Router Security Surf SOHO Sample Configuration Website by     
Michael Horowitz 
Home Site Index Bugs News Security Checklist Tests DNS Resources Stats Search Popular Pages
NOTE: I gave a presentation on Defensive Computing at the HOPE conference (July 2022) that was based on my Defensive Computing Checklist website.

NOTE: A config file from the 2nd generation of the Surf SOHO can not be used on a 3rd generation model.
Until I have a spare third generation model, this page is useless.
This page is also incomplete as I learned this while creating the page.

There is a long description on this site of the Pepwave Surf SOHO router. There is also a long page describing the initial configuration of the router. This page exists to offer a downloadable configuration file for the Surf SOHO. For anyone new to the router, this can serve as a more convenient starting point.

==> Download Configuration file <==

The configuration file was created using firmware version 8.1.3 which was the latest in September 2021 when it was created. It should not be used with older firmware.

More importantly, it was created on a second generation Surf SOHO (HW2) and thus should only be used on a second generation model. It should not be used with the third generation (MK3) models.

It is always best to save the current configuration before uploading a new one. To do this go to the System tab -> Configuration -> Download Active Configurations.

This configuration will certainly work for LAN side access to the router. However, it has default values for the Internet connection, so you will have to change the WAN options. The one parameter I changed is to force the Internet connection to use Quad9 for DNS ( and rather than DNS servers from the ISP.

Getting access to the router initially is described on the initial configuration page. To install this sample/starter configuration:

  1. Go to the System tab
  2. Click on Configuration in the left side vertical column
  3. In the Upload Configurations section, click the gray Browse... button and navigate to the downloaded configuration file
  4. Finally, click the gray Upload button and wait for the router to reboot

To access the router, with this configuration, from the LAN side:

  1. The IP address of router is
  2. Access is limited to HTTPS (no HTTP)
  3. The port number is 22555

Putting this all together, the URL is:

Remote access to the router if off. The DHCP range is through


To login to the router, the admin user is "baberuth" and the admin password is "1927newyorkYankees". There is also a read-only user defined. The userid is "readuser" and the password is "23baseballBATS".

After logging in as Babe Ruth, the dashboard will look like this:

Dashboard for sample/starter Surf SOHO configuration


As shown above, there are three Wi-Fi networks (SSIDs). They all use WPA2 Personal.

NAME: yankeesprivate PASSWORD: 88greenlightBULBS88
This is the private network and it is shared with all the LAN side Ethernet ports. The subnet is 192.168.55.x.

NAME: GuestsIoTshared PASSWORD: 44Yellow44basketballs
This is for both IoT devices and Guest humans. Devices on this SSID are allowed to see each other. This is assigned to VLAN number 11 and the subnet is 10.11.11.x.

NAME: GuestsIoTisolated PASSWORD: 77redbaseballCAPS77
This too is for both IoT devices and Guests. However, devices on this SSID are not allowed to see each other. This is assigned to VLAN number 22 and the subnet is 10.22.22.x.

Actual Guests (people) belong in the GuestsIoTisolated SSID. Whenever possible, put IoT devices there too. If, however, you need to communicate with an IoT device over the LAN, then that device needs to be in the GuestsIoTshared SSID. Neither of the Guest/IoT networks can see anything in the private network. They are also blocked from access to the router.

The Wi-Fi channel should be automatically chosen by the router. That said, I limited the available channels on the 2.4 GHz band to just 1, 6 and 11. The HW2 is only one frequency band at a time, so I don't know what to expect for the 5 GHz frequency band.

The GuestsIoTisolated SSID is turned off at 3AM every day and then back on at 3:30AM. This was done just to provide a sample of scheduling things. Wi-Fi itself can be schedule (not just one SSID) as can firewall rules.


There are some Local DNS records that block a few ad/tracking domains such as,, and The blocking is done by forcing the domains to resolve to IP address zero. Here too, this is mostly as a demonstration of how the feature works. One innocent domain, is also blocked, to provide a sample of what happens when a domain is blocked by DNS. Nothing against the city of Atlanta or CraigsList.

A similar feature, Content Blocking is also used to block some ad/tracker domains. Whereas DNS blocking is specific, Content Blocking is generic. For example, is blocked with Content Blocking. This blocks anything that ends with It would, for example, block:, and Another difference is that DNS blocks all access to the target domain/subdomain. Content blocking only blocks website HTTP/HTTPS access. if was an email server, access to it would be allowed.

The most extreme example of generic blocking is when we block "cn" and "ru". This blocks every website in China and Russia. The sample also blocks websites ending in "cm" and "xyz" because they are frequently used by bad guys.


Along with VLANs, support for outbound firewall rules is one of the best things about the Surf SOHO. There are 7 active and one inactive firewall rules, as you can see below.

Outbound firewall rules

The rule CableModemMaybe is assigned to IP address which is used by a number of cable modems. If you have a modem that is addressable by IP address you can use a firewall rule to either block access to it from the LAN or, at the least, audit all access to the modem.

The next three firewall rules (they all start with Block) block access to three groups of internal-use-only IP addresses. No packet of data should ever leave the router destined for one of these IP addresses. Yet, I see it all the time. Blocking these IP addresses has not been a problem for me and I have done it for years. Sometimes this happens so often, that I disable the logging.

The next three rules (they all start with My) are focused on the source IP address rather than the target. This configuration uses three subnets (192.168.55.x and 10.11.11.x and 10.22.22.x) and any data leaving the router from one of these subnets is allowed. The final rule (Invalid-source-IP) blocks and logs whatever is left. Nothing should be left. Yet . . .


Some minor things:

Page Created: September 22, 2021      
Last Updated: November 16, 2021 9PM CT
Viewed 657 times
(2/day over 370 days)     
Website by Michael Horowitz      
Feedback: routers __at__ michaelhorowitz dot com  
Copyright 2015 - 2022