Router Security: Pepwave Surf SOHO Router
In 2013, I couldn't take the security flaws in router firmware any more and went looking for a low end business class router hoping to find professionally done firmware without paying a huge price.
The first company I considered was Peplink. I had run across them in 2011 while looking for a multi-WAN router. That seems to be their specialty. At the time (2011) I bought their cheapest multi-WAN router (a Balance 20 for $300 without WiFi) and it had performed great for those couple years.
By 2013, the Balance 20 was no longer the cheapest Peplink router; the company had introduced the Pepwave Surf SOHO, which offered WiFi at roughly half the price of a Balance 20 but could only talk to one ISP at a time. I gambled on it in 2013, liked the security, and have used it ever since.
I do not recommend the Surf SOHO for its speed, features or price. Rather, for professionally written, reasonably secure firmware without the slew of security problems that affect consumer routers. In terms of speed and sexy features, it's nothing to write home about (see the Downsides section below).
I recommend Peplink, even though they do not focus on security. In fact, for a long time their Wi-Fi routers did not even offer stand-alone WPA2. The most secure option was a combination WPA/WPA2. You could not restrict access to just WPA2. While this has now changed, it shows that their focus is not on security. But, it doesn't have to be. That's how bad consumer routers are.
Peplink is not a big name in routers. At a conference in the summer of 2015, I asked someone who had just given a presentation about routers what he thought of Peplink - and he had never heard of the company. This is a security feature in and of itself. Since Peplink routers are not used by millions of people, bad guys are probably not focused on finding their flaws.
A business oriented router includes a different set of features than consumer models.
For example, the Surf SOHO is capable of site to site VPN connections, something few consumers understand. It does this with PepVPN, which only connects to other Peplink devices (better security). I have used this to enable file sharing for a company with employees in different locations, and to make file backups easier. Files can be copied from one location to another exactly the same way they are copied from one folder to another. The site-to-site VPN does not have to run 24x7 and it can be configured such that only one end can initiate the connection. Thus, if you use it for connecting to your parents to back up their files, you can ensure that only your Peplink router initiates the connection, never theirs.
As a business class device, the Surf SOHO does not support WPS, which is great for security. WPS was the feature that turned me away from consumer routers in the first place.
Peplink actively maintains the firmware in their routers. Unlike consumer routers, they do not walk away from their older routers, thus requiring customers to buy a new router to get bug fixes. And, unlike higher end UTMs, there is no yearly fee to use their software/firmware. At one point, I had to pay to upgrade the Balance 20 router mentioned above from firmware version 5 to version 6, but I believe that policy has since changed. And, Peplink at the time was still supporting version 5 of their firmware with bug fixes; I wanted a feature that was only offered in version 6.
When you buy a consumer router, you are buying the hardware. Router manufacturers aim to get the software (that is, firmware) as cheaply as possible. When you buy a Peplink router, you are buying the software. That's what they stake their claim on, it's what they build their reputation on. They are not unique; this is common in business class routers. Peplink just happens to offer this in the Surf SOHO at a remarkably low price.
Also, the user interface on some business class routers is meant for networking experts, and anyone else would have a hard time dealing with it. Ubiquiti is a great example of this. This is not true with Peplink/Pepwave; their user interface is just as easy for a non-techie to deal with as that on a consumer router.
On the security side, the Peplink firmware does a great job of locking down both local and remote administration as described on the Security Checklist page. Also, you can change the userid for administering the router. Many (most?) routers only let you change the password, not the userid.
And, Peplink has a GREAT feature: multiple firmwares. The router maintains two copies of the firmware, which takes almost all the risk out of both making configuration changes and upgrading the firmware. If something goes wrong, you can reboot the router to fall back to the way things were before the change. This feature alone is enough to recommend their product line.
The Peplink firmware is also very good at monitoring the network. Perhaps most importantly it has a detailed display of the currently connected devices. You can assign friendly names to devices (i.e. Harveys iPad) to make it easier to identify them. For wireless devices the router shows the signal strength of the connection, a rare feature. You can drill down on any particular device and see all of its connections to the Internet. I have used this feature to verify that a VPN is doing what it is supposed to be doing, funneling all data to a single VPN server. If the Internet feels slow, the router displays the current bandwidth used by each device and also has many history reports of bandwidth per device.
Peplink offers unusually good technical support at the support forums on their website. The forums are populated by people that understand the technology and intelligently respond to questions. This thread is an excellent example. The company had originally marketed their Balance One router as supporting Gigabit speeds, but when a customer inquired, they found Windows machines in their lab were getting 900Mbps and recent Mac OS X machines were only getting 700Mbps speeds. They came clean about this, admitted they were puzzled at first, and now sell the Balance One router as supporting 600Mbps speeds. I find the honesty extremely refreshing and it really makes me trust the company.
It is very easy to report a bug to Peplink (website home page -> Support -> Contact us) and they respond quickly to it - and the response is intelligent. And, your router does not have to be under warranty to report a bug.
Peplink supports VLANs. As a rule, all the devices in your home share one network, referred to as a LAN or Local Area Network. The problem with this is that a device in your home may be malicious and try to corrupt other devices. Also, not every device in your home needs to share files or printers with all the other devices. VLANs let you logically separate the devices in your home into different groups. When I first tried to set up a VLAN in 2015, I found the documentation useless. That said, I asked for help in their online Forum and eventually was able to create a VLAN-isolated Wi-Fi network with their help. Thus, my Surf SOHO had one Wi-Fi network on the main LAN where devices can share printers and files and another Wi-Fi network where devices were isolated.
Originally, Peplink only supported VLANs for Wi-Fi networks but you can now also assign the Ethernet LAN ports to VLANs. That is, you can assign each LAN port to a different VLAN (screen shot is from firmware 6.3.2), or you can group LAN ports into VLANs.
The Surf SOHO versions 1 and 2 run fairly cool, I would not even call it warm. I have no experience yet with the latest edition, hardware version 3, the one that was introduced in November 2016.
It can function as a VPN server using either PPTP or L2TP/IPsec (Advanced -> Remote User Access).
Privacy: A number of new routers require you to have an account with the hardware manufacturer. Peplink does not. Some routers can not be configured offline, Peplink routers can. Some routers phone home with assorted data to the hardware manufacturer. Peplink does not, as long as their InControl system is disabled.
The Surf SOHO can create isolated wireless networks, much like Guest networks, where devices can get to the Internet and nothing else. Much more on this below in the section on Guest Networks.
It supports both UPnP and NAT-PMP but each is disabled by default, which is the secure default. This illustrates how the Surf SOHO is a business class router vs. a consumer router. Consumer routers typically ship with UPnP enabled because it's cheaper - it avoids tech support calls. But, it is not as safe for the Internet at large. A huge reason that IoT is a security disaster is that UPnP is enabled by default. Google's second generation routers, Google Wifi, have UPnP enabled by default - they are marketed at consumers. Ditto for the Ubiquiti AmpliFi mesh router system.
The Surf SOHO offers full control over DNS, yet another indication of its being a professional device rather than a toy. Typically, devices on a network are assigned DNS servers by the router. But, any computing device can be configured to use whatever DNS servers it wants. If, for example, parents configure their router to use DNS servers that block porn, the kids can change their computers to use other DNS servers that don't block anything. However, the kids' computers still go through the router and the Surf SOHO sees their DNS requests and can, optionally, re-route them to the DNS servers the router is configured to use. This forces kids to hack into the neighbor's Wi-Fi network :-) I have seen my Roku box make DNS requests using Google's DNS server (126.96.36.199). Don't know why it does that, but with the Surf SOHO, I can force the Roku box to use my preferred DNS servers.
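A quick way to confirm from any client behind the router that this DNS re-routing is actually switched on (an added example, not from the original page or from Peplink): send a DNS query to an address where no resolver can exist and see whether an answer comes back anyway. It assumes the router redirects transparently, so that the reply appears to come from the address that was queried; `CANARY_RESOLVER` and all function names are this example's own.

```python
"""Detect transparent DNS redirection by querying a resolver that cannot exist."""
import secrets
import socket
import struct

# 192.0.2.0/24 is reserved for documentation (RFC 5737) and is not routed on
# the Internet, so a DNS answer "from" this address (chosen for this example)
# can only have been produced by a device on the path that intercepts DNS.
CANARY_RESOLVER = "192.0.2.53"


def build_query(name, query_id):
    """Encode a minimal DNS query for an A record with recursion desired."""
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not raw or len(raw) > 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # A, IN


def parse_header(packet):
    """Return (id, is_response, rcode, answer_count), or None if truncated."""
    if len(packet) < 12:
        return None
    query_id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return query_id, bool(flags & 0x8000), flags & 0x000F, ancount


def udp_exchange(server, payload, timeout=3.0):
    """Send one datagram to server:53 and return the reply, or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            # connect() makes the kernel discard replies from other addresses.
            sock.connect((server, 53))
            sock.send(payload)
            return sock.recv(512)
        except OSError:  # timeout, ICMP unreachable, no route
            return None


def dns_is_redirected(name="example.com", exchange=udp_exchange):
    """True if a well-formed DNS response came back for the canary address."""
    query_id = secrets.randbelow(0x10000)
    reply = exchange(CANARY_RESOLVER, build_query(name, query_id))
    if reply is None:
        return False
    header = parse_header(reply)
    if header is None:
        return False
    reply_id, is_response, _rcode, _answers = header
    # The ID must match our query and the QR bit must mark it as a response;
    # anything else is noise, not an answer to what we asked.
    return is_response and reply_id == query_id


if __name__ == "__main__":
    if dns_is_redirected():
        print("DNS to an arbitrary server was answered: redirection is active")
    else:
        print("No answer from the canary address: DNS is not being redirected")
```

A `False` result also covers a router that blocks outside DNS instead of redirecting it, so it means "not redirected", not "unrestricted".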
Finally, Peplink makes it very easy to report bugs, which is a huge contrast from consumer router companies. You simply go to the support section of their website and the link is not hard to find. All you need is an email address and the serial number of your Peplink router. From personal experience, I can say that they do respond to bug reports.
The Surf SOHO does a good job of showing you what's going on.
This starts with the list of attached devices all shown on one screen making it easy to spot anything out of the ordinary. The router lets you assign friendly names (i.e. Susans iPad, Joes laptop) to the attached devices. It shows which SSIDs wireless devices are connected to and the signal strength from the point of view of the router. You also see the current upload and download bandwidth used by each device. It's a lot of useful information in one place.
If one device sparks interest, you can drill down to see all the Internet connections it currently has, although this is not as easy as it could be. One use of this feature is to ensure that a VPN connected device is, in fact, communicating only with the VPN server. Another use is to check that a mobile device doing online banking has an encrypted connection to the bank. Or, you can use it to check if a Smart TV is phoning home and reporting on your viewing habits.
The Surf SOHO also does a great job reporting on bandwidth usage. It has a daily bandwidth summary that shows total Upload and Download Megabytes. From the daily summary, you can drill down to an hourly summary. From the hourly summary, you can drill down to each specific device within that hour.
It supports a feature Peplink calls "WiFi as WAN" that lets the router use a WiFi network as input. At first, I thought nothing of the feature. Then, one day, my ISP went down for the good part of a day. What to do? In the old days I would connect a single important laptop to a smartphone WiFi hotspot, but now I had more devices that needed to be online. And, some of them were Ethernet connected to the router. So, I fed the Surf SOHO the WiFi hotspot from a smartphone and it worked great. When the phone had to leave the premises, I fed the router from a different smartphone. This allowed many devices to share the smartphone hotspot and none of them had to change in any way at all. They talked to the router before, during and after the ISP outage in exactly the same way (be it Ethernet or WiFi). Interestingly, the "WiFi as WAN" feature causes the router to use WiFi for both input and output concurrently.
Of course a smartphone gets its Internet access from a 3G/4G/LTE network as do assorted MiFi type devices. Likewise, the Surf SOHO can use 3G/4G/LTE for Internet access, without a smartphone. Peplink supports many cellular antennas that can be plugged into the USB port of the router. In addition, you may be able to plug an Android phone into the USB port of the Surf SOHO for wired tethering. The Android phone has to support this, something that can be tested using a computer before trying it on the router. Wired tethering should be faster than feeding the router Wi-Fi from a smartphone, but I have not tried this. And, I think this is only possible with Android, iPhones would have to feed the router with Wi-Fi.
The Surf SOHO lets you define the three inputs in priority order. For example, it can be configured to use a wired ISP normally, and, should that fail, to fall back to a Wi-Fi network for Internet access and, if that's not available, fall back to a 3G/4G/LTE network. What the Surf SOHO does not do is use two different Internet sources at the same time (a feature called multi-WAN). Most Peplink routers support this, but they cost more than the Surf SOHO.
The WiFi as WAN feature would also let you travel with the Surf SOHO (it's not all that big). This feature could be used to connect the Surf SOHO to Wi-Fi offered by a hotel. All your devices, both Ethernet and Wi-Fi, would be much safer connecting to the Surf SOHO rather than directly to the hotel network.
In August 2016, I blogged about an experience using Wi-Fi as input to the Surf SOHO.
No product is perfect and the Surf SOHO has its downsides.
The most obvious downside was that it did not support concurrent dual band. This is supposed to change with the revised third edition of the router due to go on sale around Thanksgiving 2016. The first two editions of the Surf SOHO, which were sold up until July 2016, supported both the 2.4GHz and 5GHz frequency bands, but could only use one at a time. And, they did not support the latest AC flavor of Wi-Fi, each maxed out at Wi-Fi N. The new third edition will support AC Wi-Fi.
The Surf SOHO can create no more than three wireless networks. This is better than some routers, worse than others. I find it sufficient as it lets me have a private WiFi network for trusted devices, a guest WiFi network and a dedicated, isolated WiFi network for IoT devices.
When it comes to VPNs on routers, everyone is focused on the router providing a VPN server and the Surf SOHO provides a couple. My focus, however, is on a router that provides a VPN client and the Surf SOHO does not offer this. The Resources page has links to many routers that can function as either a TOR or VPN client.
Rate limiting is limited. The Surf SOHO has a single knob (so to speak) for limiting bandwidth usage. You can set a maximum download and a maximum upload speed, but it applies to every device on the network. Higher end Peplink routers let you put network devices into one of three groups: Manager, Staff, and Guest with bandwidth limits applied to the Staff and Guest groups.
The Surf SOHO does not log blocked incoming connection attempts. On routers that do, I find this very interesting data to peruse, but that's me.
There is no Wi-Fi on/off button on the Surf SOHO.
Peplink devices, the Surf SOHO included, do not offer file or printer sharing based on the USB port. The routers have a USB port, but it is used for a 3G/4G/LTE antenna to provide Internet access. I consider this a plus because this type of file sharing has been associated with a number of security bugs. Some may consider it a minus.
The Peplink documentation is poor. While it is extensive, in terms of the number of pages, it is amazingly devoid of information. The company does try - they update their documentation regularly and they keep it in sync with changes to their firmware. This is more than many other router vendors do. But, to me, it's 300 pages of "Enter your name in the Name field" repeated over and over and over. Lots of words, very little information. Specifically, it lacks background information and an explanation of concepts. It is documentation for experts. Not that consumer routers are any better.
Like many routers, those from Peplink can back up the current settings to a file that you download. A really nice thing that Peplink does is to always remind you to make a backup of the current router settings before it installs new firmware. See screenshot. All routers should do this.
A check for new firmware from the router web admin site often fails to find updates that have been released months earlier. At the end of March 2016, firmware 6.2.2 failed to find either the newer 6.3 version or the even newer 6.3.1 edition which was, at the time, a month old. That said, things may be looking up, in July 2016 firmware 6.3.1 did detect that 6.3.2 was available.
I have yet to see a router vendor that documents their firmware upgrade procedure, so here is what to expect. As with other routers the firmware can be updated automatically or manually. I suggest the manual procedure because it provides much more feedback during the process. Here are screenshots of manually upgrading the firmware from 6.2 to 6.3. The first phase validates the just downloaded (or just-uploaded if doing this manually) firmware. The second phase is the actual installation which, you are warned, takes about 6 minutes. In the third phase the router re-boots into the new firmware. In my experience the router display may hang here forever or it may revert to the logon screen. An online update from 6.3.1 to 6.3.2 in Aug. 2016, hung after saying it was installing the new firmware. The upgrade ran fine, it just told me nothing.
Another important aspect of router firmware is how you are notified about updates. Peplink emails you when there is a major update - here is an example from December 2015, announcing version 6.3. Sadly, they do not announce minor updates that are often bug fix releases. Thus, the burden of learning about firmware updates is mostly on your shoulders.
A small number of routers can self-update without human involvement and some may prefer, or even need, such a router. It reminds me too much of Windows 10 updates, an accident waiting to happen - especially if the router does not support multiple firmwares.
While maintaining two copies of the firmware is a great feature, you can not download a newer firmware to use later. Whenever new firmware is downloaded (or uploaded if doing it manually), the router automatically reboots and uses it. That said, the only real downside is the router reboot, because you can always reboot it back into the firmware you were using just before the last update.
Firmware 6.3, released in December 2015, adds a Wake On LAN feature. Great for working on grandma's computer while she is sleeping. If you have given devices on your LAN friendly names, the router, thankfully, displays these friendly names so you don't need to keep track of MAC addresses.
This is a good news bad news story. The good news is that, if configured correctly, the Surf SOHO offers the best possible security for a Guest Wi-Fi network. The bad news is: getting to that point is hard. Or, rather, it was hard for me, but following the steps below should make it easy for you.
By the "best possible security" I mean that guest users can see the Internet and nothing else. That is, devices on the Guest network are totally isolated from all other devices connected to the router. If an IoT device is hacked, buggy or malicious, it can not infect or spy on anything else, it can't even detect that other devices are connected to the same router. Specifically:
The Surf SOHO does not offer an explicit option for Guest networks. The documentation on this issue is disgraceful. Even 3GStore, a retailer of Peplink devices, put out a note for their customers about creating Guest networks on the Surf SOHO that was wrong.
To isolate wireless devices from the main LAN requires a VLAN (Virtual LAN). VLANs allow you to group devices attached to the router. Normally, the reason to create a VLAN is to create isolated groups of devices. However, that is not the only usage, so Peplink has a checkbox for each VLAN/group to control whether it is isolated or not.
The basic approach, in firmware 6.3, is to first create a VLAN (that is, give it a name and a number), then assign an SSID to it. This puts all the wireless devices connected to that SSID into that VLAN/group.
VLANs are an advanced topic and support for VLANs is disabled by default. To enable VLANs in firmware 6.2, do Network -> LAN -> Basic Settings. In the "IP Settings" section at the top of the page, click on the question mark in the blue circle. In the window that pops up, click on the word "here". Confirm that you want to switch over to Advanced mode. Also on this page, since we want to isolate the VLAN, be sure to disable Inter-VLAN routing.
After VLAN support has been enabled, the router will display a new gray button labeled "New LAN". It really should say "New VLAN". To actually create a VLAN, click on this button. Next, you assign both a name and a number to the VLAN. The name can be anything that makes sense to you. Something like "Guest-vlan" is a good place to start. Again, to isolate the VLAN, do not enable Inter-VLAN routing.
Next, to assign an SSID to this VLAN, do AP -> Wireless SSID. Click on the name of a network. The process of assigning it to a VLAN, at this point, is simple, there is a drop-down list of the available VLANs. At this point, the SSID is isolated from the main LAN and from other SSIDs and has its own subnet.
The option that prevents devices on the same SSID from seeing each other is called "Layer 2 isolation". In Firmware 6.3, do AP -> Wireless SSID -> click on the SSID name -> turn on the checkbox for "Layer 2 Isolation".
Finally, you can control which Wi-Fi networks can logon to the router. To see this option in firmware 6.3, do System -> Admin Security -> Allowed LAN Networks. By default, every SSID can logon to the router but this is easily changed to limit local access to a single SSID/VLAN. Interestingly, this setting even blocks Peplink's own Android app from talking to the router if it connects to an SSID that is not allowed in.
Devices not assigned to a VLAN will be in a default group called "Untagged LAN" (data packets in a VLAN are sometimes referred to as "tagged"). To ensure these devices can't see any device in a VLAN, do Network -> Network Settings. Click on the "Untagged LAN" network and make sure that Inter-VLAN routing is not enabled.
At this point, you have a single, totally isolated, guest SSID.
The Surf SOHO allows for more than one isolated SSID. Simply create another VLAN for the second network. The Surf SOHO can create a maximum of three SSIDs. One approach is to use one isolated SSID as a Guest network and to use another for IoT devices that don't need to access shared resources such as files, a network printer or a NAS device. IoT devices in this category might be a Roku box, an Apple TV or an Internet radio. In this case, the subnets might be:
-- 192.168.68.x for the shared network (Ethernet devices and the non-isolated SSID)
-- 10.1.1.x for the IoT isolated SSID
-- 10.2.2.x for the Guest isolated SSID
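Once the VLANs, Layer 2 isolation and Allowed LAN Networks are set as described above, the result can be checked from a device joined to one of the isolated SSIDs. The script below is an added example, not from the original page or from Peplink: it uses the three example subnets listed above, while the /24 prefix lengths, every host address and port in `TARGETS`, and the assumption that only the shared network is allowed to log on to the router are placeholders to replace with your own.

```python
"""Check from a client that the guest/IoT isolation described above holds."""
import ipaddress
import socket

# Subnets from the text; the /24 prefix lengths are an assumption.
NETWORKS = {
    "shared": ipaddress.ip_network("192.168.68.0/24"),
    "iot": ipaddress.ip_network("10.1.1.0/24"),
    "guest": ipaddress.ip_network("10.2.2.0/24"),
}
# Segments whose SSID has Layer 2 isolation turned on.
ISOLATED = {"iot", "guest"}

# Hypothetical targets: (address, TCP port, kind, description). Use devices
# you own and a port each one really listens on.
TARGETS = [
    ("10.2.2.1", 443, "admin", "router admin page via the guest gateway"),
    ("192.168.68.20", 445, "host", "NAS on the shared LAN"),
    ("10.1.1.30", 80, "host", "IoT device"),
    ("10.2.2.40", 80, "host", "second guest device"),
]


def segment_of(address):
    """Name of the configured network that contains address, or None."""
    ip = ipaddress.ip_address(address)
    for name, network in NETWORKS.items():
        if ip in network:
            return name
    return None


def tcp_probe(address, port, timeout=2.0):
    """Classify one TCP connection attempt as open, refused or unreachable."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # Something answered: the target itself (packets crossed the
        # boundary) or a device that rejects instead of silently dropping.
        return "refused"
    except OSError:  # timeout, no route, host unreachable
        return "unreachable"


def audit(my_address, targets=TARGETS, probe=tcp_probe):
    """Return (description, address, port, result) for every unexpected answer."""
    mine = segment_of(my_address)
    if mine is None:
        raise ValueError(f"{my_address} is not in any configured network")
    findings = []
    for address, port, kind, description in targets:
        result = probe(address, port)
        if kind == "admin":
            # Allowed LAN Networks: an isolated SSID must not get the login
            # page. The gateway itself may still answer, so only "open" counts.
            bad = mine in ISOLATED and result == "open"
        else:
            # Inter-VLAN routing is off everywhere, so other segments must be
            # silent; Layer 2 isolation also hides peers on my own SSID.
            blocked = segment_of(address) != mine or mine in ISOLATED
            bad = blocked and result != "unreachable"
        if bad:
            findings.append((description, address, port, result))
    return findings


def local_address():
    """Best-effort local IPv4 address; connect() on a UDP socket sends nothing."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.connect(("192.0.2.1", 9))
        return sock.getsockname()[0]


if __name__ == "__main__":
    try:
        me = local_address()
        results = audit(me)
    except (OSError, ValueError) as exc:
        raise SystemExit(f"cannot run the check: {exc}")
    print(f"checked from {me} ({segment_of(me)})")
    for description, address, port, result in results:
        print(f"  NOT ISOLATED: {description} at {address}:{port} is {result}")
    if not results:
        print("  no target answered; isolation holds for these targets")
```

Confirm first, from the shared LAN, that each target really answers on its port; a target that is switched off or firewalled looks "isolated" from everywhere.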
The Surf SOHO has external, detachable antennas. The connectors are standard so you can replace the antennas. Or, for even better Wi-Fi you can add an AP to any router. Peplink has their own line of Access Points starting at $130, but they don't have any documentation about using their Access Points with the Surf SOHO.
Originally, the Surf SOHO could not schedule anything. When the ability to schedule things was first introduced in firmware 6.3 (December 2015), the number of things that could be scheduled was limited. As of firmware 6.3.2 (July 2016) the Wi-Fi can be scheduled, but individual SSIDs can not. The scheduling of individual SSIDs is in the works and is tentatively planned for firmware 6.4. Being able to schedule network(s) to turn themselves off at times when no one will be using them is a nice security feature.
The Ethernet ports on the Surf SOHO have orange and green LEDs which can be very helpful in debugging a connection problem. If something isn't working, the first thing to check is whether, at the Ethernet level, the two devices are talking to each other. The LEDs also indicate the speed the Ethernet port is running at. Fewer and fewer routers seem to offer this. And, the Ethernet ports are metal, not plastic. I also like that the Ethernet ports are dedicated to WAN and LAN use. Many of the latest consumer mesh Wi-Fi router systems have Ethernet ports that determine for themselves whether they are on the LAN or WAN side of things. I don't know how that works, but it strikes me as an accident waiting to happen.
Speaking of the new consumer mesh router systems, many support Bluetooth, which opens a whole new can of worms when it comes to security. Those that I looked into, fail to document exactly what Bluetooth is used for. The Surf SOHO does not do Bluetooth.
Like all router vendors, Peplink also offers a smartphone app and a cloud service. The smartphone app is relatively new and not nearly as full-featured as the web interface. Their cloud service, InControl2, has a nifty feature: remote access to the web interface. If you are willing to use a cloud service (I am hesitant) this means you no longer need to deal with Dynamic DNS for access to a router whose IP address may change at any time.
NOTE: The Pepwave Surf SOHO is not the same as the Pepwave Surf On-The-Go (SOTG). They are quite different. The Surf On-The-Go is a small travel router with a single Ethernet port. It's also much cheaper. I own the Surf On-The-Go and would not recommend it. I have traveled with it and it worked just fine. But the software/firmware it runs is very different from the mainline Peplink software. Different, and to me at least, worse.
Another benefit of Peplink routers is debugging. There are two features that aid the company in solving a problem. The first is a Diagnostic Report that you can generate. The router will download a small diagnostic file (about 200K) that you can attach to a problem ticket when requesting technical support. What a great system. If Peplink needs to look at your router to debug a problem, you don't need to give them a password, the router has a built in Remote Assistance feature. Needless to say, it is off by default.
I once upgraded an old Surf SOHO (hardware version 1) with a new one (hardware version 2). I backed up the configuration settings from the old one to a file (many routers do this) and imported the file to the new router. It worked fine. Both routers were running the same firmware version.
The supported DDNS providers are: dyndns.org, changeip.com, no-ip.org, tzo.com and DNS-O-MATIC. There is also an option for other providers using a custom URL, but others must support the DYN API. I tried to use dynu.com and it failed.
Back in 2014, a hacker found a flaw in Peplink software. It became news in November 2016 when the details were presented at a security conference. According to Lucian Constantin of PC World, the hacker "was impressed with how Peplink responded to his report and how the company handled the vulnerability." That's what you want in a router vendor. A Motherboard article by Andrada Fiscutean said basically the same thing:
The hacker notified Peplink. He was amazed by how fast they replied to his email, and how dedicated they were to patching the flaw. "[We] worked directly with Amihai so that we could release a fix as quickly as possible," Eric Wong, evangelist at Peplink, said. The patch was soon available. Their commitment to security made the hacker trust them. At home, Neiderman is using a Peplink router, the one the company gave him as a thank you for notifying them.
And, the flaw was only exploitable because the Peplink routers were miserably deployed. Whoever was in charge, made at least three security mistakes configuring the routers.
Some other companies that produce professional grade firmware are Ubiquiti and pfSense. I say this based on what I have read, I have no personal experience using routers from these companies. A few years back, I would have also included Ruckus Wireless, but I think they are now limited to producing access points. They used to produce routers too. So far, I have been happy with Peplink and thus have not needed to experiment with other vendors.
The Surf SOHO is a bottom of the line Peplink product. Perhaps that's why it's sold under the Pepwave name. Peplink has an online store on their website but they only sell their more expensive routers. The cheaper stuff is sold by a small number of Peplink partners. Of these partners, the only one I have used is 3G store.
In 2013, when I purchased my first Surf SOHO, it was hardware version 1. The Ethernet ports were Fast Ethernet (100Mbps) and it cost $130 without external antennas (the Surf SOHO has an internal 1dBi omnidirectional Wi-Fi antenna).
In hardware version 2, the Ethernet ports were upgraded to Gigabit Ethernet (see technical specs). For a while it was available for $159 without external antennas, but that didn't last. By and large it was $179 with external antennas. I speed tested a version 2 model. A computer directly connected to a cable modem got the exact same speed when Ethernet connected to the router, about 112Mbps.
As of early July 2016, hardware version 2 had been discontinued and was no longer available. Hardware version 3 (identified as MK3) will upgrade the Wi-Fi from N to AC and the number of antennas from 2 to 3. It will also, finally, be concurrent dual-band. The maximum Internet speed will also be increased, up to 120Mbps, though as noted above, I have personally seen version 2 run at 112Mbps. Also new, a Kensington lock security slot. Pricing is expected to remain the same, roughly $180. See it at Amazon.
WHEN: Initially the new v3 Surf SOHO router was to have been available at the end of September 2016. As of early Oct. 2016, it was expected at either the end of October or early November 2016. As of November 7th it was expected at the end of November. In the US, it did become available sometime in late November 2016.
On Nov. 22, 2016, Peplink reseller 3Gstore wrote that "The New Pepwave Surf SOHO MK3 Has Arrived!"
An unboxing video of the new model is available from RV Mobile Internet.
As of late December 2016, however, it was both out of stock at Amazon and not yet available in Europe. I am told they should become available in Europe in January 2017. As of early January 2017, it is still out of stock at Amazon and 3G store and FrontierUS.
January 12, 2017: It is in stock at 3G Store.
If you need more horsepower than the Surf SOHO offers, the most logical upgrades in the Peplink line are the Balance One (roughly $500 with Wi-Fi built-in) and the Balance One Core (roughly $400 without Wi-Fi).
One reason to upgrade would be speed. The Surf SOHO maxes out at 100Mbps (soon to be 120Mbps), the two Balance One models support speeds up to 600Mbps (even higher for Windows machines). Another important feature is dual WAN. Both Balance One models support two concurrent Ethernet connections to two different ISPs. The Surf SOHO can only talk to one ISP at a time. This is a big deal, both in terms of speed and reliability. If one ISP fails, the router chugs along happily without it. When that ISP's connection is back up, the router gladly uses it again. From years of personal experience, I can attest that Peplink routers are great at handling multiple concurrent Ethernet WAN connections.
Both Balance One models come with 8 LAN ports which can be a big advantage to anyone interested in segregating LAN ports into VLANs - a really nifty security option.
The big difference between the Balance One models is Wi-Fi. The cheaper "core" model does not do Wi-Fi. However, the Wi-Fi on the more expensive model is limited. While it does support simultaneous dual-band, it does not support the latest AC flavor of Wi-Fi. It also does not support external antennas, which the Surf SOHO does. And, it is currently (Jan 2016) limited to creating the same three SSIDs as the Surf SOHO (although in response to a Forum question on this, Peplink said that they are planning on upping this to 16 SSIDs). And, perhaps the biggest limitation is that it does not support Wi-Fi as WAN, the ability to use a Wi-Fi connection as input rather than output. I have used this with a Surf SOHO, when the main ISP suffered a day-long outage. I turned on the hotspot feature in a smartphone and used the Wi-Fi coming out of the smartphone as input to the Surf SOHO. Worked like a charm.
Like the Surf SOHO, both Balance One models can use a USB based antenna, talking to a 3G/4G/LTE network. If you don't have a mobile device with a USB interface, smartphones running Android v4.x and later can be tethered to the USB port to provide LTE Internet access. Peplink touts this for failover on the Balance Ones but that is selling themselves short. The 3G/4G/LTE connection can also be used concurrently with a wired WAN connection, load balanced together. Peplink offers 7 different algorithms for load balancing multiple Internet connections.
Both Balance One models can be used as a controller for multiple Peplink Access Points - they are designed for small business use. For home use, if your house is really big, this can be useful.
I would suggest that anyone needing to step up from a Surf SOHO opt for the Balance One Core and add an access point (or two or three) to it. Peplink APs start at about $130. Then too, an existing Wi-Fi router can also be used to provide Wi-Fi, just plug it into one of the 8 LAN ports (either turn off DHCP in the Wi-Fi router or ensure it's using a different subnet from the Balance One Core). Take this advice with a grain of salt however, I have no hands-on experience with either Balance One model.