virus on their computer and may be part of a bot net. After telling them my suspicion, they blew me off looking at me like they didn’t care and didnt’ know what I was talking about. So I can’t really do much else without causing a scene.

That being said, the first thing I would like to do is:

  1. Create a different wifi or virtual network with a different name and password that is for the untrusted computer (s). I would want those computers to get full internet access but be quarantined from the internal home network. This wireless network could be called “Infected Wireless” with login password being “Whatever”. I would want a full incoming firewall on all ports of this network (no upnp) so the untrusted devices could do minimal damage, and could be less of a liability in opening up the rest of the internal network for outside devices and predators. Essentially, I would want all other networks and devices to be completely insulated from this network as if it’s a totally separate internet connection from a different home. I would want this network to use our local ISP (and IP address), but force all of the computers using this connection to use Norton DNS in place of our ISP’s DNS servers.

  2. Then, I would like to create a 2nd wifi and/or virtual network for Semi-trusted computers and other peripheral devices, that may or may not have been infected from the infected laptop while on the old router.

Hypothetically, this network would be called “semi-trusted Devices wireless” with login password “semi-trusted”. This network would of service to a few macs, a few smartphones, and an xbox360. Ideally, I would like all of these devices to have internal communication, especially the sonos speakers, as those are controlled by an iPhone connected to the same network. I have been having problems with getting the songs and the iPhone to see each other on the network and can’t for the life of me figure out how to do this, or what ports to forward etc. etc. Also, as for the xbox360, do I need to forward ports for that as well? It doesn’t need to communicate with anything other than the internet. I believe it connects via UDP. I would also want to block anyone on this network from accessing the administrator page on anything to do with admin. I would also want this network to use our local ISP (IP address), but force all devices connected to this to use Norton DNS in place of our ISP’s DNS servers. I would want a full inbound WAN firewall aside from the ports that would be used by the xbox, the Sonos speakers, and the iPhones connecting to them.

  1. Third, I don’t know what the heck pepVPN is or how it functions. It is killing me trying to figure out if it is a vpn service, or just a name for a virtual connection from part of the router, to another part of the router?. Anyway, one of the MAIN reasons I bought this router aside from security, was that it stated that it had the ability to use vpn services. Normally, I use a service such as IP vanish (openVPN) to browse the internet and log into emails securely and safely. However it can be a bit of a drag having the software running on my mac all the time. Therefore, I was hoping there was a way to make the Surf Soho run another separate network with either an open VPN or at the bare minimum an L2TP connection on its own, with the ability to stop all traffic if it accidentally disconnects from the 3rd party VPN servers. Ideally, all computers (clients?) logged into this AP would be automatically connecting to the 3rd party VPN service for secure emails. This would essentially eliminate the need for VPN software to be run on my computers. Is any of this possible? If none of this is possible, would it at least be possible to create a vpn Passthrough (which i still don’t really know what that is), in order to allow all computers using VPN software to work on the surf soho using the 3rd party VPN servers? I would want a full inbound WAN and LAN firewall aside from the ports that would be used by the VPN client.

  2. One more problem is the company I work with uses torrenting for files and has regulations with it that forbid public access such as a private tracker does. So I am trying to use a torrent client with Peer Exchange (PEX), Distributed Hash Table (DHT), and local peer discovery all disabled. So far, it has been very unsuccessful. I have managed to find a way to download a little bit, however, it seems as though I am unable to do any uploading with the surf soho. Could you advise me on a way to let my torrent client pass through the surf soho in order to be able to upload? I am very daunted by my inability to make this happen. Once again, if there could be a separate internal or private virtual network for devices using file sharing that would be great as well. I would want a full inbound firewall aside from the ports that would be used by the torrent client.

  3. Lastly, I would like to make a separate network strictly for the administrator of the device. Once again, this network would be completely insulated from any internal or external network with only the ability to log in as the administrator himself via ethernet or local wifi (if possible) access the surf soho web interface.

  4. Last few concerns:
    a) There are a few quirks that i have noticed that I can’t wrap my head around. First, when I received the surf soho, it came installed with firmware 6.2.1. I then installed 6.2.2, and it went haywire, completely changing user interfaces on me, and adding a lot of unfamiliar options that I have never seen. Once I re-installed firmware 6.2.2, everything seemed back to normal, aside from the fact that firmware 6.2.1 was completely deleted and I can no longer revert to the factory default firmware.It just shows one firmware option (6.2.2) and that is all! Is my device defective? Any ideas whats going on?

b) A problem I can’t figure out is my Surf Soho always pushes google DNS onto every computer using it’s connection. EVEN when i have our ISP’s DNS configured in the WAN as well as every other setting for dns. WHY is this happening? How do I get my surf soho to stop using google DNS and forcing all of its clients to use it? Am I being hacked or my DNS hijacked or something? Funny thing is, when I plug in my old nether router, it goes back to pushing our ISP’s DNS to all of the connected computers like I want it to. It also pushes any other DNS I input to it down to connected computers unlike the surf soho. Why will my regular router do this but not the surf soho? Does this have anything to do with RIP being disabled?

c) My surf soho is connected directly to my modem (Netgear CM500). Would you recommend putting a password on my modem? Or are they unhackable or so limited in function that it doest’ matter?

d) What the heck is layer 2 routing? I can’t find anything on google about it. There is a ton of info about layer 3 insulation, but it almost seems as if layer 2 in non-exhistant and just a pep wave made up term or lingo! Any help on an explanation of this?

e) Does the surf soho support Ipv6? If so, is there a way to disable/enable it when using/not using my 3rd party VPN client?

f) Does the support or lack thereof for ipv6 have anything to do with some of my DNS and other problems listed above and below?

FINALLY,
Things to note about my ideal configuration:

I am not interested in bothering with online admin system control or logging in from my phone (for now) or an external web address. I would like to keep the administrator privileges as local as possible. So if we can configure this all without using

Note 2) I am most interested in security as I do a lot of private database stuff for work (i work from home), and speed (for the home entertainment side of things), as I do a lot of streaming video and gaming. But security comes first, obviously.

In summary,
Is any of this possible? And if not, what is the best I could do to make something close to this setup, and HOW? I literally can’t figure out how this router functions whatsoever. I have no idea of the order in which it operates, and for the life of me, can’t figure any sort of logical hierarchy, in what functions come before or trump other functions. Its very frustrating and has been a drag on my life for an entire month.

If none of this can be done via virtual networks on my router, is there any way to combine all of my needs into one? i.e. blocking the infected computer from talking to any computer on my network but allowing it internet access, allowing the xbox, macs, sonos speakers and iPhones to communicate with each other, allowing or facilitating a vpn service like ipvanish, and also allowing torrent uploads and downloads for certain computers?

Any and all help and advice from some networking aficionados and experts would REALLY REALLY REALLY be appreciated! I am ready to tear my eyeballs out (or just go and buy a crappy home router again and return the surf soho), and have had it up to here ^^^^^^^^^^^^^^^^^^^^^^^^^!!! In any event, it is all very welcomed and appreciated! Thanks again supermuch if you can help me with any of this!


#2

Hello,

To better assist you. If you could open a support ticket with us and leave your number and a link to this forum post, one of our technicians will be able to follow-up with a phone call as this is a lot of information to go over.
Also, you may reach out to the reseller that you bought this from as they have Peplink Certified engineers that can assist as well.

To open a support ticket:
https://contact.peplink.com/secure/create-support-ticket.html


#3

Okay thanks! I have already done so, so hopefully I hear back and can get things squared away. Once I do I will post my settings and how I solved this with the tech on here so others can reference it. But anyone is MORE than welcome to still help me out here! :wink:


#4

I feel your pain. Documentation from Peplink suffers from being written by experts. Thus, much goes unsaid because networkig experts already know it.

PepVPN is a site-to-site product. That is, it makes a VPN connection between two Peplink routers. If you have one Peplink router, ignore it. The Surf SOHO can also act as a VPN server, but you can grow into that later. It is not able to act as a VPN client.

The Surf SOHO can create three WiFi networks. You can isolate your roomates, such that they can get to the Internet but nothing else. Likewise, any malware on their computers will not be able to see any of your computers at all.

In consumers routers, you use a Guest network for this, the Surf SOHO does not offer Guest networks. Higher end Peplink routers do. However, the Surf SOHO can still offer the isolation of a Guest network it just takes a few steps. You need to first create a VLAN (the procedure is strange but documented), then create a new SSID/network, InfectedWireless in your example, and assign that new SSID to the VLAN. This keeps your roommates off the main LAN. Also, the new network should have Layer 2 Isolation enabled. That keeps your roomates from seeing each other even though they all use the same InfectedWireless SSID. Of course, the InfectedWireless network should use the normal WPA2 encryption.


#5

Hello,

As far as I know, it is not possible to assign different DNS servers to different SSIDs. That would be a great question to ask here, as a standalone issue. In your case, make the router use Norton DNS and if you dont want it on your computers, over-ride on each computer.

There is only one firewall for the router, there are not individual firewalls for each SSID

Your semi trusted network/SSID could be on a second VLAN but with Layer 2 isolation disabled. Devices on this SSID can thus see each other but not the main LAN. Not sure if they can get into the router from a vlan (theres that documentation issue again), but its easily tested.

To use IPVanish from a router, rather than a computer, you will need another router. The Surf SOHO can not function as a VPN client, not for any of the popular types of VPN. That said, many routers can do this. Asus can with their stock firmware. Or, you can flash another router with alternate firmware. Or, many VPN providers will sell you a router pre-configured to use with their service. Or, try FlashRouters.com. To me, the worst thing about the Surf SOHO is that it can not function as a VPN client. I too, would use this often. Instead Peplink focuses on VPN server functionality, which I never use.

VPN passthrough works fine on the Surf SOHO. In just means that computers running VPN software will work.

No idea about bit torrent.

There is no need for a separate network strictly for the administrator of the device. Totally isolated devices can not get to the router at all. Then too, you should lock down the router such that only HTTPS is used and also use a non-standard port, such as something between 20,000 and 31,000. That is, the only way into the router should be

https://1.2.3.4:20999

And change the router userid, dont use “admin”. And use a long password, of course.

The UI differences between 6.2.1 and 6.2.2 were trivial. No idea why you saw a drastic change.

Modems are indeed hackable from the LAN side, so yes put a password on it. Or, you can make a firewall rule that blocks access to the modems IP address from the LAN.

To keep the administrator privileges as local as possible, turn off InControl2.

Whew.