Surf SOHO Firewall Mode in SSID Settings


I am new here and new to Peplink. Looking into router security led me to purchase the Surf SOHO and used Michael Horowitz’s “Surf SOHO Initial Configuration” webpage as a guide to set it up.

There is one option that has me confused and I hope someone can help me out. In the SSID Settings there is a “Firewall Mode” option of Disable, Flexible, and Lockdown. Not sure what this setting is for. It seems to imply that one can disable firewall function to a specific SSID? I am not sure why anyone would want to do that, so I don’t think I understand this setting.

Can someone explain Firewall Mode and recommend a secure setting for this option?


Hi and welcome to the forum!
Can’t say I’m immediately sure of where you’re seeing that option and I don’t have a Soho to hand, could you screen shot that page and paste it here please?

1 Like

Bottom of the SSID config page. Haven’t used it myself yet. Seems like it was added recently.

@sitloongs will know…

1 Like

Thanks! You guys sure are quick and this forum seems pretty active. Hopefully someone will have a good explanation of this parameter.

Hello and Good Day

I have the Surf soho MK3 firmware is latest, and don’t see the same as screen shot above.

1 Like

Dear all, this is the screenshot.

It is a firewall for wireless client. Below is the explanation:

Disable - Firewall disabled. This is the default setting.
Flexible - Allow all except… - Block specific wireless client. The rest is allowed.
Lockdown - Block all except… - Allow specific wireless client. The rest is blocked.

1 Like

Hi @TK_Liew to confirm is this a firewall to control specific wireless devices from getting access to the VLAN the SSID is assigned to?

if so you would combine this with additional internal firewall rules (as normal) to control inter vlan traffic still right?

1 Like

Thanks @TK_Liew and @MartinLangmaid.

Please bear with me as I am a novice at this.

If I understand correctly all clients connected to a specific SSID can limited to [or blocked from] using certain ports, IP addresses, MAC addresses, or domain names.

So an application for this could be limiting clients in a specific SSID to use only LAN resources and deny internet access?

@MartinLangmaid, below is the functionality of the firewall at Advanced > Access Rules:

Outbound firewall = LAN/VLAN —Allow/Block—> WAN
Inbound firewall = WAN —Allow/Block—> LAN/VLAN
Internal firewall = LAN/VLAN/SpeedFusion networks —Allow/Block—> LAN/VLAN/SpeedFusion networks
Local Service Firewall = WAN —Allow/Block—> Peplink/Pepwave Device

For the functionality of the firewall in SSID, it restricts the wireless client who connects to the SSID with port, IP Network, MAC Address, and domain name. For example, if you restrict TCP 8888, any connection with TCP 8888 from the wireless client will be blocked.


I went to kick the tires on this new feature and found a bug.
Firmware 8.0.2 Build 3612 on a Surf SOHO HW2

The WiFi is disabled but one SSID is defined.
I edit that SSID and set the Firewall settings to Allow all except.
I create a couple rules and Apply Changes.
The rules are gone. The firewall mode is back to being disabled.

No doubt this has something to do with the WiFi being disabled system wide. Still, the Apply Changes button did not apply the changes. The Event Log says that changes were applied.

I know, who does this? I was just testing.

1 Like


Suspected that this is a firmware bug. Let me confirm this and get back to you shortly.

1 Like

Could the SSID firewall be used to prevent any device connected to that SSID from sending/receiving any WAN traffic? I have an IoT device with a rotating MAC address that I want to block from accessing the Internet (or being accessed from the Internet). See: Surf SOHO Firewall Question - Block WAN for Specific SSID
@TK_Liew @MartinLangmaid @Michael234 @sitloongs


Looks like you may have asked the same question on two threads. @MartinLangmaid gave you a great answer via the other one. Will those solutions not work for you? What you want to do is very reasonable and many of us do it frequently.

1 Like


Confirmed is a firmware bug. This will be fix for coming firmware version 8.1.0.

1 Like

OK, thanks.

1 Like


@MartinLangmaid have give a good suggestion here:

1 Like

(Sorry if cross-posting was discouraged.) I’m trying to understand how the Firewall Settings on the SSID screen work. If I selected “Lockdown - Block all except…” and then created a rule and selected “IP Network” and put in the IP address and mask of my local network, would that prevent any device connecting to the SSID in question from:

  1. sending traffic to to any IP address except an IP address in my local network,
  2. receiving traffic from any IP address except an IP address in my local network,
  3. both, or
  4. neither?

This is what I am looking at: