|Router Security||Pepwave Surf SOHO Router||
In 2013, I couldn't take the security flaws in router firmware any more and went looking for a low end business class router hoping to find professionally done firmware without paying a huge price.
The first company I considered was Peplink. I had run across them in 2011 while looking for a multi-WAN router. That seems to be their specialty. At the time (2011) I bought their cheapest multi-WAN router (a Balance 20 for $300 without WiFi) and it had performed great for those couple years.
By 2013, the Balance 20 was no longer the cheapest Peplink router, the company had introduced the Pepwave Surf SOHO which offered WiFi at roughly half the price of a Balance 20 but could only talk to one ISP at a time. I gambled on it, was impressed with the security features, and have used it ever since. Note that the Surf SOHO is only a router, it does not include a modem.
To be clear, I am not selling this router. I am not selling anything. I have no connection to Peplink/Pepwave. The company has not contributed to this page at all. There are some links on this page for purchasing the router, but they are not affiliate links. My only relationship to Peplink is as a customer.
There are initial setup and configuration instructions here for the Surf SOHO.
|Why I recommend the Surf SOHO||Three Hardware Editions|
|Monitoring and Reporting||Three Inputs|
|Guest Networks||And ...|
|Closest Competition||Extending the Surf SOHO|
|Buying the Surf SOHO||More Horsepower|
I do not recommend the Surf SOHO for its speed (it's rated for 120Mbps), price or Wi-Fi range. I recommend it for professionally written, well supported, reliable as heck firmware - without the slew of security problems that affect consumer routers. There is nothing sexy about it, in fact, it's somewhat ugly. There is even a Downsides section below (it has shrunk over time). At roughly $200, many routers are cheaper, but the price is an amazing bargain for a business class router. For example, the step up model is $500.
In May 2018, malware known as VPNFilter made headlines for infecting hundreds of thousands of routers. Perhaps you heard the oft-repeated recommendation to reboot your router to remove the malware. An FBI Alert said "The FBI recommends any owner of small office and home office routers power cycle (reboot) the devices. Foreign cyber actors have compromised hundreds of thousands of home and office routers... " The phrase home and office routers is code for crappy routers. As you can see on the Bugs page of this site, consumer routers are buggy as heck. And, far too often, the bugs are not fixed. Peplink is not that. They are a step up. No one owning a Peplink router needed to restart it to remove malware.
I recommend Peplink, even though they do not share my focus on security. In fact, for a long time their Wi-Fi routers did not even offer stand-alone WPA2. The most secure option was a combination WPA/WPA2. You could not restrict access to just WPA2. This has since changed, but it shows that their focus is not on security. But, it doesn't have to be. That's how bad consumer routers are.
Peplink is not a big name in routers. At a conference in the summer of 2015, I asked someone who had just given a presentation about routers what he thought of Peplink - and he had never heard of the company. This is a security feature in and of itself. Since Peplink routers are not used by millions of people, bad guys are probably not focused on finding their flaws.
A business oriented router includes a different set of features than consumer models.
For example, the Surf SOHO is capable of site to site VPN connections, something few consumers understand. It does this with PepVPN, which only connects to other Peplink devices (better security). I have used this to enable file sharing for a company with employees in different locations, and, to make file backups easier. Files can be copied from one location to another exactly the same way they are copied from one folder to another. The site-to-site VPN does not have to run 24x7 and it can be configured such that only one end can initiate the connection. Thus, if you use it for connecting to your parents to back up their files, you can ensure that only your Peplink router initiates the connection, never theirs. All VPNs have overhead and the Surf SOHO is a low end device, so the PepVPN throughput is only 20Mbps (for the MK3 model as of 2021).
As a business class device, the Surf SOHO does not support WPS, which is great for security. WPS was the feature that turned me away from consumer routers in the first place.
Peplink actively maintains the firmware in their routers. Unlike consumer routers, they do not walk away from their older routers, thus requiring customers to buy a new router to get bug fixes. And, unlike higher end UTMs, there is no yearly fee to use their software/firmware. At one point, I had to pay to upgrade the Balance 20 router mentioned above from firmware version 5 to version 6, but that policy has since changed. And, Peplink at the time was still supporting version 5 of their firmware with bug fixes, I wanted a feature that was only offered in version 6.
When you buy a consumer router, you are buying the hardware. Router manufacturers aim to get the software (that is, firmware) as cheaply as possible. When you buy a Peplink router, you are buying the software. That's what they stake their claim on, it's what they build their reputation on. They are not unique, this is common in business class routers. Peplink just happens to offer this in the Surf SOHO at a remarkably low price.
Also, the user interface on some business class routers is meant for networking experts, and anyone else would have a hard time dealing with it. Ubiquiti is a great example of this. This is not true with Peplink/Pepwave; their user interface is just as easy for a non-techie to deal with as that on a consumer router.
On the security side, the Peplink firmware does a great job of locking down both local and remote administration as described on the Security Checklist page. Also, you can change the userid for administering the router. Many (most?) routers only let you change the password, not the userid.
And, Peplink has a GREAT feature: multiple firmwares. The router maintains two copies of the firmware, which takes almost all the risk out of both making configuration changes and upgrading the firmware. If something goes wrong, you can reboot the router to fall back to the way things were before the change. This feature alone is enough to recommend their product line.
The Peplink firmware is also very good at monitoring the network. Perhaps most importantly it has a detailed display of the currently connected devices. You can assign friendly names to devices (i.e. Harveys iPad) to make it easier to identify them. For wireless devices the router shows the signal strength of the connection and the SSID the device connected to. You can drill down on any particular device and see all of its connections (a.k.a. sockets) to the Internet. I have used this feature to verify that a VPN is doing what it is supposed to be doing, funneling all data to a single VPN server. If the Internet feels slow, the router displays the current bandwidth used by each device and also has many history reports of bandwidth per device. More on this below in the Monitoring and Reporting section.
Peplink offers unusually good technical support at the support forums on their website. The forums are populated by people that understand the technology and intelligently respond to questions. This thread is an excellent example. The company had originally marketed their Balance One router as supporting Gigabit speeds, but when a customer inquired, they found Windows machines in their lab were getting 900Mbps and recent Mac OS X machines were only getting 700Mbps speeds. They came clean about this, admitted they were puzzled at first, and now sell the Balance One router as supporting 600Mbps speeds. I find the honesty extremely refreshing and it really makes me trust the company.
Peplink supports VLANs. As a rule, all the devices in your home share one network, referred to as a LAN or Local Area Network. The problem with this is that a device in your home may be malicious and try to corrupt other devices. Also, not every device in your home needs to share files or printers with all the other devices. VLANs let you logically separate the devices in your home into different groups. When I first tried to set up a VLAN in 2015, I found the documentation useless. That said, I asked for help in their online Forum and eventually was able to create a VLAN-isolated Wi-Fi network with their help. Thus, my Surf SOHO had one Wi-Fi network on the main LAN where devices can share printers and files and another Wi-Fi network where devices were isolated.
Originally, Peplink only supported VLANs for Wi-Fi networks but you can now also assign the Ethernet LAN ports to VLANs. That is, you can assign each LAN port to a different VLAN (screen shot is from firmware 6.3.2), or you can group LAN ports into VLANs.
All three hardware versions of the Surf SOHO run reasonably cool. Still, if you put your hand on the top, you can tell where the CPU is.
It can function as a VPN server using L2TP with IPsec (Advanced -> Remote User Access, in firmware 8, 7 and 6). Nobody thinks PPTP is secure, nonetheless it offers a PPTP based VPN server too. Starting with firmware version 8, it can also function as an OpenVPN server.
Privacy: A number of new routers require you to have an account with the hardware manufacturer. Peplink does not. Some routers can not be configured offline, Peplink routers can. Some routers phone home with assorted data to the hardware manufacturer. Peplink does not, as long as their InControl system is disabled.
The Surf SOHO can create isolated wireless networks, much like Guest networks, where devices can get to the Internet and nothing else. Much more on this below in the section on Guest Networks.
It supports both UPnP and NAT-PMP but each is disabled by default, which is the secure default. This illustrates how the Surf SOHO is a business class router vs. a consumer router. Consumer routers typically ship with UPnP enabled because it's cheaper - it avoids tech support calls. But, it is not as safe for the Internet at large. A huge reason that IoT is a security disaster, is due to UPnP being enabled by default. Google's second generation routers, Google Wifi have UPnP enabled by default - they are marketed at consumers. Ditto for the Ubiquiti AmpliFi mesh router system.
The Surf SOHO offers full control over DNS, yet another indication of its being a professional device rather than a toy. Typically, devices on a network are assigned DNS servers by the router. But, any computing device can be configured to use specific DNS servers. If, for example, parents configure their router to use DNS servers that block porn, the kids can change their computers to use other DNS servers that don't block anything. However, the kids' computers still go through the router and the Surf SOHO sees their DNS requests and can, optionally, re-route them to the DNS servers the router is configured to use. This forces kids to hack into the neighbor's Wi-Fi network :-) The feature that lets the router impose its DNS servers on all attached devices is called DNS forwarding and it is disabled by default. The page on configuring the Surf SOHO shows exactly how to enable this.
Forcing all connected devices to use known good DNS servers has another advantage: it can cripple some strains of malware. For example, this July 2020 article TrickBot variant 'Anchor_DNS' communicating over DNS discusses malware that communicates with its Command and Control server using DNS requests.
Update: Feb 13, 2020. DNS is changing. In the old days it was not encrypted, but the newer DoT and DoH standards are encrypting DNS. Cloudflare was the initial poster boy for encrypted DNS and NextDNS followed not long afterward. If a computer is using DoT or DoH for its DNS requests, the Surf SOHO can not force these requests anywhere. They appear as normal encrypted website traffic (port 443) to the router.
Prompted by my note, the subject of a router forcing the use of its configured DNS servers was discussed on Steve Gibson's Security Now podcast on Feb. 28, 2018. I blogged about the issue in more detail here: Routers can force their DNS servers onto all devices.
A nice Wi-Fi feature is the ability to limit the channels used by the automatic channel selection. On the 2.4GHz band, it is generally agreed that everyone wins when routers limit themselves to channels 1, 6 and 11. You can force this on the Surf SOHO by editing the list of allowable channels (see a firmware 7.0.2 screen shot). I have not tested how well the Surf SOHO picks Wi-Fi channels, but if it is making a bad choice on the 5GHz band, you can limit the channels there too.
Firmware 6.3, released in December 2015, added Wake On LAN (WOL). This is great for working on grandma's computer while she is sleeping. If you have given devices on your LAN friendly names, the Wake-on-LAN feature, thankfully, displays these friendly names so you don't need to keep track of the MAC address for each device.
Peplink does not support WEP. Some consumer routers continue to support this old and insecure method of Wi-Fi encryption. For example, a March 2018 review of the TP-Link Archer C3150 reported that it still supports WEP.
The Surf SOHO can create 16 wireless networks (SSIDs). Prior to firmware version 7.1, it could only create three SSIDs. Not everyone needs 16, but it's nice to have as it offers a lot of flexibility for things such as isolating IoT devices. As a starting point, consider having one private WiFi network for trusted devices, a guest WiFi network for visiting humans and an isolated WiFi network for IoT devices. Also, someone who works at home would be safer if they had their own SSID that was isolated from the rest of their family. Perhaps have an SSID just for children that is scheduled to turn off at bedtime.
As a business class router, the Surf SOHO supports WPA2 Enterprise. While it is common to think that WPA2 is the best available Wi-Fi security, this is not true. WPA2 Enterprise is much more secure, but also more complicated. A longer discussion of WPA2 Enterprise is on the WPA and WEP page.
The web interface is not hard to use. Granted, this is a matter of opinion, but it's not just mine. It is basically the same as the web interface of any consumer router, except that it offers some additional features. You can test drive the user interface at peplink.com/products/balance/live-demo. As of October 2017 the demo was of a very high end model, the Balance 710, running firmware version 7.0.2.
In March 2018, Brian Krebs wrote that Omitting the "o" in .com Could Be Costly. My first response was to create an outgoing firewall rule that blocked all access to an IP address Krebs identified as malicious. My second response was to ask in the Peplink Forum about blocking all domains that end with .cm. It turns out this is easy! All you have to do is enter "cm" in the Web Blocking feature (screen shot). Before this blocking was in place, chase-dot-cm was blocked by Firefox and Google safe browsing. After it was in place, the domain was blocked by the router.
Peplink routers do not spy on you. In March 2020, I verified that firmware 8.0.2 does not phone home with any data about anything. Details here. This is a drastic contrast with the Synology RT2600ac router which is constantly phoning home with data that Synology feels no need to explain. The difference is night and day.
Uploading a large file will not hog the Internet connection in such a way as other users are prevented from using the full available download bandwidth. This, thanks to an option called DSL/Cable Optimization (see screen shot from firmware 7.0.2). Likewise, I often download a 12GB file. No one on the LAN can tell. Nothing grinds to a halt.
The Surf SOHO has taught me not to blindly trust VPNs. The basic foundation of a VPN is that after a computing device establishes a connection to a VPN server, all data travels through the VPN tunnel. The Active Sessions feature of the router shows all the connections a given device has to the outside world. When the VPN is working as intended, there will be a single connection. However, I have seen devices make connections outside the VPN tunnel. I have also confirmed this using an outbound firewall rule, one that logs all new connections from a VPN-connected device (there should be none). Without these features, you are unable to audit that a VPN is working correctly.
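The audit described above can be automated once the outbound firewall log is exported. The following is an added example, not code from this site or from Peplink: the key=value log layout, the function names and the sample addresses are all constructed for illustration, so the regular expression must be adapted to whatever your syslog server actually records.

```python
import re
from collections import namedtuple

# Constructed sample lines in an assumed key=value layout; this is NOT
# Peplink's real log format. Addresses come from documentation ranges.
SAMPLE_LOG = """\
Mar 01 10:00:01 SRC=192.168.1.50 DST=203.0.113.10 PROTO=UDP DPT=1194
Mar 01 10:00:07 SRC=192.168.1.50 DST=198.51.100.53 PROTO=UDP DPT=53
Mar 01 10:00:09 SRC=192.168.1.50 DST=198.51.100.80 PROTO=TCP DPT=443
Mar 01 10:00:12 SRC=192.168.1.77 DST=198.51.100.80 PROTO=TCP DPT=443
Mar 01 10:01:30 SRC=192.168.1.50 DST=203.0.113.10 PROTO=UDP DPT=1194
Mar 01 10:02:00 this line is malformed and must be skipped
"""

Session = namedtuple("Session", "src dst proto dport")

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+"
    r"PROTO=(?P<proto>\S+)\s+DPT=(?P<dport>\d+)"
)


def parse_sessions(log_text):
    """Yield a Session for every line that matches; skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield Session(m["src"], m["dst"], m["proto"].upper(),
                          int(m["dport"]))


def audit_vpn_client(log_text, client_ip, vpn_server_ip):
    """Count tunnel sessions and list every destination outside the tunnel.

    A device that is correctly using its VPN should only ever talk to the
    VPN server, so anything else from that device is reported. DNS ports
    (53 and 853) are labelled separately because a DNS lookup made outside
    the tunnel reveals the sites being visited even when the web traffic
    itself stays inside it.
    """
    tunnel_sessions = 0
    leaks = []
    for s in parse_sessions(log_text):
        if s.src != client_ip:
            continue
        if s.dst == vpn_server_ip:
            tunnel_sessions += 1
            continue
        kind = "dns" if s.dport in (53, 853) else "other"
        entry = (s.dst, s.proto, s.dport, kind)
        if entry not in leaks:          # report each destination once
            leaks.append(entry)
    return {"tunnel_sessions": tunnel_sessions, "leaks": leaks}


if __name__ == "__main__":
    report = audit_vpn_client(SAMPLE_LOG, "192.168.1.50", "203.0.113.10")
    print("sessions inside the tunnel:", report["tunnel_sessions"])
    for dst, proto, dport, kind in report["leaks"]:
        print(f"outside the tunnel ({kind}): {proto} {dst}:{dport}")
```

A tunnel count of zero with no leaks means the device was simply idle or not in the log, not that the VPN was verified.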
Maybe you want an audit of everything someone connected to the router does. Or, maybe you want to see what an app or website is doing under the covers. URL Logging can do this. Simply put, it logs every URL visited by anyone connected to the Surf SOHO. Yes, this can be a flood of data and no one would want this on all the time. It is a bit hard to get this feature working as Peplink does not write this log to the internal Event Log, instead it sends the log data to an external syslog server. Rather than try to install a syslog server on one of my computers, I was able to send the log to a Synology NAS using the Synology Log Center app. From the NAS, I was able to download the log in either HTML or CSV format. Here is a screen shot of what the exported URL log looks like in HTML format. CSV format is easily imported into a spreadsheet where the data can be sliced and diced. I suspect that some routers with parental control features can probably do this too and perhaps even easier.
Buffer bloat is a somewhat technical topic, but suffice it to say, the Surf SOHO scores well when tested by DSL Reports. This report was run August 2018 on a hardware version 2 (more below) Surf SOHO, whose maximum speed is rated at 100Mbps. The maximum upload speed of the Internet connection was 10Mbps. The important point, however, is not the speed, but that the router got an A rating for BufferBloat (green circles at bottom).
The router admin interface is a normal, ordinary, boring website. It works with any web browser on any Operating System, even a Chromebook.
To see the reward for owning a Peplink router, see my April 2019 blog: Why i like my router, where I describe using assorted features in the router to respond to real world security issues.
Finally, Peplink makes it very easy to report bugs, which is a huge contrast from consumer router companies. You simply go to the support section of their website, then Contact Us, then "Open a Support Ticket". They also publish the link in their Release Notes. All that you need to provide is an email address and the serial number of your Peplink device. The router does not have to be under warranty to report a bug. A support contract is not needed either. From personal experience, I can say that they do respond to bug reports and that the responses are intelligent (again, unlike consumer oriented companies).
There are three hardware versions/editions of the Surf SOHO. The first two were very similar, the main difference being the speed of the Ethernet ports. On the first version the ports ran at 100Mbps, the second edition upped this to Gigabit Ethernet. The second edition was retired around July 2016. The third edition went on sale at the end of 2016.
The first two editions supported both the 2.4GHz and 5GHz frequency bands, but you could only use one frequency band at a time. And, they maxed out at Wi-Fi N. The third edition added Wi-Fi ac, concurrent dual band Wi-Fi and a Kensington lock security slot.
The WAN speed rating was increased from 100Mbps in version 2 to 120Mbps in version 3. I speed tested a version 2 model many times and saw it run at 112Mbps, the exact same speed as the modem without the router being connected. And these were real tests with the router implementing a host of features. Some vendors quote speeds with all features disabled which is not realistic.
Peplink refers to the first version as HW1 and the second as HW2. Makes sense. For whatever reason, the third version is known as MK3. Beats me why.
The picture at the top of this page shows the front of the third edition (MK3). Here is the rear view of the first two editions. There are two RP-SMA antenna ports and the USB port is only used for WAN antennas. The Wi-Fi Signal Strength only applied to the Wi-Fi as WAN feature. Here is a picture of the rear of the third edition. There are now three antennas instead of two and the Wi-Fi signal strength LEDs have been removed. In all cases, the Ethernet ports are metal rather than plastic and they all have small LEDs that indicate the link speed.
To see which hardware version a specific Surf SOHO is, log on to the router, go to the Status tab, click on Device in the left side vertical stripe and look for "Hardware Revision" and model number. Hardware versions 1 and 2 are labeled as such. Version 3, however, is also labeled as version 1 (last verified with firmware 7.0.2). Version 3 actually identifies itself by MK3 in the Model field. Stooopid it is.
All three hardware versions have internal Wi-Fi antennas. The specs for the MK3 edition do not mention the internal antennas. The first two editions had a configuration option for using either the internal or external antennas. This was removed in the MK3 version.
The internal antennas on the first two editions were 1dBi omnidirectional. On the MK3, the external antennas are 3x3 MIMO. All three antennas send and receive on both bands.
On the MK3 edition, each SSID has its own frequency band profile. That is, for each SSID, you can specify if it lives only on the 2.4GHz band, only on the 5GHz band, or, on both frequency bands. This was not an issue with the first two versions as they only supported one frequency band at a time.
As noted above, the feature that can limit the Surf SOHO to channels 1, 6 and 11 on the 2.4GHz band (when it is allowed to dynamically choose the channel on its own) is only available on the MK3 edition.
Update: Aug 29, 2018 The feature is now also available on the second generation Surf SOHO (HW2).
The Surf SOHO offers an outgoing firewall with fully customizable rules. In April 2018 researchers reported that a Samsung Smart TV would phone home to Google Play, Double Click, Netflix, FandangoNOW, Spotify, CBS, MSNBC, NFL, Deezer, and Facebook - even though they had not signed in or created accounts with any of these services. An outgoing firewall can create rules that prevent the TV set from communicating with services it is not using.
Some IP addresses are reserved for internal use only. The most famous are those that start with 192.168. Others start with 10 and 172.16. These reserved IP addresses are not allowed on the real Internet, so you might think that requests for them would not be allowed out of the Surf SOHO. But, Peplink allows it because their routers are used in very complex networks.
In a simple environment, with a single Peplink router directly connected to a modem, outgoing firewall rules can prevent communication to any of these normally private IP addresses. In firmware 7, go to Advanced -> Access Rules (in the Firewall section) -> Outbound Firewall Rules. Create three rules where the Protocol is any, the source IP and Port is Any Address, the Action is Deny and for Destination IP and Port, choose Network. The three different networks would be: IP: 10.0.0.0 Mask 255.0.0.0 (/8), IP: 172.16.0.0 Mask 255.240.0.0 (/12) and IP: 192.168.0.0 Mask 255.255.0.0 (/16). Here is a screen shot of this. To know if these rules are ever invoked, you can enable Event Logging.
The one exception might be if you want to access the modem via the ever popular IP address 192.168.100.1. To allow this, create a firewall rule that sits above these three (they are evaluated top down). This is shown in the screen shot. I blogged about this in Feb. 2015: Talk to your modem and Using a router to block a modem.
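Because the rules are evaluated top down, the position of the modem exception decides whether it ever takes effect. The following added example (not Peplink code and not from this site) models first-match evaluation of the four rules described above and flags any rule that an earlier rule makes unreachable; the rule names and the default-allow behaviour for unmatched traffic are assumptions made for the model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "Allow" or "Deny"
    destination: str   # CIDR network, or a single address written as /32

    @property
    def network(self):
        return ipaddress.ip_network(self.destination)


# Assumption for this model: traffic that matches no rule is allowed out.
DEFAULT_ACTION = "Allow"

# The exception for the modem and the three private-range rules from the text.
MODEM_ALLOW = Rule("Allow modem", "Allow", "192.168.100.1/32")
PRIVATE_DENY = [
    Rule("Deny 10/8", "Deny", "10.0.0.0/8"),
    Rule("Deny 172.16/12", "Deny", "172.16.0.0/12"),
    Rule("Deny 192.168/16", "Deny", "192.168.0.0/16"),
]

GOOD_ORDER = [MODEM_ALLOW] + PRIVATE_DENY   # exception sits above the denies
BAD_ORDER = PRIVATE_DENY + [MODEM_ALLOW]    # exception added at the bottom


def evaluate(rules, destination):
    """Return (action, rule name) for the first rule matching destination."""
    addr = ipaddress.ip_address(destination)
    for rule in rules:
        if addr in rule.network:
            return rule.action, rule.name
    return DEFAULT_ACTION, "default"


def shadowed(rules):
    """List (rule, earlier rule) pairs where the rule can never fire.

    A rule is dead when an earlier rule already covers its whole
    destination network, since evaluation stops at the first match.
    """
    dead = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if rule.network.subnet_of(earlier.network):
                dead.append((rule.name, earlier.name))
                break
    return dead


if __name__ == "__main__":
    for label, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label)
        for dst in ("192.168.100.1", "192.168.1.1", "172.31.255.255",
                    "172.32.0.1", "10.9.8.7"):
            action, name = evaluate(rules, dst)
            print(f"  {dst:<16} {action:<5} ({name})")
        print("  unreachable rules:", shadowed(rules) or "none")
```

Note that 172.32.0.1 falls outside the /12 mask and is not blocked: the reserved block covers 172.16.0.0 through 172.31.255.255 only.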
See the technical specs for the MK3 edition.
The Surf SOHO does a good job of showing you what's going on.
This starts with the list of attached devices all shown on one screen making it easy to spot anything out of the ordinary. The router lets you assign friendly names (i.e. Susans iPad, Joes laptop) to the attached devices. It shows which SSIDs wireless devices are connected to and the signal strength from the point of view of the router. You also see the current upload and download bandwidth used by each device. One thing is missing however, whether a wireless client is using the 2.4GHz or 5GHz frequency band. This information is shown in the Peplink cloud service InControl2, on higher end Balance routers that have embedded AP controller software and in Peplink Access Points. InControl2 also shows whether a client is using Wi-Fi g, n, ng or ac. Still, it's a lot of useful information in one place.
There are, however, two things missing. As of the third generation (MK3) of the Surf SOHO a single SSID can exist on both Wi-Fi frequency bands. The display of client devices does not show which frequency band is being used by each client device. To see that, you need to use InControl2. Also missing are the currently used Wi-Fi channels (one on each frequency band).
If one device sparks interest, you can drill down to see all the Internet connections it currently has, although this is not as easy as it could be. One use of this feature is to ensure that a VPN connected device is, in fact, only communicating with the VPN server. Another use is to check that a mobile device doing online banking has an encrypted connection to the bank. Or, you can use it to check if a Smart TV is phoning home and reporting on your viewing habits.
The Surf SOHO also does a great job reporting on bandwidth usage.
In the live Current bandwidth report (see screen shot) the display moves from right to left. The vertical axis changes, dynamically, as needed. The router always displays the average and peak download speed (green) and upload speed (blue). This sample report shows the receiving end of a large file transfer. The sending site has a maximum upload speed of 20Mbps, the receiver's maximum download speed is about 100Mbps. The file transfer takes a couple hours. This graph shows that the file transfer is performing very well, the receiver is averaging over 18Mbps of incoming data and the data flow is fairly constant. The peak download of 48Mbps was probably due to another computer at the receiving site briefly downloading something.
The Current Bandwidth report can also help verify that you are getting the speed you pay for from your ISP. For example, here is a current bandwidth report taken just after uploading a very large file. The average upload speed was 14.14Mbps with a max/peak speed of 16.57Mbps. If the expected outbound speed of this Internet connection was 20Mbps then it is performing fine. However, if the expected speed was much higher than 20Mbps, then there is a problem, perhaps with the sender, perhaps with the receiver. Curious techies can also run Internet speed tests and compare the results to the Current Bandwidth report. In this case, start the Current Bandwidth report just before running the speed test.
This report is for the entire router. The Client List page in the Status tab shows the current bandwidth for each client. The list auto-refreshes every 10 seconds or so and the numbers shown are for the previous 10 seconds.
Reports on historical bandwidth usage are provided Hourly, Daily and Monthly.
Hourly reports are provided for the last 24 hours. When you first view the report, you see the number of bytes uploaded and downloaded by the router, a summary across all devices. In this example, the download bandwidth spikes at 9PM and 10PM because someone was viewing streaming video. From here, if you click on a specific hour, the report shows the IP address and MAC address of each device connected to the router, along with the number of bytes that device uploaded and downloaded in the hour. If you hover the mouse over the MAC address, it displays the name of the company that made the network adapter.
Daily reports are available for the last month. The initial report provides data both as a graph and as a table. It shows, for each day, the number of bytes uploaded and downloaded by the router. There is also a monthly total. Clicking on a day (screen shot) shows the IP address and MAC address of each device connected to the router, along with the number of bytes that device uploaded and downloaded that day.
The report can be sorted by any column, in this example it is sorted by the number of bytes downloaded. The device at IP address 192.168.1.44 downloaded 2.96 gigabytes that day and only uploaded 32 megabytes. It's a Roku box. The next biggest downloader was IP address 192.168.1.182 which downloaded 433 megabytes and uploaded 1.42 gigabytes. That device was a computer making file backups to the cloud. Like the Hourly report, if you hover the mouse over the MAC address, it displays the name of the company that made the network adapter.
The Monthly Bandwidth report goes back at least two years. For the last two months, you can see bandwidth usage by client for the month. With the InControl2 cloud service, bandwidth usage by client is available for more than two months. I'm sure how far back it goes.
All the bandwidth reports are made more useful thanks to consistent IP address assignment. Even without forcing a marriage between a MAC address and an IP address, the Surf SOHO consistently assigns a device to the same IP address.
The Surf SOHO can email you about a limited number of error conditions. The only error I have been notified about, so far, is when the ISP goes off-line and when it comes back on-line. With a single WAN connection, the off-line message can't be sent until it comes back on-line, unless you set up automatic fail-over. Still, it is useful to know about outages, though it's much more helpful on a multi-WAN device such as the Peplink Balance series where the message goes out immediately via the still-working WAN connection. The emails can be sent using any email address. Here is a screen shot of configuring the Surf SOHO to be an email client.
The Surf SOHO can also monitor a WAN connection for total monthly usage. You tell it the monthly bandwidth allowance (in MB, GB or TB) and the day of the month when the cap resets and the router will email you when usage hits 75% and 95% of this limit. Here is a screen shot of the Bandwidth Allowance Monitor Settings. If desired, the router will cut off the WAN connection when the monthly limit is reached.
For real network professionals, the Surf SOHO is able to create pcap files all by itself. This seems to put quite a strain on the CPU (no surprise) so it's best used sparingly. These are standard pcap files that can be read by Wireshark. It makes one pcap file for LAN side traffic and one for the WAN side. For debugging a problem, this is the ultimate tool.
It supports a feature Peplink calls "WiFi as WAN" that lets the router use a WiFi network as input. At first, I thought nothing of the feature. Then, one day, my ISP went down for the good part of a day. What to do? In the old days I would connect a single important laptop to a smartphone WiFi hotspot, but now I had more devices that needed to be online. And, some of them were Ethernet connected to the router. So, I fed the Surf SOHO the WiFi hotspot from a smartphone and it worked great. When the phone had to leave the premises, I fed the router from a different smartphone. This allowed many devices to share the smartphone hotspot and none of them had to change in any way at all. They talked to the router before, during and after the ISP outage in exactly the same way (be it Ethernet or WiFi). Interestingly, the "WiFi as WAN" feature causes the router to use WiFi for both input and output concurrently.
Of course a smartphone gets its Internet access from a 3G/4G/LTE network as do assorted MiFi type devices. Likewise, the Surf SOHO can use 3G/4G/LTE for Internet access, without a smartphone. Peplink supports many cellular antennas that can be plugged into the USB port of the router. In addition, you may be able to plug an Android phone into the USB port of the Surf SOHO for wired tethering. The Android phone has to support this, something that can be tested using a computer before trying it on the router. Wired tethering should be faster than feeding the router Wi-Fi from a smartphone, but I have not tried this. And, I think this is only possible with Android, iPhones would have to feed the router with Wi-Fi.
The Surf SOHO lets you define the three inputs in priority order. For example, it can be configured to use a wired ISP normally, and, should that fail, to fall back to a Wi-Fi network for Internet access and, if that's not available, fall back to a 3G/4G/LTE network. What the Surf SOHO does not do, is two different Internet sources at the same time (a feature called multi-WAN). Most Peplink routers support this, but they cost more than the Surf SOHO.
Thanks to the multiple inputs, the Surf SOHO makes a great travel router (it's not all that big). The WiFi as WAN feature can connect the Surf SOHO to Wi-Fi offered by a hotel. All your devices are much safer connecting to the Surf SOHO rather than directly to the hotel network. And, if a hotel offers Ethernet, all the better. It is also popular with RV owners, both for the 4G/LTE Internet access and for the Wi-Fi as WAN which can connect to the network at an RV park.
In August 2020, I learned there is a fourth input to the Surf SOHO: you can plug a USB/Ethernet adapter into the USB port. I learned this from reading the Peplink Forum; this feature is not mentioned in the Surf SOHO user guide. I have tested this on a second generation (HW2) model only. The Surf SOHO only allows one active WAN/Internet connection at a time. So, when a USB/Ethernet adapter is plugged in, the USB input is put in Standby mode. See a screen shot. When I unplugged the main WAN connection, the status for the USB connection changed to Connected (screen shot) and the router remained online.
In August 2016, I blogged about an experience using Wi-Fi as input to the Surf SOHO.
In June 2017, John Hagensieker wrote about connecting a router running DD-WRT to a cellphone hotspot: iPhone Tethering with Router with DD-WRT.
No product is perfect and the Surf SOHO has its downsides.
A bug was introduced in firmware version 8 and it still exists in version 8.1.1 which was released in January 2021. When you clicked the Apply Changes button in firmware 7, you were always taken to the Dashboard screen. In firmware 8, this was no longer true, the message that the changes were successfully applied appeared on whatever page you were on. However, this message is premature. After being told that the changes were applied, if you visit the Dashboard page you will see that they are still in progress for about 20 seconds or so. And even after the dashboard page says the change has been applied, you will see the CPU usage remains at or near 100% for a bit. Until CPU usage goes down on the Dashboard page, the safest thing to do is wait.
If your Internet connection is faster than 120Mbps, the Surf SOHO is probably not for you. That said, routers do not have a single speed rating, much depends on the features that are enabled. For example, Doug Reid of SmallNetBuilder.com found that enabling Smart queue QoS, slowed down the throughput of a Ubiquiti EdgeMAX EdgeRouter Lite from 940 to 120 Mbps. Routers can also employ Cut Through Forwarding to artificially inflate their speed rating. Since Peplink does not compete on speed, their speed self-rating is likely to be conservative. In February 2019, someone in the Peplink Forum reported that their Surf SOHO speed tested at 190 Mbps. Still, for connections of 200Mbps or higher, see the More Horsepower section below.
When upgrading a cable modem, I did some detailed speed tests with a second generation Surf SOHO (speed rating of 100Mbps). Speeds vary all the time, even minute to minute, so any such testing is of limited value. That said, using Fast.com, a computer tested at 91Mbps down through the router and a gigabit switch and tested at 120Mbps when directly connected to both the old and new modem. I know, I should not have tested through a switch, but I had the network to myself. At DSL Reports, the computer tested at 102Mbps through the router and switch vs. 114 directly connected to each modem. At Speedtest.net it tested at 97 connected to the router and switch, vs. 117 connected directly to each modem. So, it seems the speed rating of 100Mbps for the router is spot on. In all cases the upload speeds were identical, 11 or 12Mbps.
Peplink devices, the Surf SOHO included, do not offer file or printer sharing based off the USB port. The routers have a USB port, but it is used for a 3G/4G/LTE antenna to provide Internet access. On some Peplink routers the USB port can be used with a USB/Ethernet adapter to provide a second wired Internet connection (not sure if the Surf SOHO supports this, the Balance 20x does). I consider the lack of file sharing a plus because I only want a router to do routing. Some may consider it a minus.
When it comes to VPNs on routers, there are two things to evaluate: server and client software. For a long time the Surf SOHO could only serve as a VPN server running L2TP with IPSec and the long-disgraced PPTP. It was not until firmware version 8 that it could also function as an OpenVPN server. One nice feature is that the VPN server can limit VPN clients to a specific VLAN.
It was not until firmware version 8.1.1 (released in January 2021) that the Surf SOHO could function as an OpenVPN client. It costs $20 to add the OpenVPN client feature. However, an OpenVPN client requires a non-trivial amount of computing horsepower. According to this March 2021 Peplink Forum posting the Surf SOHO does not have the horsepower necessary for achieving much more than 10 Mbps with an OpenVPN connection using AES-256 encryption. A higher end Peplink router, the Balance One, can be expected to run at 28 Mbps down and 24 Mbps up. In my tests of the OpenVPN client software on a Synology RT2600ac, my Ethernet speeds were around 19 Mbps down. Other routers that can function as a VPN client are listed on the Resources page.
There is no WireGuard VPN client for the Surf SOHO.
Rate limiting, aka Bandwidth Control, is very limited. The Surf SOHO has a single knob to tweak for limiting bandwidth usage. You can set a maximum download and a maximum upload speed that applies to every device on the network. Higher end Peplink routers let you put network devices into one of three groups: Manager, Staff, and Guest. No limits are placed on Manager devices, and there are separate limits for Staff and Guest devices. A screen shot from firmware 7.1 shows this, along with Group Bandwidth Reservation, another feature missing on the Surf SOHO.
Because the Surf SOHO has no dedicated Guest network feature, it is missing some restrictions other routers can put on Guest users, such as limiting the time they can use the network. However, it can limit the time the Guest network exists, all SSIDs can be scheduled.
For the longest time, I was under the false impression that the Surf SOHO could not log blocked incoming connection attempts. On routers that do, I find this very interesting data. Turns out that incoming firewall rules only apply to forwarded ports. So, you have to first forward ports, then, you can make a firewall rule that logs incoming connections. When I did this, I forwarded ports to a LAN side IP address that did not exist.
There is no Wi-Fi on/off button on the Surf SOHO. You can disable Wi-Fi, if desired, but you use the web interface to do so. For more, see the page on Initial Configuration of the Surf SOHO.
On the MK3 (third) hardware version of the Surf SOHO, the web interface is confusing in the way it identifies the hardware version. In the Status section (Device sub-section) it identifies itself as "Hardware Revision 1". You have to check the Model field to look for the MK3.
The MK3 edition has a WiFi LED on the front panel that blinks all the time. I find it annoying. It blinks slowly to indicate that Wi-Fi is enabled but there are no wireless clients, and it blinks continuously to indicate wireless data transfer. Tape may be your friend.
The Surf SOHO does not have an internal speed test that tests the speed of your Internet connection.
The Surf SOHO is blind to traffic between LAN devices. I noticed this while transferring a very large file from one device on my LAN to another device on the LAN. The Surf SOHO showed nothing about the file transfer. The file transfer caused CPU usage to spike, however. This may be normal with routers, I am not sure.
Another blindness issue has to do with devices connected to the router. The list of these devices is incomplete, it only shows those that are using the Internet. Devices that only send data on the LAN do not appear. I have a NAS device on my LAN and it almost never shows up.
The Surf SOHO is a single device and any single device will have a much more limited Wi-Fi range when compared to a mesh router system. Peplink does not make a mesh router system. That said, there are two ways that owners of any single router can increase their Wi-Fi range.
Most vendors do worse, but still, the Peplink documentation is poor. While it is extensive, in terms of the number of pages, it is amazingly devoid of information. To me, it's 300 pages of "Enter your name in the Name field" repeated over and over and over. It lacks background information and an explanation of concepts. It is documentation for experts. Not that consumer routers are any better. Sadly, their interest in documentation is going downhill. In the old days, Peplink updated their documentation regularly and they kept it in sync with changes to their firmware. No more. Sometime in 2017 they gave this up. Updates to firmware v7 were never added to the User Guide. For about 2 years the User Guide for firmware 7 remained at Jan. 2017. As of May 2019, after the release of firmware v8, the manual is still for v7 but it's now dated Jan. 2019 and it's unclear what, if any, changes were made to the manual or which edition of v7 it applies to. And, there is no updated manual for firmware v8. The higher end Balance routers did have their User Guide updated for firmware v8 in April 2019, but it's marked as a Draft.
In January 2021, someone wrote to tell me that they could not use the Surf SOHO to connect to the Internet. The reason has to do with IEEE 802.1Q and IEEE 802.1P, subjects that I do not understand. I was told that the Surf SOHO supports IEEE 802.1Q for Internet access using a PPPoE WAN connection. However, it does not support IEEE 802.1P which some ISPs use to also provide telephony and TV through the Internet. This person eventually purchased a Draytek Vigor2865. Some background: 802.1p Class of Service (Peplink Forum) and How do I set up a bridge for a VLAN tag group on my Nighthawk router? (Netgear KB).
There is a bug in firmware earlier than version 7.2. The maximum password length was 32 characters (not documented by the way). If you entered 34 characters, it used the first 32 and did not tell you about the two it ignored. As of firmware version 7.2 the maximum password size is being removed, whatever that means.
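Why silent truncation matters, as an added example (not Peplink code): the first class mimics the behaviour described above, and the second shows the alternative of rejecting over-length input. The page does not say how the login form treated long input, so both possibilities are modelled as assumptions; the class names and PBKDF2 parameters are illustrative choices.

```python
import hashlib
import hmac
import os

MAX_LEN = 32  # limit the page describes for firmware earlier than 7.2


def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are illustrative, not taken from any firmware.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class SilentTruncationStore:
    """Keeps only the first MAX_LEN characters and reports success anyway."""

    def __init__(self, truncate_on_login: bool):
        # Assumption: login may or may not truncate the same way.
        self.truncate_on_login = truncate_on_login
        self.salt = os.urandom(16)
        self.stored = None

    def set_password(self, password: str) -> str:
        self.stored = _digest(password[:MAX_LEN], self.salt)
        return "saved"  # no hint that characters were dropped

    def verify(self, attempt: str) -> bool:
        if self.truncate_on_login:
            attempt = attempt[:MAX_LEN]
        return hmac.compare_digest(self.stored, _digest(attempt, self.salt))


class RejectingStore:
    """Hardened form: over-length input is an error the user gets to see."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.stored = None

    def set_password(self, password: str) -> str:
        if len(password) > MAX_LEN:
            raise ValueError(
                f"password is {len(password)} characters; maximum is {MAX_LEN}")
        self.stored = _digest(password, self.salt)
        return "saved"

    def verify(self, attempt: str) -> bool:
        if self.stored is None or len(attempt) > MAX_LEN:
            return False
        return hmac.compare_digest(self.stored, _digest(attempt, self.salt))


def demo() -> dict:
    prefix = "k3" * 16        # constructed 32-character prefix
    chosen = prefix + "!9"    # the 34-character password the user believes is set

    both = SilentTruncationStore(truncate_on_login=True)
    both.set_password(chosen)
    save_only = SilentTruncationStore(truncate_on_login=False)
    save_only.set_password(chosen)

    strict = RejectingStore()
    try:
        strict.set_password(chosen)
        strict_rejected = False
    except ValueError:
        strict_rejected = True

    return {
        # The last two characters add nothing: any tail, or none, is accepted.
        "prefix_only_accepted": both.verify(prefix),
        "wrong_tail_accepted": both.verify(prefix + "zz"),
        # If only the save path truncates, the real password no longer works.
        "owner_locked_out": not save_only.verify(chosen),
        "strict_rejects_long": strict_rejected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```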
Copying large files puts a huge strain on the CPU. Sometimes I need to copy a large file (about 15 gigabytes) from one device on my LAN to another and this causes a huge spike in CPU usage, which can be seen on the Dashboard. Specifically, I copy from a Windows machine with an SSD connected to a dumb switch plugged into LAN port 1. Sometimes I copy to a NAS with mechanical hard drives plugged into a dumb switch that is plugged into LAN port 2. Or, I will copy the file to a NAS with SSDs that is plugged into yet a third dumb switch that is plugged into LAN port 3. All devices run at gigabit speeds. While the file is being copied to the NAS with the mechanical hard drive, the copy runs at about 67 megabytes/second (says Windows) and the router's CPU is around 80% busy. When the file is copied to the NAS with SSDs, the copy runs at about 103 megabytes/second (or 824 megabits/second) and the router CPU is 100% busy. On the other hand, I did large file copies for years and never noticed the strain on the CPU because Internet access never seemed affected. And, at least the router shows the CPU information, not all routers do. I am pretty sure that if the source computer and the destination NAS were attached to the same switch, the router would not see the file transfer and its CPU usage would remain low. But, I have not tested this. (June 2020, Surf SOHO MK3)
It's great that you can back up all the current router settings to a file. The downside is that the file can only be restored to a Peplink/Pepwave router of the same model. The Surf SOHO is a bottom-of-the-line device from Peplink. If you use one, and later want to upgrade to something faster, there is no way to copy the current settings from the Surf SOHO to the new router. Even within the Balance line, you can not copy the settings file from a Balance 20, 30 or 50 to a Balance 20x. You can however, copy the settings from an older hardware generation of the Surf SOHO to a newer hardware generation.
Perhaps the worst thing about Peplink routers are the problems connecting some models (the Surf SOHO included) to some cable modems. The initial problems were with Arris modems. See Surf SOHO MK3 fix with Arris /Motorola SB modems? (March 2018) and Surf SOHO MK3 never finishes connecting to cable modem if modem reboots (June 2018) and SB6121 Cable Modem (Jan. 2017).
I have experienced this myself on two different Surf SOHO routers. In one case, turning off auto-negotiating of Ethernet speeds fixed the problem. In the other case, I tried so many things, I'm not sure what got it working. Worse still, the problem is intermittent, it does not always happen. I eventually switched to a Netgear cable modem.
Update: Aug. 21, 2018. The Netgear cable modem is also vulnerable to this problem. But, there is finally a fix for this. At the end of this Peplink forum item is a link to firmware with a fix. The direct link is here.
Update: Sept. 30, 2018. The Peplink fix is only for the latest hardware edition of the Surf SOHO (HW3). My router is the older second generation. For anyone who also has an older router, the problem does exist there too. The work-around for me has been to reverse the normal sequence of events. That is, to power on the router first and the modem second. In this case expect the WAN status to be: no cable detected -> checking connectivity -> Obtaining IP address -> Connected. I tested with firmware v7.1.1 build 3102.
Update: Dec 16, 2019: I got burned by this again. A Surf SOHO (hardware version 2) was connected to a Netgear modem and upgraded from firmware 7.1.2 to 8.0.1. After the mandatory reboot it would not talk to the modem. Rebooting back to firmware 7.1.2 did not help. Power cycling the modem, did not help. Other tweaks did not help. What fixed this was powering off both devices, powering on the Surf SOHO first, getting a "No cable detected error" and then powering on the modem. THREE full years and the problem still exists. Another suggested work-around is to put a dumb switch between the router and the cable modem.
Update July 12, 2021: People are still having this problem, the latest reports on the Peplink Forum show the Balance 20x to also be buggy. I consider this fatal, that is, it is an excellent reason not to use a Peplink router. When a Peplink router is new, it needs to be tested with whatever modem you have. Boot the router first then the modem, then reverse it and make sure it works all the time. I am told that cable modems might reboot themselves in certain problem situations, so you really want to be sure the two connect up. If you have any issue with the two pairing up, return the router. This is a sinkhole of trouble that no one should have to deal with.
Recent Updates: Firmware version 8.1 was a huge release with many changes. One change for the Surf SOHO was the addition of WPA3 for third generation (MK3) models. WPA3 is not available on the older hardware generations. Firmware 8.1 also introduced a second Event Log, one dedicated to Firewall related events. Firmware 8.1.1, released in Jan. 2021, added mesh capability.
Perhaps my favorite feature is that Peplink maintains two copies of the firmware, so you can always re-boot a Peplink router to the previous version of the firmware.
Just as important is that the company is great about maintaining old firmware. This is a H-U-G-E contrast with consumer routers that are typically abandoned. For example, in January 2018, the latest firmware for the TP-Link Archer C9 router was released October 2016. In contrast, Peplink still releases bug fixes for their firmware version 6, well after version 7 was released. Good thing too, as the first generation Surf SOHO can not run the version 7 firmware.
Unlike some other business class routers, you do not have to pay a license fee to continue to use the Peplink firmware. It's free forever.
The Peplink firmware is mature and relatively bug free. It has bugs, of course, but they are all minor. And, I say that as someone using their routers for many years. They have never, in the time I have been paying attention, had a big serious glaring security flaw.
Peplink routers can run for years without needing to be re-booted. Installing updates requires a reboot, so you may not want to run a router for a year or more without a reboot, but you can. In part this reflects the maturity of the software, but it also shows that there has not been a need to install a critical bug fix.
Like many routers, those from Peplink can back up the current settings to a file that you download. To back up the current settings at any time in either firmware 7 or 8, go to System -> Configuration -> Download Active Configurations. This downloads a very small .conf file. The file name starts with yyyymmdd, then the Peplink model number, then the serial number of the device. A really nice thing that Peplink does is to always remind you to make a backup of the current router settings before it installs new firmware. See a screenshot. All routers should do this.
Peplink routers do not self-update, you have to logon to the router (or use InControl2) and click a button (System tab -> Firmware) to check for new firmware. In years past, with firmware version 6, this has failed to detect newer available firmware. This is probably fixed by now (firmware 8.1), but I am not sure as I use the Forum often, so I am always aware of newer firmware. If there is new firmware, and you say to install it, the router will then, on its own: download it, validate it, install it and reboot itself. The latest firmware can be found at peplink.com by clicking on Support in the top right corner, then looking for the link to Firmware Downloads.
I have yet to see a router vendor that documents their firmware upgrade procedure. See the Firmware Updates page for screen shots of the process of upgrading the firmware on the Surf SOHO. I have little experience with Peplink's online administration service, InControl2. That said, it can schedule and automate firmware updates (screen shot).
Some routers can self-update, and there is a list of those I know about on the Resources page. None of the routers I have seen self-update very well. It is as if everyone was still beta testing the feature. For example, Google Wifi reboots itself in the middle of the afternoon, how dumb is that? My gripes with the way routers self-update are on the Firmware Self-Updating page. While non-techies may be better off with a self-updating router, I prefer one that is updated manually.
While maintaining two copies of the firmware is a great feature, you can not download a newer firmware to use later. Whenever new firmware is downloaded, the router automatically reboots and uses it. That said, the only real downside is the router reboot, because you can always reboot it back into the firmware you were using just before the last update. Again, InControl2 is different.
In October 2017 when the KRACK flaw in WPA2 made news, Peplink issued a Security Advisory on day one: Security Advisory: WPA2 Vulnerability (VU#228519). The normal Wi-Fi access point functions of their routers were not affected by this vulnerability. However, routers that support Wi-Fi as WAN were affected. Fixed firmware was released in about two weeks. All router vendors, but one, responded to the KRACK flaw in some way; at the least, they issued a press release saying they were researching the issue. The lone holdout was Apple.
This is a good news bad news story. The good news is that, if configured correctly, the Surf SOHO offers the best possible security for a Guest Wi-Fi network. The bad news is: getting to that point is hard. Or, rather, it was hard for me, but I have documented the necessary steps to hopefully make it easy for you.
By the "best possible security" I mean that guest users can see the Internet and nothing else. That is, devices on the Guest network are totally isolated from all other devices connected to the router. If an IoT device, connected to what passes for a Guest network on the Surf SOHO, gets hacked, it can not infect or spy on anything else. Any malicious device on a well secured Guest network can not even detect that other devices are connected to the same router. Specifically:
The details of configuring this type of network isolation on the Surf SOHO, used to be here, but were moved on December 15, 2017 to the new VLAN page. Guest Wi-Fi networks offer some network isolation but to do this right requires VLANs, an advanced feature not found on consumer routers. The new VLAN page starts with an introduction to the concept of VLANs, followed by instructions for configuring them on the Surf SOHO.
March 9, 2020: Peplink will update the Surf SOHO with a fix for the pppd buffer overflow flaw in firmware 8.1. According to Peplink, on their platform, the threat to the general public from this bug is basically non existent.
The Surf SOHO has external, detachable antennas that use a standard connector providing two upgrade options. Obviously, you can replace the antennas. Or, less drastically, using an RP-SMA Female to RP-SMA Male cable you can simply move the antennas away from the router.
The front of the Surf SOHO has two small and dim lights. The back has two fairly bright lights on each Ethernet port. These lights are great to have, I would not want a router without LED lights on its Ethernet ports, but in a dark room some people may find them a bit too bright. There is no way to dim or disable the Ethernet LED lights.
Originally, the Surf SOHO could not schedule anything. When the ability to schedule things was first introduced in firmware 6.3 (December 2015), the number of things that could be scheduled was limited. As of firmware 6.3.2 (July 2016) the Wi-Fi could be scheduled, but individual SSIDs could not. The scheduling of individual SSIDs is now available in firmware version 7.0. Being able to schedule network(s) to turn themselves off at times when no one will be using them is a nice security feature.
Here is a screenshot of a custom schedule that I defined, one that turns off at 1am and back on at 6am. You do this at System -> Schedule. Here is a screenshot of the definition of an SSID that is assigned to this schedule.
New consumer routers make it easy to pause Internet access for children. You either list the attached devices and kick them off-line one at a time, or you assign all the devices belonging to children to a group and pause that group. The Surf SOHO can not do this, per se, but you can get the same effect by assigning children to their own SSID. Then, you can either schedule the availability of that SSID or manually disable it as needed.
The Ethernet ports on the Surf SOHO have orange and green LEDs which can be very helpful in debugging a connection problem. If something isn't working, the first thing to check is whether, at the Ethernet level, the two devices are talking to each other. The LEDs also indicate the speed the Ethernet port is running at. Fewer and fewer routers seem to offer this. And, the Ethernet ports are metal, not plastic. I also like that the Ethernet ports are dedicated to WAN and LAN use. Many of the latest consumer mesh Wi-Fi router systems have Ethernet ports that determine for themselves whether they are on the LAN or WAN side of things. I don't know how that works, but it strikes me as an accident waiting to happen.
Many of the new consumer mesh router systems support Bluetooth, which opens a whole new can of worms when it comes to security. Those that I looked into fail to document exactly what Bluetooth is used for and I have not seen one that lets you disable Bluetooth. The Surf SOHO does not do Bluetooth.
Like all router vendors, Peplink also offers a smartphone app and a cloud service. The smartphone app is relatively new and not nearly as full-featured as the web interface. Their cloud service, InControl2, has a nifty feature: remote access to the web interface. If you are willing to use a cloud service (I am hesitant) this means you no longer need to deal with Dynamic DNS for access to a router whose IP address may change at any time.
NOTE: The Pepwave Surf SOHO is not the same as the Pepwave Surf On-The-Go (SOTG). They are quite different. The Surf On-The-Go is a small travel router with a single Ethernet port. It's also much cheaper. I own the Surf On-The-Go and would not recommend it. I have traveled with it and it worked just fine. But the software/firmware it runs is very different from the mainline Peplink software. Different, and to me at least, worse.
Each Peplink router has a unique serial number burned into the device. Even if the router is factory reset, its serial number does not change. This serves to prevent theft. If the device is registered with InControl2, then it will show up in the owner's account when the thief connects it to the Internet. Its public IP address can be given to law enforcement to track it down. From here. Only question is what if the thief disables InControl2?
Another benefit of Peplink routers is debugging. There are two features that aid the company in solving a problem. The first is a Diagnostic Report that you can generate. The router will download a small diagnostic file (about 200K) that you can attach to a problem ticket when requesting technical support. What a great system. If Peplink needs to look at your router to debug a problem, you don't need to give them a password, the router has a built in Remote Assistance feature. Needless to say, it is off by default.
I once upgraded an old Surf SOHO (hardware version 1) with a new one (hardware version 2). I backed up the configuration settings from the old one to a file (many routers do this) and imported the file to the new router. It worked fine. Both routers were running the same firmware version.
The list of supported Dynamic DNS (DDNS) providers is a bit confusing. Definitely supported are dyndns.org, changeip.com and no-ip.org. A forum posting from December 2016 says that TZO is also supported, but I did not see it listed in Firmware 7.1.1. On the flip side, firmware 7.1.1 says that DNS-O-MATIC is supported, but it is not mentioned in the forum posting. There is also an option for other providers using a custom URL, but others must support the DYN API. I tried to use dynu.com in April 2016 and it failed for me. However, in August 2018, two people confirmed on the Peplink Forum that dynu does work if you specify a URL of api.dynu.com/nic/update.
The Surf SOHO lets the admin user be logged on twice. Each login and logout is reflected in the Event log. This may be a bad thing, but it might also come in handy if the first logon is legit and connection to the router was lost for some reason. A second logon from somewhere else would be allowed.
The Peplink cloud system for managing their products is called InControl2. It is totally optional and can be disabled at any time. A new Surf SOHO includes a one year warranty and a one year subscription to InControl2. Any Peplink device under warranty includes access via InControl2. After the first year you can extend access just to InControl2, without extending the warranty, for $29 for 1 year (SKU ICS-012) or $49 for 2 years (SKU ICS-024). While the Surf SOHO is under warranty, you can extend the warranty. Not all Peplink devices allow InControl2 without being under warranty. Those that do: Balance One and Core, Balance 20, 30, 50, MAX BR Series, MAX On-The-Go, AP One Series, AP Pro FusionHub Essential and FusionHub Pro.
Back in 2014, a hacker found a flaw in Peplink software. It became news in November 2016 when the details were presented at a security conference. According to Lucian Constantin of PC World, the hacker "was impressed with how Peplink responded to his report and how the company handled the vulnerability." That's what you want in a router vendor. A Motherboard article by Andrada Fiscutean said basically the same thing:
The hacker notified Peplink. He was amazed by how fast they replied to his email, and how dedicated they were to patching the flaw. "[We] worked directly with Amihai so that we could release a fix as quickly as possible," Eric Wong, evangelist at Peplink, said. The patch was soon available. Their commitment to security made the hacker trust them. At home, Neiderman is using a Peplink router, the one the company gave him as a thank you for notifying them.
And, the flaw was only exploitable because the Peplink routers were miserably deployed. Whoever was in charge, made at least three security mistakes configuring the routers.
Are bad guys using your Wi-Fi network? Peplink routers, including the Surf SOHO, offer lots of details for looking into this after the fact. For one thing, every attempted login to the web interface of the router is logged in the Event log, whether it worked or not. Included in this log is the source IP address. You can also enable DHCP logging, which should provide an audit trail of every device connecting to the router. The log includes the MAC address of the device. There is also an Access Point log that shows every device connecting and disconnecting from all the Wi-Fi networks created by the router. This log too, includes the MAC address of the router client.
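One way to work through those three logs together after the fact, as an added example (not Peplink code). The log line layouts, MAC addresses and IP addresses below are constructed for illustration and are not the router's real log format; a real export needs its own patterns.

```python
import re
from collections import Counter

# Constructed sample lines. The layouts are assumptions made for this example,
# not the router's real log format; adjust the patterns to a real export.
EVENT_LOG = """\
Jan 10 01:12:03 Admin: admin (192.168.1.20) login failed
Jan 10 01:12:09 Admin: admin (192.168.1.20) login failed
Jan 10 01:12:15 Admin: admin (192.168.1.20) login failed
Jan 10 01:12:31 Admin: admin (192.168.1.20) login successful
Jan 10 08:40:00 Admin: admin (192.168.1.5) login successful
"""
DHCP_LOG = """\
Jan 10 01:10:44 DHCP: 192.168.1.20 leased to 02:00:00:AA:BB:01
Jan 10 08:30:10 DHCP: 192.168.1.5 leased to 02:00:00:AA:BB:02
"""
AP_LOG = """\
Jan 10 01:10:40 WLAN: client 02:00:00:AA:BB:01 associated with HomeNet
Jan 10 01:25:02 WLAN: client 02:00:00:AA:BB:01 disassociated from HomeNet
Jan 10 08:30:05 WLAN: client 02:00:00:AA:BB:02 associated with HomeNet
"""
KNOWN_MACS = {"02:00:00:aa:bb:02"}  # constructed inventory of devices you own

TS = r"(?P<ts>\w{3} +\d+ [\d:]{8})"
MAC = r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
LOGIN_RE = re.compile(
    TS + r" Admin: \S+ \((?P<ip>[\d.]+)\) login (?P<result>failed|successful)$")
LEASE_RE = re.compile(TS + r" DHCP: (?P<ip>[\d.]+) leased to " + MAC + r"$")
ASSOC_RE = re.compile(TS + r" WLAN: client " + MAC + r" associated with (?P<ssid>.+)$")


def _matches(pattern, text):
    """Yield the named groups of every line the pattern recognises."""
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            yield m.groupdict()


def audit(event_log, dhcp_log, ap_log, known_macs, max_failures=3):
    known = {mac.lower() for mac in known_macs}

    # DHCP log: which MAC held which IP address (the latest lease wins).
    ip_to_mac = {d["ip"]: d["mac"].lower() for d in _matches(LEASE_RE, dhcp_log)}

    # Access Point log: every MAC that joined, and the SSIDs it joined.
    joined = {}
    for d in _matches(ASSOC_RE, ap_log):
        joined.setdefault(d["mac"].lower(), set()).add(d["ssid"])
    unknown_wifi = {mac: sorted(ssids) for mac, ssids in joined.items()
                    if mac not in known}

    # Event log: count failed admin logins per source IP and flag a success
    # that follows a run of failures, tying the IP back to a MAC via DHCP.
    failures = Counter()
    success_after_failures = []
    for d in _matches(LOGIN_RE, event_log):
        ip = d["ip"]
        if d["result"] == "failed":
            failures[ip] += 1
            continue
        if failures[ip] >= max_failures:
            success_after_failures.append({
                "ip": ip,
                "mac": ip_to_mac.get(ip),
                "failed_before_success": failures[ip],
                "time": d["ts"],
            })
        failures[ip] = 0

    still_failing = {ip: n for ip, n in failures.items() if n >= max_failures}
    return {
        "unknown_wifi_clients": unknown_wifi,
        "success_after_failures": success_after_failures,
        "still_failing": still_failing,
    }


if __name__ == "__main__":
    for name, value in audit(EVENT_LOG, DHCP_LOG, AP_LOG, KNOWN_MACS).items():
        print(name, value)
```

A MAC address is set by the client and many phones randomize it per network, so an unknown MAC is a lead to follow up and a known one is not proof of identity.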
FYI: From the Peplink Forum (August 2019). The manual fails to mention that the reset button serves two purposes. If you press it for 5-10 seconds, the admin password is reset (green status light starts blinking). Press it longer than 10 seconds for a factory reset (not sure what the lights do).
FYI: From the Peplink Forum: Peplink rocks! Total satisfaction (July 22, 2017).
VPN: As of January 2019 and firmware 7.1.2, the router could function as a VPN server supporting both PPTP and L2TP with IPsec. Firmware version 8.0 was released in early 2019 and it added the ability to also function as an OpenVPN server. See Configure Remote User Access using OpenVPN. In late 2020 or early 2021, another new firmware release added the ability for the router to function as an OpenVPN client. However, there is a $25 charge for the OpenVPN client.
The Peplink announcements page includes security advisories.
An unboxing video of the MK3 model, and a review, is available from RV Mobile Internet. They like it for "great support for tethering cellular modems and hotspots over USB." Another unboxing video for the MK3, this one from 5Gstore (previously known as 3Gstore), is from December 2016: Surf SOHO MK3 Hardware Version 3 Unboxing and Overview. They also did Pepwave Surf SOHO - User Interface Overview back in 2013 with Firmware version 6.
Here is my one concession to everyone's interest in Wi-Fi speed. On a net connection that peaks at 108Mbps, I can get 40Mbps from a Surf SOHO version 2 on the 2.4GHz band with a standard 20MHz wide channel. A Surf SOHO v3 (MK3), running Wi-Fi ac on the 5GHz band, with a narrow 20MHz channel, tested at 62Mbps. With a wider channel, and a device that supports the wider channel, speed on the 5GHz band would increase. Many speed tests are done with two LAN side devices, these were done with the Speedtest.net Android app from the Internet. Your mileage will vary. Heck, my mileage varies.
This topic has been moved (and expanded) to the Secure Routers page.
Like every single-device router, the Wi-Fi range of the Surf SOHO is limited. While many other router vendors offer mesh networking (multiple Wi-Fi devices working together to form a single large network) Peplink does not. A posting on the Peplink Forum in July 2020 offered two suggestions for extending the Wi-Fi range of the Surf SOHO.
The first option is obvious: add one or more wired Access Points (AP). Peplink offers a number of different APs with prices starting at just over $100 US. Higher end Peplink routers can control one or many Peplink Access Points using controller software built into the router. However, the Surf SOHO does not offer controller software so the router and the AP need to be configured individually. More at these 2020 Forum postings: "Surf SOHO MK3 and AP One Mini" and "AP One as a wifi extender for SOHO MK3?". The latter posting suggests that the LAN port of the router needs to be TRUNK ANY and that the router needs to be the only DHCP server (AP should be in Bridge mode). There are two options for talking to a Peplink AP: over the LAN using its LAN side IP address and the web interface inside the AP, or Peplink's cloud service InControl2.
Either way, there is yet another decision: whether to use only the Wi-Fi from the AP or to use both the Wi-Fi from the Surf SOHO and from the AP. In the latter case, the AP would have to be configured from scratch with the same SSIDs and same VLANs as the Surf SOHO. And, if the AP is using VLANs, it needs to be connected to a Trunk LAN port on the Surf SOHO. For more on Trunk LAN ports see the VLAN page.
The second option is to disable the Wi-Fi on the Surf SOHO and connect a mesh system to a LAN port of the router. In the Forum posting someone recommended the Aruba InstantOn line of Access Points. Like Peplink APs, these too have an internal web interface for configuration. There is also an Aruba mobile app. The AP12 seems to be the mid-tier model. It sells for about $150 US with a power cord (NOTE: by default Aruba InstantOn APs do not ship with a power cord, some retailers bundle one in). Note that even with local Wi-Fi disabled on the Surf SOHO, the WiFi-as-WAN feature can still be used.
To this, let me add that the Ruckus Unleashed line of Access Points is very much like the Aruba InstantOn in that each AP has an internal web interface for configuration. I am no expert on either of these AP lines, but it seems that you can start with a single AP and then add more, if needed.
Peplink and Pepwave routers are sold by Peplink partners, many of whom do not put prices on their web site. The only partner that I have used and feel comfortable recommending is 5G store (this is not an affiliate link). They sell single devices to the public and publish prices for the lower end models (up to about $700 or so). Then too, there are Peplink Authorized eTailers. The difference between a partner, reseller and eTailer is a mystery to me.
It is also available from Amazon which sold it for years without being an official licensed Peplink partner. Sometime in 2020, Amazon became a Peplink partner. Still they would not be my first choice as they can't even keep up with the specs. For years now Amazon has listed the router as being capable of 300Mbps speed which was never true. They also list very old specs that were true years ago, but are no longer valid. For example, the LAN ports are said to be 100MB when they are gigabit. It also lists the router as only doing WiFi N, years after it was upgraded to WiFi ac. In June 2018, Amazon offered the MK3 edition of the Surf SOHO with no antennas (it needs three) and suggested adding a pair of antennas for more money. 5G Store always sold it with three antennas. And, 5Gstore offers tech support.
In 2013, when I purchased my first Surf SOHO, it was hardware version 1 and it cost $130 without external antennas. Hardware version 2 was initially available for $159 without external antennas, but that didn't last. By and large it was $179 with external antennas. Hardware version 3 (the current MK3 edition) was initially $180 (give or take) when it was released late in 2016. That didn't last long, it soon went up to $200 with three external antennas. The price has been stable for a very long time. One exception, due to the pandemic, was around May 2020 when prices spiked and it was hard to get. You can see on this graph from CamelCamelCamel.com that the price doubled at the time.
One reason to upgrade from a Surf SOHO would be speed. As noted earlier, the Surf SOHO MK3 (hardware version 3) is rated at 120Mbps by Peplink. That said, Peplink is conservative in their speed ratings. Still, even if you find it can run at 140Mbps or 150Mbps, that will still be too slow for some people. Not many people, but some.
Another reason to upgrade is for wider Wi-Fi coverage. There is a limit as to how large an area a single router, any router, can cover. The higher end Balance line of routers includes controller software for managing Peplink Access Points (APs) but the Surf SOHO does not. So, for a long time I wondered about using a Peplink Access Point with the Surf SOHO. It was not addressed in any documentation that I had seen. Until January 2020, when I ran into this posting on the Peplink Forum. Someone asked about connecting a Peplink AP via Ethernet to the Surf SOHO and configuring both the AP and the Surf SOHO with the same SSIDs and passwords. The response, from a well-known expert, was that this works fine and devices should seamlessly connect to whichever device has the stronger signal. It's not mesh, but it can extend the Wi-Fi range. I hope to test this soon...
I am no expert on the 84 different routers offered by Peplink. That said, probably the best step up is the $400 Balance 20x (available at 5G store) which is rated at 900Mbps. As a member of the Balance line, it comes with added features such as multiple concurrent Internet connections, Access Point controller software and the ability to limit bandwidth to certain devices. If a single wired Internet connection is not sufficient, the USB port can be connected to a USB-Ethernet adapter. Peplink says it can handle up to 60 concurrent devices.
The Balance 20x includes a 4G/LTE modem, which can serve as a backup Internet connection. This can be especially useful for remote monitoring of, perhaps, a vacation home when you are not on vacation. There are cheap 4G/3G data plans that are speed limited. This would be perfect for reporting a burglary, a flood or cold weather that might freeze the pipes even when the main Internet connection has failed. Connect the Balance 20x to a UPS and you can be warned of remote trouble even if the power goes out.
On the downside, it has only two Wi-Fi antennas (the Surf SOHO has three). But, if you need to extend the Wi-Fi range with Peplink Access Points, it does have the controller software. It also does not support the Wi-Fi as WAN feature (the Surf SOHO does). Wi-Fi as WAN lets the router use a Wi-Fi connection as input rather than output (granted, not the most accurate terminology). I have used this feature when my main ISP suffered an outage. I turned on the hotspot feature in a smartphone and used the Wi-Fi coming out of the smartphone as input to the Surf SOHO. Worked like a charm and my Ethernet connected devices kept on chugging. So you would not think the 20X is a good choice for an RV, but see this first look from an RV perspective: Peplink Balance 20X Router – An Intriguing New Option for Mobile Users (July 2020).
The cheapest step up is the $300 Balance 20, which is currently rated at 150Mbps (again Peplink is conservative in their ratings). But, the Balance 20 does not do Wi-Fi. However, it supports two concurrent Internet connections, something the Surf SOHO does not. An older Balance 20 model had two WAN ports, the latest one has three. You can pay extra to activate the third WAN port to support three concurrent Internet connections. From years of personal experience, I can attest that Peplink routers are great at handling concurrent Ethernet-based WAN connections. The older version of the Balance 20 was $300 when I first purchased it in 2011. The newer version is the same price (as of August 2020) for faster hardware with additional functions. My 9 year-old router is still chugging. It has been in continuous service all this time. The Balance 20 is sold at 5G Store.
The Peplink Balance line of routers specializes in dual-WAN, that is, concurrent usage of two independent connections to the Internet. In July 2018, someone identified only as MJB87 wrote this posting, "Recent dual-WAN experience: Asus vs. Cisco vs. Peplink", at the SmallNetBuilder Forum. It compared the dual-WAN experience of the Asus AC68U, the Cisco RV340W and the Balance 20.
One warning: if you are considering upgrading from a Surf SOHO to any model in the Peplink Balance line, be aware that you can not take the file with a backup of the Surf SOHO configuration and import it into a Balance router. All the configuration changes that were made to the Surf SOHO will need to be re-created manually on the new Balance router.
All the Peplink routers support wireless Internet access via a 4G/LTE antenna plugged into the USB port on the router. If you don't have a mobile device with a USB interface, smartphones running Android v4.x and later can be tethered to the USB port to provide 4G/LTE Internet access. I have not tried this. Peplink touts this for failover on the Balance Ones but that is selling themselves short. The 4G/LTE connection can also be used concurrently with a wired WAN connection, load balanced together.