Forum Discussion
anschmid
Feb 03, 2017Apprentice
CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network
I was just playing around with the Guest Network in Orbi and made a rather disturbing discovery: guest clients don't seem to be separated totally from the main network, in fact they can access many resources on the main network.
My setup is a normal wireless setup and I have also created a Guest Network. Note under Advanced -> Guest Network I have DISABLED "Allow guest to see each other and access my local network". This would indicate to me that the Guest Network would be isolated from the main network.
However I noticed when I connect to the Guest Network I get an IP address in the same range as the main network, which is already strange. The usual way to separate a Guest network is to have a separate IP range. Orbi doesn't do that as it doesn't seem to have a separate DHCP server for the Guest Network.
Now having the same IP segment I noticed that some trickery is done that prevents TCP connection to main network. For example if from the Guest Network I want to ping a system on the main network it times out. So Netgear does something to block standard layer 3 TCP connections.
However I have a number of devices that use Bonjour (mDNS) services on my main network, for example my printer and my file server use it. Now even when I am connected to the Guest Network I can still see these devices and CONNECT to them!
I am not sure what to think about this but this is a major security hole. People would assume that a Guest Network is separate from the main network, but from what I can see right now the Orbi Guest Network has only a partial separation that is not really a Guest Network at all!
- rhester72Virtuoso
If you're in AP mode, it's (currently) going to behave exactly as you describe, which is long-known and has been announced as to be fixed in a future update. If you're in router mode, you're the first to report such a thing.
Rodney
- anschmidApprentice
Yep I do think I am in Router mode: according to this:
And as I said I did un-tick the box to allow the Guest Network access as seen here:
Yet connected to the Guest Wifi Network I can print on my printer (via Airprint) and can access my file server which are both hardwired into the Orbi. I cannot ping them or access them via HTTP browser but I can see them via Bonjour (mDNS) advertising in my Finder sidebar and connect to them by clicking on them.
- fbgInitiate
It sounds like the Orbi forwards multicast IP packets between the guest and main networks, even when the isolation box is selected, but blocks other IP traffic between these zones. I'm just guessing. I would agree this is a bug. I wonder if this was done to support some services that use broadcast or multicast, like DHCP or UPnP? If so, I would like to see configuration options / check boxes to allow or block specific broadcast and multicast traffic from leaking between guest and primary networks.
Even if the Orbi forwards IP multicast between guest and main networks, that doesn't explain why access to the printer and file server are permitted. Hopefully, Netgear will investigate and respond soon.
- whsbuss-1Apprentice
I would hope in router mode all connections to the guest SSID would provide a separate subnet, i.e. 192.168.10.xxx and assign IPs. That would provide direct access to the internet thru the router but prevent any connectivity to the normal LAN. I know with FiOS here and having to keep their router in the loop, when I tested google wifi (they don't allow bridge mode and mesh and have a locked in 192.168.86.xxx LAN) I could not access my FiOS local LAN.
- anschmidApprentice
From what I can see the Orbi today provides an IP address for the guest clients in the same IP range as the main network 192.168.1.0/24. It must be, as there is no way I have found in the GUI to define a separate IP range or DHCP server settings for the Guest Network. Other routers I have had usually have that option.
It might be possible to do a Guest Network in the same IP address range but it becomes very hard. It also assumes a pure Orbi setup and that all traffic always goes through the router. If you have for example a semi-intelligent switch in such a configuration, it learns IP addresses and could forward traffic in the same subnet without involving the router, and that would circumvent all the policies.
The cleanest way IMO is to use a separate IP address range, e.g. 172.16.X.X for the Guest Network, because then all traffic between the main and guest network has to go through the router to be routed properly, and that's where you have a single point of control.
- kamahaffey1Initiate
I was considering purchasing this for my office. I need to be able to have a guest network without the guests possibly being able to access and/or see the other devices hooked to the network (e.g. printers, servers, etc.). Has this been fixed or is it still a possible security issue?
- rhester72Virtuoso
It works as expected in AP mode in the latest firmware, unless you have an IPv6 network presence (which the filter completely ignores).
I believe it's worked properly in router mode for several releases now, so as long as you are IPv4 only, I think you should be fine with guest isolation.
Rodney
Running latest firmware 1.11.0.20. (July 2017). Guest Network is basically broken. Not isolated at all from the main wifi network. Using Orbi as an access point (AP). Apparently, some of the other Netgear routers are able to isolate the guest network even when used as an access point (AP). Please, Netgear Fix This.
- rhester72Virtuoso
Are you running dual-stack with IPv6, by any chance?
A few releases back, they finally had IPv4 blocking working in AP mode, but not IPv6. Those without a dual-stack setup would have seen guest isolation to be working fine.
Rodney
Hi rhester72
Sadly I am not. Just a plain IPv4 home network with a pretty normal range of home wifi devices. When I check my router/internet modem, all devices are connecting via IPv4 addresses. To the best of my knowledge, I am not actively using IPv6 in my home network.
Just a reminder that I am having this issue with the Orbi system being used as a WiFi access point (AP) and NOT as a router.
I have a new Orbi and see the same problem with the current s/w (2.1.1.16).
My Orbi is in AP mode sitting behind a Cisco RV325 router that provides better security, plus VLANs used for wired IOT devices (amazingly I have three of these).
I enabled a Guest network and did NOT check the "enable guests to see...". I connect to the Guest network with my phone and run a scan and I can see all the devices on the primary network. Access to some devices was blocked (e.g., Epson printer), but access to other devices (e.g., router) was possible.
This is NOT a secure Guest network. Odd, because certainly NetGear knows how to do this right. It could be done with VLAN tagging from the primary router, it could be done with a separate address space entirely (e.g., 10.x.x.x), etc.
Netgear has a real opportunity to meet a very real consumer need:
a) primary wifi network for home users.
b) guest wifi network for general use (that works as advertised, but not as implemented)
c) secure secondary wifi network for IOT devices which isolates every device from every other device and from the primary network.
d) secure wired network (at least one port which can be connected to switch) for wired IOT devices (pool, garage door opener, window shades, etc.) isolated from all other devices and networks.
These are de facto VLANs, though I understand that they can't be presented as VLANs for consumers. But that is the need and certainly Netgear has the ability to provide the functionality and then package it as something more consumer friendly.
But for now they have not done that and the Guest network is not secure.
- DarrenMSr. NETGEAR Moderator
I have raised this concern to engineering about the guest network. BIG9MM if you want to use another router in front of the orbi system you would just need to set orbi in ap mode.
https://kb.netgear.com/31218/How-do-I-configure-my-Orbi-router-to-act-as-an-access-point
DarrenM
- Can Orbi and Orbi Pro in AP mode support a proper VLAN set-up with multiple SSIDs mapped accordingly, with both the wired and the wireless backhaul?
Considering Insight 4 is supposed to support these devices soon: How will Orbi and Orbi Pro APs be integrated with capable Insight/Smart Managed Pro VLAN switches and the low cost WAC505/510 access point VLAN infrastructure offering correct network isolation then please?
What routers does Netgear suggest for such environments - considering all Orbi, Orbi Pro and Nighthawk are suffering from these problems - and still (after years and years of customer requests!!!) not support industry standard tagged VLAN?
Insight does make it possible to set up, manage and expand such an environment with ease. Netgear has everything required to fulfill this very basic requirement - except for routers.
Deploying a different router without VLAN-SSID mapping on Orbi does not solve the issue. The KB entry is ok for flat networks only and does in my opinion not apply to an environment requiring proper isolation.
Netgear has all design and engineering capabilities for switching and wireless access in home, SOHO, and SMB - including a nice Insight management system. Just the Nighthawk and Orbi/Orbi Pro are still stuck on the first home router design limitations from 25+ years ago when Netgear introduced the first ZyNOS based router to the market. Worth noting: That router had capable IPsec VPN capabilities for a VPN server and a VPN client. And it had the ability to add WAN-LAN firewall filtering rules. Capabilities silently lost since. And the community is full of requests for these features. It's just that the people in charge apparently don't care about real world requirements.
Just like the broken (and impossible to achieve) pure Layer 2 guest network isolation. Should Netgear be interested in a product line manager - I'm available.
- rhester72Virtuoso
As much as I too would like to see features like this, they are definitely focused more on the 'prosumer', whereas Netgear's products are clearly and squarely aimed at the "set it and forget it" consumer market. I'd very seriously doubt you will ever see things like VLAN splitting (outside of that required for WAN support in select European markets) included in the product. Just my $0.02.
- appierroApprentice
Darren, thank you for being a champion for us in regards to feedback to Netgear engineers, however I found a thread with the same issue / complaint and you raised it to engineers back in December of 2016. Have there been any updates or communication with you since that time regarding this issue? At this point, we all know that Netgear either doesn't have a fix, plan on fixing, or doesn't take this community seriously.
Thanks again
I think at this point all we are getting is lip service with no action if this was raised a year and a half ago and still nothing has been done about it.
- Miles267Apprentice
When will this issue be fixed? Unacceptable for any router or access point.
- OmniverAspirant
Wow, was literally about to go and buy this system. Glad I read this, I'll be looking elsewhere - guest and IOT devices should have *no* capacity to communicate with my trusted systems
- The first wave to be released are only for the RBR50 and RBS50, which is used in the RBK50 and RBK53 (Costco) kits.
New beta FW available. Get it while it's hot off the press:
Might fix this issue...
- VandergraffApprentice
What do you mean 'Might fix this issue...'
Nothing in release notes suggests it would?
- AspenthedonAspirant
Right, I feel like that statement can be deceiving: either it addresses the issue that's been questioned for a very long time or it doesn't. Is it fixed in the FW or not? I don't get why this issue keeps getting avoided. Makes no sense and in my eyes is kinda unprofessional for the issue to not be taken care of yet, with no updates as to what type of progress is being made to fix this concerning issue. There is literally an option to not show the guest network the devices and it completely contradicts that option. Would love a valid response or explanation or even some status update. Thanks
- Mister-MikeAspirant
OK - I am hoping for some (possible) help here... I am very concerned about this. I have around a dozen or so small mortgage offices (only a couple of users at each), where I have the Orbi RBR50 plus satellite installed. In all cases, the networks are IPV4 only, and IPV6 is disabled. All of the units have the absolute latest firmware to-date (2.1.4.16). At each location, I have the private network on subnet 192.168.0.X, and on the Orbi, the network is in ROUTER MODE on subnet 10.0.0.X. I have discovered that, even with the option DISABLED in the guest network settings, ANYONE who connects to the guest network can easily and readily access ANY of my servers/resources on the 192.168.0.X subnet! I was pretty shocked. I managed to connect to the guest network, and easily not only PING one of the servers, but was able to RDP onto the server, as well as access the shared data volume.
This is completely unacceptable - and this is at all 12 locations. Again - with only 2 or 3 people on-site, I saw no reason to go beyond the RBR50 + Satellite units for these tiny offices. And I assumed that correctly having the guest network set-up would keep access to the wired 192.168.0.X network secure. Again - IPV4 ONLY, in ROUTER mode. Is there a fix here? I am already running firmware 2.1.4.16. The thought of having to replace all of these, because of a glitch with Netgear, is ridiculous. I loved these so much, that I also bought this for my own home, and for friends' homes. One note - I was promised over the phone when speaking to Netgear for general product info, that the guest network would be isolated! Ugh..... now what?
If anyone has any ideas or advice, it would be so very much appreciated... more than you know. Thank you very much in advance for any help you can give...
I see there was mention of this issue being resolved in the PRO version. Not sure if this has populated to the Home version. I presume you are using the PRO version? Or Home? It's not recommended to use Home products in a business setting. Things tend to lead to products not working as well for the Business environment. Business environments need more than Home class products for safer and secure operations. You may need to look into better business solutions for your needs if you're using a Home class system. If you're concerned about this, you'll need to disable the Guest Network feature on your systems.
Mister-Mike wrote:
- Mister-MikeAspirant
Hello! Well, I wish I was advised to buy the Pro. The offices are small, only a couple of users each.... and I was ready to purchase whatever was recommended. No one mentioned a Pro system. So now I will need to look into upgrading... however I can't believe there isn't an answer to this. Because - regardless, this is also completely unacceptable in ANY home environment. An isolated guest network is just that - an isolated guest network, whether in a home or wherever. I am not opposed to buying Pro versions, but I need some type of stopgap/workaround in the meantime if possible...
- st_shawMaster
Mister-Mike wrote:
If I understand what you wrote correctly, you have Orbi in Router mode behind another router, with the 192.168.0.x subnet on the WAN side of Orbi.
If so, the behavior you report is not a glitch with NETGEAR. The behavior is as expected, and is due to the way you have Orbi setup.
Guest isolation pertains only to the LAN side of Orbi and does not affect traffic heading to the WAN side of Orbi. The PRO would behave no differently. Also, Orbi's guest isolation only pertains to wireless clients, not wired machines.
If you want to maintain two separate networks, then you need a router that supports multiple subnets and IP-based firewall rules to control traffic between subnets. If your current router doesn't support this, you could buy a cheap router that does and run the Orbi in Access Point mode behind that.
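The two designs argued over in this thread, the flat "same subnet, block unicast to the LAN" behaviour anschmid observed (where mDNS still gets through) and the separate-subnet, firewalled design st_shaw and anschmid recommend (which also covers Mister-Mike's case of a private subnet sitting on the WAN side), modelled as a small Python policy evaluator. This is an added example, not Netgear's code or the Orbi firmware's actual logic; the scenario addresses, the 172.16.0.1 guest gateway and the simplification that multicast always reaches the shared segment are assumptions.

```python
import ipaddress
from dataclasses import dataclass

MDNS_GROUP = "224.0.0.251"   # Bonjour/mDNS multicast group
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    dst: str      # destination address of a packet sent by a guest client
    proto: str    # "tcp", "udp" or "icmp"
    dport: int = 0


def is_rfc1918(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def flat_guest_policy(pkt: Packet, lan: str) -> str:
    """Flat design as reported in the thread: guests share the main LAN subnet,
    unicast to LAN hosts is dropped, multicast still reaches the shared segment,
    and traffic leaving through the WAN port is not inspected at all (assumption)."""
    dst = ipaddress.ip_address(pkt.dst)
    if dst.is_multicast:
        return "forward"                 # mDNS discovery leaks to guests
    if dst in ipaddress.ip_network(lan):
        return "drop"                    # the only thing the checkbox blocks
    return "forward"                     # includes private nets behind the WAN port


def routed_guest_policy(pkt: Packet, gateway: str) -> str:
    """Routed design proposed in the thread: guests get their own subnet; allow
    DHCP/DNS to the guest gateway, deny multicast, link-local and every RFC1918
    destination wherever it sits, and forward only real Internet traffic."""
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.dst == gateway and pkt.proto == "udp" and pkt.dport in (53, 67):
        return "forward"
    if dst.is_multicast or dst.is_link_local or is_rfc1918(pkt.dst):
        return "drop"
    return "forward"


def compare(scenarios):
    """Return {name: (flat_verdict, routed_verdict)} for each scenario."""
    return {name: (flat_guest_policy(pkt, lan), routed_guest_policy(pkt, gw))
            for name, pkt, lan, gw in scenarios}


# Constructed scenarios matching the posts above; all addresses are made up.
GUEST_GW = "172.16.0.1"
SCENARIOS = [
    # anschmid, router mode: guest pings the file server on the main LAN
    ("ping file server", Packet("192.168.1.20", "icmp"), "192.168.1.0/24", GUEST_GW),
    # anschmid: guest sends an mDNS query and sees the Bonjour printer/server
    ("mdns discovery", Packet(MDNS_GROUP, "udp", 5353), "192.168.1.0/24", GUEST_GW),
    # Mister-Mike: Orbi LAN is 10.0.0.x, office servers sit on 192.168.0.x via WAN
    ("rdp via wan", Packet("192.168.0.5", "tcp", 3389), "10.0.0.0/24", GUEST_GW),
    # ordinary browsing; a TEST-NET-2 address stands in for a public web site
    ("https to internet", Packet("198.51.100.10", "tcp", 443), "10.0.0.0/24", GUEST_GW),
    # a DHCP renewal to the guest gateway must survive the routed policy
    ("dhcp to gateway", Packet(GUEST_GW, "udp", 67), "10.0.0.0/24", GUEST_GW),
]
```

Running `compare(SCENARIOS)` shows the flat policy forwarding both the mDNS query and the RDP session to the WAN-side office subnet, while the routed policy drops both and still permits Internet and DHCP traffic.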
- Mister-MikeAspirant
Thank you for that insight/explanation...
So, if I am understanding you correctly... then the following scenario WOULD work, or? As follows:
- A cable modem coming into the building, in Bridge Mode / Pass-Thru mode.
- The modem connected to the WAN port of the ORBI (yellow "Internet" port)
- a small gigabit switch connected to one of the ports in the back of the ORBI (1 thru 4 - any port)
- the switch, connecting to several PC's in the home via Cat5e/Cat6 Ethernet
- The ORBI in ROUTER mode, providing all IP assignments / DHCP assignments
- Then, create a GUEST network in the wireless settings.
In this scenario, with only the ORBI providing all routing, and the only thing in front of the ORBI being a cable modem in Bridge Mode providing zero routing, anything on the LAN is wired through a small switch connected to one of the ports on the back of the ORBI. In this scenario, would the guest network be able to "see/interact with" the wired devices?
If this is the case, I can easily implement this type of setup (these are VERY small places - just a couple users, one single room etc.).
Thank you again for the clarification!