We're ready to put some real security on the VisionNet M505N modems we have re-purposed into a WAP for both isolating our IoT devices and a guest wireless network. Just like before, later settings will differ based on how you are using the modem (whether for IoT isolation or guest wireless). I'll start with the basic settings for both, and include an extremely helpful 'hidden' page you can use to your benefit.
In fact, since you now have a functional configuration that hasn't been set up for restricting your own access, we are going to cover that 'hidden' page. While still connected to the modem, navigate to the address "http://[modem IP address]/customermain.html". Click on the 'Backup Current Settings' button. It reports when it is finished (it is only a matter of seconds).
You've just written the current configuration of the modem to be the default (down to the username, password, and wireless settings). To revert to this state (if you would mess up the configuration, and lock yourself out of the modem) just hold the reset button in for five seconds, and release. Otherwise, you have to do a 90-second reset to revert back to the true factory settings (and losing all of your configuration).
Of course, that sets the modem to default management accounts. To change the passwords for those accounts, click on the 'Management' menu item, then select 'Management Accounts'. The page describes the accounts very well, typically the default password for the "admin" account is "0123456789", and the password for the "support" account is also "support". The "support" account works from the "WAN-side" whereas the "admin" account is for the modem's LAN.
Next is the "Access Control List". From the same 'Management' menu item, and select 'IP Restriction'. Generally I first 'Add' the range of IP address(es) I am currently on to the modem, then 'Enable Access Control Mode'. Keep in mind that you can set the M505N externally (using the "support" account) by setting the appropriate IP address range(s).
You need to turn on which management services (like HTTP or SSH) in 'Access Control' from the same 'Management' menu item. If the "ppp0" column doesn't show, click on the drop-down box at the top of the chart. It shows which modem interface services are accessible from the LAN (even to turn them off if you only manage the WAP externally) and "WAN" (the DMZ interface of your pfSense firewall). Remember you can fast-reset the modem if you mistakenly cut off your own access.
'Apply/Save' any changes you make, and remember if you have a working configuration you want to save as a default, access the 'hidden' page. In the next part I will start to cover the IP and URL filtering you can use, stay tuned!