Router Security: B One Router Setup
Website by Michael Horowitz
 

This page has out of the box setup instructions for a Peplink B One router. The B One comes in three flavors, these instructions are for the B One model without a cellular data modem. As of April 2025, the B One sold for $300 US. For more about the router, see the page here on the B One.

This page is for someone using a Peplink router for the first time. Anyone upgrading from an older Pepwave Surf SOHO router can, with some difficulty, import the settings from the Surf SOHO to the B One. This is also covered on the B One page.

DRAFT DRAFT DRAFT This page is a work in progress DRAFT DRAFT DRAFT DRAFT

TOPICS BELOW
Starting Out, Gather Basic Information, Initial Hardware Connections, Power Up, First Connection To Router, The Dashboard, Fixing Mistakes, DNS

STARTING OUT

TERMINOLOGY: WAN refers to the Internet, it stands for Wide Area Network. LAN refers to the network of computing devices in your home/office. It means Local Area Network. If, for security reasons, you want to define different groups of the devices in your home/office, each group is a VLAN, or Virtual LAN.

STRATEGY: As I describe on the setting up a new router page, I think it is best to make initial configuration changes to any new router while the new router is off-line (not connected to the Internet). Also, the first few times any new router goes online, it is safer for it to be sitting behind an existing router. To do this, connect an Ethernet cable from the WAN port of the new router to a LAN port of the existing router. Only when you are sure you have all your ducks in a row with a new router should it be placed directly on the Internet (connected to a modem or gateway). I think this is a much safer approach than the standard recommendation of connecting a router to the Internet first and figuring things out later.

The only requirement for configuring the Surf SOHO is a web browser. Any recent browser should be fine. You could use a phone or tablet, but a computer is better, both because typing is easier on a keyboard, as opposed to glass, and because the web interface is designed for a large screen. Any computer should work, even a Chromebook.

NOTE: There are many other ways to communicate with a Peplink router. Like everyone else, Peplink has a mobile app, but the last I looked it was pretty bare bones. They also have a cloud service called InControl 2. When you buy a new Peplink router you get free access to InControl2 for a year, after that, there is a yearly charge. InControl2 makes the most sense for people administering multiple Peplink routers. It is also the only way to migrate settings from an old Pepwave Surf SOHO to a new B One. InControl 2 is completely optional and off by default. In addition, Peplink has their own remote control service that you can enable to let their techies get into your router. This only comes up if you report a problem to Peplink and their tech support asks you to enable it. Many routers support SNMP communication and Peplink does too. SNMP is off by default. Finally, Peplink offers a CLI (Command Line Interface) to their routers which is over my head.

One big difference between Peplink routers and consumer/ISP routers is that a Peplink router is secure out of the box. Whenever there is a choice, Peplink defaults to the secure option. Take UPnP, for example. The vast majority of routers ship with UPnP enabled by default. But, you are more secure with it off and Peplink has it off by default. Another very common router option with poor security is WPS. Peplink does not support WPS at all.

If you want to get a better feel for the B One than words and still pictures can provide, see Peplink B One Unboxing: High-Speed WiFi 6 Router with Dual WANs! by Peplink reseller West Networks on YouTube. More than just an unboxing, the video also shows using the web interface. Rather than the everyday Ethernet connection to the Internet, they first use a Mifi type device plugged into the USB port to get online, then they use Wi-Fi as WAN. You can ignore anything about SFC Protect or Speed Fusion Connect Protect.

GATHER BASIC INFORMATION

The first thing to do is to verify the model number and make note of the serial number and LAN side MAC address. All three should be on the cardboard box the router ships in, and also on a sticker on the bottom of the router. They can also be obtained from the router firmware once it's up and running.

The B One model without a cellular modem is the B-ONE-T-PRM model. Setup instructions for the two B One models with cellular data modems will be similar but with additional configuration needed.

The sticker also says where the router was made (Taiwan in my case) and the hardware generation. As of April 2025, the only hardware generation is HW1. Peplink has a long history of hardware refreshes for their routers.

Serial numbers, in Peplink land, are needed to register the router with the Peplink cloud service, InControl2. Peplink routers can be used without their cloud service and there is no requirement to register your router with InControl 2. This is one of many things I like about the company. The last 4 characters of the serial number are also used as part of the default Wi-Fi network name (SSID) for the network created by the router when first powered on.

Finally, the sticker on the bottom of the router also shows the 8 character "AP Password". This is the password for the Wi-Fi network created by the router when it is first powered on. You may note that, just above this on the sticker, is the LAN MAC. FYI: the last 8 characters of the LAN MAC, if you ignore the dashes, are the default Wi-Fi password. In and of itself, the LAN MAC address is not all that important.
Note: If there is a circle in your AP Password, it is a zero, not the letter O (as in Oscar). If your eyesight is poor, it might also be the letter D (as in Deer).
Note: Any letters in the default Peplink Wi-Fi password should be entered in upper case, which is how they appear on the box and the sticker.

This is also a good time for planning. The router has a default password but you will be immediately forced to change it. Peplink requires that the router password be at least 10 characters long, and contain at least one lower case letter, one upper case letter and one number. Special characters are not required, not sure if they are allowed, but I would avoid them anyway. You can, optionally, also change the userid used to logon to the router, but that's later.

On the Wi-Fi side, you will also be forced to change the default password. WPA passwords can be from 8 to 63 characters long. I have more on this, but, in brief, pick a password that is at least 13 characters long. Here too, I would avoid special characters. You will also be given the chance to change the network name. There is advice here on choosing a network name (SSID). Bad choices here are not fatal, they can easily be changed later. And, the B One can create 16 different Wi-Fi networks, but that's for later.
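For the planning step above, here is an added example (not from the original page or from Peplink) that checks a candidate against the router password rules and the Wi-Fi length limits quoted above, and generates a compliant random password. The function names and the letters-and-digits alphabet are choices made for this example.

```python
import math
import secrets
import string

# Letters and digits only: the page advises avoiding special characters.
ALPHABET = string.ascii_letters + string.digits

def check_router_password(pw):
    """Return the ways pw breaks the router password rules quoted above."""
    problems = []
    if len(pw) < 10:
        problems.append("fewer than 10 characters")
    if not any(c in string.ascii_lowercase for c in pw):
        problems.append("no lower case letter")
    if not any(c in string.ascii_uppercase for c in pw):
        problems.append("no upper case letter")
    if not any(c in string.digits for c in pw):
        problems.append("no number")
    return problems

def check_wifi_password(pw, suggested_min=13):
    """Check the WPA length limits (8 to 63) and the 13 character suggestion."""
    problems = []
    if not 8 <= len(pw) <= 63:
        problems.append("WPA passwords must be 8 to 63 characters")
    elif len(pw) < suggested_min:
        problems.append(f"shorter than the suggested {suggested_min} characters")
    if any(c not in ALPHABET for c in pw):
        problems.append("contains special characters")
    return problems

def generate_password(length=13):
    """Draw uniformly from ALPHABET with the OS CSPRNG; redraw until compliant."""
    if not 10 <= length <= 63:
        raise ValueError("length must be 10 to 63 to fit both sets of rules")
    while True:
        # Redrawing the whole string keeps every position unbiased, unlike
        # forcing a digit or a capital letter into a fixed slot.
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_router_password(pw) and not check_wifi_password(pw, length):
            return pw

def max_entropy_bits(length):
    """Upper bound on guessing entropy for a random string over ALPHABET."""
    return length * math.log2(len(ALPHABET))

if __name__ == "__main__":
    # One password for the router login and a separate one for Wi-Fi.
    print("router:", generate_password(13))
    print("wi-fi: ", generate_password(13), f"(~{max_entropy_bits(13):.1f} bits)")
```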

It can also be handy to have the User Manual available. Both firmware and manuals for the B One series are available in the Support section of the Peplink website here. As of May 2025, the direct link to the B One User Manual for firmware 8.5.1 is here. That said, documentation is one of the worst things about Peplink. For example, they still refer to Pepwave in the User Manual despite that branding having been discontinued when the Surf SOHO was discontinued. The B Ones are Peplink devices. Another example: the B One, like all routers, has a pinhole reset button. The picture in the User Manual shows it on the back, not the front. Worse still, the picture is of a different router. So, take the manual with a grain of salt.

INITIAL HARDWARE CONNECTIONS

The first hardware thing that needs to be done out of the box, is to put the electric wire together. The router is quite international, it ships with prongs/adapters for four different countries/regions. The prongs for your country need to be slid onto the AC adapter.

The second thing to do is to screw the two Wi-Fi antennas to the back of the router. The antenna ports are clearly labeled.

The third thing is to get an Ethernet cable. Most routers ship with one, the B One does not. Even if you only use Wi-Fi to communicate with all your devices, an Ethernet cable is needed to connect the router to the box/thingy provided by your Internet Service Provider. This box might be a modem or combination modem/router (aka "gateway"). Ethernet cables vary in their speed, color and length. By and large, the variations are only for techies, any Ethernet cable should be good enough for the maximum 1 gigabit speed of the B One router.

An optional step is to get a surge protector or a UPS to protect the router from electrical disturbances. One surge protector that I can recommend is the Tripp Lite TLM626. It has 6 outlets and in April 2025 sold for about $50 US.

POWER UP

Looking at the front of the router, when first powered on, the status light is solid red and the Wi-Fi light is off. After maybe 15 seconds, the status light changes to a much brighter solid red, then another 15 seconds (give or take) and it changes to solid green. A few seconds later the Wi-Fi light turns on and is solid green. A couple times, I was looking at the back of the router when I plugged in the electricity and saw that both LEDs for the WAN2 port came on. They went off after maybe 10 seconds or so. There was, at the time, nothing plugged into any of the Ethernet ports.

If you search for nearby Wi-Fi networks at this point, you should see one named PEPLINK_xxxx, where, as noted above, the last four characters of the network name (SSID) are the last four characters of the router serial number. The Wi-Fi network is protected with WPA2 encryption and is WiFi 5 (aka 802.11ac). You can get the default password for this network in two places, both described above.

FIRST CONNECTION TO ROUTER

To use the web interface of the router, the device running the web browser can either connect via Ethernet to one of the 4 LAN ports, or connect via Wi-Fi. As a rule, Ethernet is a bit easier because initially we will be making changes to the Wi-Fi network(s) created by the router. You don't want to change a tire while the car is running :-)

The first time you connect to the router, you will have to change both the password for getting into the router and the Wi-Fi password. You can (I would) also change the name of the Wi-Fi network.

Open your web browser of choice and navigate to

  https://192.168.50.1

Note that HTTP will also work. Out of the box, the router will automatically change insecure HTTP to secure HTTPS. You can change this behavior later, but I would not.

Your web browser will not be happy, but that is the fault of the browser(s), they all issue scary error messages for no good reason. I tested on Windows 10 in April 2025 and found:

  1. Chrome and Brave and Vivaldi complained that "Your connection is not private".
    See a screen shot from Chrome version 129 on Windows 10.

  2. Edge complained that "Your connection isn't private"

  3. Firefox and the Mullvad browser both said "Warning: Potential Security Risk Ahead"
    See a screen shot from Firefox version 137 on Windows 10.

These errors are issued any time you access a device, any device, using an IP address. This is not a Peplink thing, or a router thing. Despite the errors, encryption is being used between the router and your device.

It takes 2 clicks to bypass these warnings. First, in all browsers, click on the Advanced button. Then, to proceed in Chrome based browsers, click on "Proceed to 192.168.50.1 (unsafe)". In Firefox based browsers click on the gray button that says "Accept the Risk and Continue". Whew.

If all goes well, you should see the Peplink router login screen shown below.

[Screen shot: Log in to the B One router]

The default userid and password is the now classic "admin" and "admin", all lower case. After entering them, you are forced to change the Router password, as shown below. The current password, at this point, is still "admin". See my thoughts about router passwords.

[Screen shot: Forced to change router password]

Next, we are forced to make Wi-Fi changes, as shown below. At the least, the Wi-Fi password must be changed. See my thoughts about Wi-Fi passwords.

You can also, if you prefer, change the network name (SSID). I also have thoughts about choosing a good network name.

[Screen shot: Forced to change the Wi-Fi password]

If you are using Wi-Fi to talk to the router, you will be disconnected after making these initial Wi-Fi changes. The router does not tell you this, so I just had to :-) Log back into the router using the new Router password.

THE DASHBOARD

Next up is the Dashboard page, the main screen for the web interface.

[Screen shot: The Peplink Dashboard]

Now that you are in, know that every page has a gray LOGOUT button in the left side vertical column.

The top WAN Connection Status section is where you go when the Internet isn't working. WAN1 and WAN2 are the two WAN Ethernet ports on the back of the router. The "No Cable Detected" status is because I was setting up the new router while off-line. My worst experiences with Peplink routers were when it did not detect a connected cable.

You also see here that an Internet/WAN connection can either be Priority 1, Priority 2 or Disabled. You only need to deal with priorities when the router has two or three concurrent Internet connections.

A typical use for a Wi-Fi as WAN connection is when you take the router to a hotel that offers Wi-Fi but no Ethernet. The B One can connect to the hotel Wi-Fi and protect all your devices from snooping. It might also be used in a RV park that provides Wi-Fi. I once used it when my main ISP failed and I connected another Peplink router to the Wi-Fi hotspot created by a cellphone. Or, if you use ISP1 and your neighbor uses ISP2 and your ISP1 suffers an outage, you might be able to connect to your neighbor's Wi-Fi network using the Wi-Fi as WAN feature.

The Wi-Fi AP section shows all the networks (SSIDs) created by the router. There is only one in this example, but the B One can create up to 16 Wi-Fi networks. This comes in handy both for using VLANs to segment your devices and also to give devices that support WPA3 their own network. The DallasCowboysFan network is being broadcast on both 2.4GHz and 5GHz. You can easily change this in the AP tab.

The tabs are the horizontal black stripe across the top of the screen: Dashboard, SF Connect, Network, Advanced, AP, System and Status. The Status tab will probably be your best friend. You can ignore the SF Connect tab for now and maybe forever.

In the Device Information section, the CPU Load is probably the most useful information. If all is well, it should be fairly low. Expect it to be high for a minute while the router is installing any configuration changes. If the CPU Load is often high, the router might be infected with malware (very unlikely), underpowered for the number of devices connected to it (specs allow for 150) or running the OpenVPN client software.

The Throughput shows how much data is coming into the router and how much is going out. More details on throughput are available in the Status tab, which has a Real-Time usage report that shows throughput for the last 5 minutes or so. Also available there are Hourly, Daily and Monthly bandwidth reports.

The final thing to take note of here is the grayed out Apply Changes in the top right corner. After making most changes there will be a gray SAVE button. Save means just that, it does not mean install or apply or do it. It takes some time to apply configuration changes and because of the way the SAVE and APPLY CHANGES buttons work you can make multiple changes before actually installing them. The down side is that you might forget to Apply/install your changes. If you don't notice the Apply Changes button lit up, the Dashboard page will warn you when there are un-applied (think pending) changes. If you change your mind and do not want to install/apply your pending changes, you can cancel them on the Dashboard page.

FIXING MISTAKES

There are three options for fixing configuration mistakes.

As noted above, if you have not yet applied the changes, you can go to the Dashboard page where there will be an option to discard pending changes.

The next option is to restore the router settings as of the last time you backed them up. The process is quite simple, finding the file created by your last backup is probably the hardest part.

To make a configuration backup, go to the System tab, then Configuration in the left side vertical column. A screen shot is below.

[Screen shot: B One router - backup/restore system settings]

Just click the gray Download button to download a new file on your computer with the current router settings/configuration. The file name will be in this format
yyyymmdd_bonehw1_serialnumber.conf

For example, a backup created on April 22, 2025 would have a name like
20250422_bonehw1_183579C152E2.conf

Should you ever need to restore a configuration backup, click on the Choose File button, then Upload the file to the router. When using this web interface, the burden of saving and finding the configuration backups is on you. If you use Peplink's optional InControl 2 cloud system, then configuration backups can reside in the cloud.

When to make a backup of the configuration settings is up to you. Windows makes Restore Points on its own, but Peplink backups are manual. Certainly if you make it to the end of this web page, you should make a backup. A great thing about Peplink routers is that before you update the firmware (the operating system of the router) it reminds you to make a backup of the current settings. I always appreciate the reminder.

Also shown above is the worst case scenario, where you need to restore the router to Factory Settings. As you can see, there is a button for this. I would suggest making a backup beforehand. Just in case. You never know.

Once you start the Factory Reset, you might as well close out your web browser. You will be disconnected from the router and the web interface no longer reflects what is really happening. The router re-starts as part of the Factory Reset. You can tell when it is ready again either from a solid green Status light or by scanning for nearby Wi-Fi networks. When it is ready, you will see the default PEPLINK_xxxx SSID again.

Note: The screen shot above is cropped. There is a fourth section at the bottom for "Upload Configurations from High Availability Pair". It can be ignored.

Actually, the real worst case is when you can not even logon to the router at all. For that, there is a pinhole sized Reset button on the front of the B One. It does not say "Reset", instead there is a circular white arrow. It is next to the Status and Wi-Fi lights. Press in the pinhole with a paper clip. Keep pressing for at least 10 seconds.

DNS

When it comes to security, perhaps the biggest increase in security for the smallest amount of effort, is provided by DNS. There is much information elsewhere on this site about DNS, so I will be brief here.

Computers on the Internet have numbers, not names. That this website appears to you as RouterSecurity.org is a top layer to make things easy for humans. Underneath, the computers on the Internet see this website as a thing at IP address 216.92.136.14. DNS is what translates the names we deal with, to the underlying IP addresses.

Every ISP provides a DNS service for their customers and it is typically your worst choice. Many other companies provide DNS services, often free, some paid.

There are two security aspects to DNS: secure vs. insecure communication and blocking bad stuff vs. not blocking anything.

There are two generations of DNS, the older generation uses insecure communication, the newer generation communicates securely. By default, Peplink still uses the older type of DNS. No doubt, your ISP does too.

Using DNS to block your access to bad stuff is a relatively new thing. The hard part is defining "bad stuff" as we all have different definitions. The most popular things to block, of course, are ads and trackers. Here you can see a screen shot of the Mullvad VPN client software (version 2025.3) for Android. Mullvad customers can block: ads, trackers, malware, gambling, adult content and/or social media. Those that don't like these choices, or don't want to use the Mullvad DNS service at all, can opt to specify their preferred DNS provider using the Custom DNS server option.

No DNS blocking can ever be perfect, but it is better to have some, than none.

Four secure DNS providers are pre-defined in a Peplink router (as of firmware 8.5), but the implementation is lame. Three of the DNS providers: Quad9, Cloudflare and OpenDNS offer multiple services, but Peplink does not show you this. Cloudflare, for example, offers one service that blocks malware, another that blocks both malware and porn and a third service that blocks nothing at all. Peplink only offers Cloudflare as a choice. Which service are you getting? Dunno. Google is the fourth DNS provider pre-defined in the router, but as far as I know they offer no blocking services along with their secure DNS. Makes sense, since advertising and tracking is how Google makes money.

With a little work, you can get both secure DNS and the blocking you want.

[Screen shot: Secure DNS is disabled by default]

To configure DNS, go to the Network tab, then click on WAN in the left side vertical column. Peplink refers to the new secure generation of DNS as "DNS over HTTPS" and you will see that it is disabled by default. Click the pink pencil to bring up a window like that shown below.

First, click on the Enable checkbox.

[Screen shot: Secure DNS with Quad9]

Then, if all this is too much, for the Server, choose Quad9 as shown above. Then, click on the gray Save button and then the Apply Changes button.

I suggest Quad9 because it is the most likely company to offer blocking of bad sites/servers by default. You are done with DNS.

To pick your own level of DNS blocking, opt for the Custom URL on the Server line. This requires both the name of a secure DNS server and its IP addresses. A screen shot of entering this information is further below.

To use Quad9, with their malware blocking, enter a server of
https://dns.quad9.net/dns-query and IP addresses of 9.9.9.9 and 149.112.112.112

To use the Adguard DNS service that blocks ads, tracking and phishing, enter a server of
https://dns.adguard.com/dns-query and IP addresses of 94.140.14.14 and 94.140.15.15

There is more about this sort of thing on the DNS providers page.
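To sanity-check a DNS over HTTPS server name before typing it into the router, this added example (not from the original page or from Peplink) builds the RFC 8484 request a DoH client sends to the Quad9 and AdGuard URLs given above and decodes the reply. The sample replies are constructed, and treating NXDOMAIN or a 0.0.0.0 answer as a block signal is an assumption about resolver behaviour that this page does not state.

```python
import base64
import struct

# DNS over HTTPS server names given on this page.
QUAD9 = "https://dns.quad9.net/dns-query"
ADGUARD = "https://dns.adguard.com/dns-query"

def build_query(name, qtype=1):
    """DNS query in wire format (RFC 1035); qtype 1 asks for an A record."""
    # ID 0 as RFC 8484 suggests, flags 0x0100 = recursion desired, one question.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class 1 = IN

def doh_get_url(server, name):
    """RFC 8484 GET form: the query, base64url encoded with padding removed."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{server}?dns={b64}"

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if (n & 0xC0) == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_response(msg):
    """Return (rcode, list of IPv4 answers) from a DNS response message."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def classify(msg):
    """Assumption: a block shows up as NXDOMAIN (rcode 3) or a 0.0.0.0 answer."""
    rcode, addrs = parse_response(msg)
    if rcode == 3:
        return "nxdomain"
    if addrs and all(a == "0.0.0.0" for a in addrs):
        return "null-address"
    return "resolved" if rcode == 0 and addrs else "other"

def resolve(server, name, timeout=5):
    """Live lookup; needs Internet access, so it is not run on import."""
    import urllib.request
    req = urllib.request.Request(doh_get_url(server, name),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as reply:
        return parse_response(reply.read())

def sample_response(name, ip=None, rcode=0):
    """Constructed reply for offline use: one A record, or none if ip is None."""
    question = build_query(name)[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180 | rcode, 1, 1 if ip else 0, 0, 0)
    if ip is None:
        return header + question
    rdata = bytes(int(x) for x in ip.split("."))
    # 0xC00C points back at the name in the question (offset 12).
    return header + question + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata

if __name__ == "__main__":
    print(doh_get_url(QUAD9, "routersecurity.org"))
    print(classify(sample_response("routersecurity.org", "216.92.136.14")))
```

With Internet access, `resolve(QUAD9, "routersecurity.org")` performs the same lookup against the live server.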

All that said, my preferred DNS provider is NextDNS. While DNS blocking can never be perfect, NextDNS lets you easily make adjustments. Something blocked that should not be, you get your own personal Allow List. Something allowed that should be blocked? They have a Block List. They also offer optional logging which can be very valuable. And they support profiles, so that some of your devices can have different Allow/Block lists than your other devices.

You can use NextDNS without an account, with a free account or with a paid account. I suggest opening a free account. The service is free up to a point. If you make too many DNS requests then you need a paid account. As of May 2025, the limit on free accounts is 300,000 queries/month and the entry level paid account is $20/year. I happily pay for the service.

You can sign up with NextDNS at their website. Or, if you prefer to kick the tires anonymously, they offer free accounts valid for 7 days. To get a free temporary account, click on the blue "Try it now" button on their home page. You should see a web page much like the one below.

[Screen shot: A NextDNS Trial Account]

To use this account on a Peplink router, write down the two IP addresses of the DNS servers marked in red above (yours will likely be different) and the green DNS-over-HTTPS server name. Your server name will have a different ending, the "e9b3eb" is a NextDNS account number.

The screen shot below shows where you enter this Custom URL information.

[Screen shot: Secure DNS with NextDNS]

There are two options for the NextDNS server name. The one shown above, in this format
https://dns.nextdns.io/xxxxxx/
where xxxxxx represents the NextDNS account number works just fine.

However, NextDNS also lets you identify the specific device making each DNS request. This can come in handy when using their optional logging feature. To identify a Peplink router, use a server name such as
https://dns.nextdns.io/xxxxxx/mikeysb1router
You see an example of this in the screen shot above. Not to put too fine a point on it, but the xxxxxx above is really a NextDNS profile ID. If you have just one profile, which everyone does at the beginning, then it can be thought of as an account number.

When you are done with DNS, you should see that the new, securely-communicating flavor is enabled, as shown below.

[Screen shot: Secure DNS communication is enabled]

More to come . . .

Page Created: April 28, 2025      
Last Updated: May 14, 2025 3PM CT
Feedback: routers __at__ michaelhorowitz dot com  
Copyright 2015 - 2025