NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network
I was just playing around around with the Guest Network in Orbi and made a rather disturbing discovery that guest clients don't seem to be separated totally from the main network, in fact can access ...
CliffP wrote:
I have Orbi on latest firmware and set in Router mode, not AP mode.
I connect to the guest network on my iPhone and then use the Fing app (https://www.fing.io/) and can see every single device--i.e. it's useless as a guest network. :(
You can see devices with Fing. So what? If you try to ping or connect to any devices from a client connected to the guest WiFi, you will find that you cannot.
Not true. I'm able to connect to any number of devices that use Bonjour. Other posts show similar flaws in the security.
And "so what"? The first step of hacking into a system is know what targets are availble. The product says it hides guest users from each other. So what is that it doesn't do that.
I can confirm that this is still an issue with firmware version V2.1.2.18.
Signed into the guest network and using Fing I can see ALL devices on my regular home network. In the Guest Network settings, "Allow guests to see each other and access my local network" is unchecked.
To clarify, am I correct that, as of January 2018, the Guest network still has the various shortcomings described above, but only when operating in AP Mode? And that, when using the Orbi in "router mode" (i.e., as your main router), the Guest network operates as it should (isolating main network resources, including making them invisible to guests on the Guest network)? Thanks for the clarification.
No, the issue still exists when in Router mode too.
That's a shame. After all this time, I'd assumed that Netgear would have been able to fix this and totally isolate the Guest network, as they've done on the last several Netgear routers I've used.
It's a deal breaker for me. A secure, isolated Guest network is critical. I was just doing my final research before running out to Costco to buy the RBK50 with two satellites to set up this weekend. Now I'll have to reassess.
To be fair, the devices in my guest network sit in the same IP range as my regular network. However, I would still expect them not to be able to see the devices in my regular network.
Or maybe I'm doing it wrong?
Will a Netgear engineer pick this issue up? This is an issue that is across many threads and affects many users and seems to not have been resolved for some time. Guest Network is essentially rendered useless.
Our support team would like to troubleshoot this issue with you if you would like to work with them please send me a PM with your name, email, and phone number.
DarrenM
wrote:Our support team would like to troubleshoot this issue with you...
This is a design failure. Nothing the customer support can fix.
Business and advanced home users expect correct isolation of the work and the guest network. VLANs are not introduced since yesterday, and are not rocket science. And again for the records, this is nothing new with Orbi for Business, with Orbi, ... the issue exists as long Netgear does offer this highly questionable "design" on earlier routers, Nighthawks inclusive.
Very sad.DarrenM -- thanks for the post and for the interest in resolving this. If you read back through the posts, you will see what the issue is, so I am not sure I could add to it by directly communicating with you via PM or phone. If I am mistaken, however, and if you would like to contact me by PM, please PM me and I will respond with my phone number and email address to discuss the problem with you. I'd like to see this issue resolved in a firmware update. As it is now, I (and others) see this as a critical flaw that must be corrected.
Any help is welcome. I opened a support case on this in March, shortly after I bought the unit. I have been informed from time to time that engineering is working on it. I did not return the RBK50 on that assurance.
1. Unfortunately, I'm experiencing the same thing with the guest network seeing everything on my local network. I understand if you uncheck the option about the guest network not accessing each other they are supposed to not have access, but still is there a way if you're logged in to the guest network be able to ping devices on the local network? If so that's a security vulnerability.
2. My girl brings her law office laptop home and it is connected to the local network, I don't want the guest network to be able to have any access to her work computer or really even to see it... I can put in front of the ORBI my other router Asus rt-ac88u which I just need a little help understanding how to set it up that way and I greatly appreciate if you guys can explain if there's a workaround if I implement my Asus rt-ac88u in front of the ORBI.
- I think when it's in router mode it does NOT properly segment network I will be checking because I am in process of setting up iot devices and this would really skew me
All,
Thank you for your choosing Orbi Pro and your loyalty with Netgear. I appreciate all of your feedback that helps us making Orbi Pro an even better product for your business. I personally read all of your feedback and comments and take them very seriously, especially in cases like this.
Please note that we have identified the issue and have rectified it with a FW update that you can download and update your Orbi Pro units.
This FW update can be found below.
Download Orbi Pro Firmware 2.1.4.8 with Client isolation
Orbi Pro Product Management
NaderA wrote:
All,
Thank you for your choosing Orbi Pro and your loyalty with Netgear. I appreciate all of your feedback that helps us making Orbi Pro an even better product for your business. I personally read all of your feedback and comments and take them very seriously, especially in cases like this.
Please note that we have identified the issue and have rectified it with a FW update that you can download and update your Orbi Pro units.
This FW update can be found below.
Download Orbi Pro Firmware 2.1.4.8 with Client isolation
Orbi Pro Product Management
This is the Orbi “non” Pro forum. Would love to see an isolation solution for the home products.
Yeah, I appreciate that you state that you read them all and take them seriously, but I agree you misunderstand. Isolation is supposed to be an option on non-Pro and that's what this thread is about. There is a checkbox in our settings, and it's worthless.
I have devices that I do want to totally isolate from my PC and files, and non-Pro is supposed to do this - but it's another bug that has been unresolved.
MY guess is that you fixed the bug for the Pro because many have a business requirement to isolate traffic, and you probably don't want to get sued.
If you really are reading all these messages, perhaps you can put a new, general thread up explaining to everyone on these forums that you understand how upset your user base is about the overall lack of quality in your firmware (and QA), and what you plan to do to fix it, and what the timeline is.
NaderA wrote:
All,
Thank you for your choosing Orbi Pro and your loyalty with Netgear. I appreciate all of your feedback that helps us making Orbi Pro an even better product for your business. I personally read all of your feedback and comments and take them very seriously, especially in cases like this.
Please note that we have identified the issue and have rectified it with a FW update that you can download and update your Orbi Pro units.
This FW update can be found below.
Download Orbi Pro Firmware 2.1.4.8 with Client isolation
Orbi Pro Product Management
I don't understand why the FW link takes you to a page on salesforce.com.
I, too, would appreciate it if Netgear addressed the problem for the non "pro" Orbis
100% agree. Security is *NOT* a business perk. It's a market requirement, period, and if you don't grasp that, your competitors do.
- I posted it a while back that I was dissatisfied about guest network able to access the local network but I just want to clarify with this new patch, Orbi firmware update v2.1.4.16 does it fix the issue now? Any clarification on this would be helpful and beneficial for future customers.
BIG9MM wrote:
I posted it a while back that I was dissatisfied about guest network able to access the local network but I just want to clarify with this new patch, Orbi firmware update v2.1.4.16 does it fix the issue now? ...I updated to FW 2.1.4.16 today by clicking on the update message on the RBR50 main Web GUI page and then electing to install all automatically. It proceded and completed. The sattelite took a few extra minutes to complete, but it eventually sinced up with no manual intervention.
It seems to be working more-or-less as well as it was prior to the fw upgrade:
1) The Prosafe Plus utility will no longer brieach the guest network wall to let me reconfigure switches (note: Also upgraded to 2.7.2)..
2) My IP scanner tool still shows devices on the main network -- both IP and MAC addresses)
3) A number of devices are missing from the connected devices displays where they used to appear. Sattelite shows 1 device (> zero). I would exoect to see the remaining devices split between the 2 ORBIs.
Hello,
I've just updated to v2.1.4.16 firmware on my home Orbi system. I've been recommended by cyber security professionals that I isolate smart devices in my home on their own separate network. The responses here seem to indicate that Orbi is not taking this seriously for non-pro users - can anyone confirm if they have made the necessary changes to ensure our security in this latest firmware?
Thank you.
You just installed the latest version. Can't you confirm for us?
As of 11/25/18 - the problem still exists. Although I'm in AP mode - realizing that it's not actually separating the two networks is enough for me to return this device.
User00 wrote:
As of 11/25/18 - the problem still exists. Although I'm in AP mode - realizing that it's not actually separating the two networks is enough for me to return this device.
As you see form reading this thread, Netgear does not intend to change this for the consumer class Orbi system.
schumaku wrote:
As you see form reading this thread, Netgear does not intend to change this for the consumer class Orbi system.
FWIW, I opened a ticket with Netgear explaining the issue and asking if this was by design or a bug. They asked me to send them my config and they will put it in their test environment to confirm. To me, if that would allow one engineer to see the problem in action and then be able to fix it - i'll keep the setup.
Of course, now as I'm in the process of changing the SSIDs and passwords of the config - I ran into another weird bug - where the satellite only seems to sync the base password, but not the WiFi settings unless I perform a factory reset.
So for me, fixing these two issues (and maybe adding an option to remotely reboot the satellite without having to upload a firmware) - then you have a decently solid product.
So response from Netgear support (had to be escalated) was that because the SSIDs are indeed on the same network - the broadcast NMAP/Fing traffic cannot be prevented. However, because they are blocked from actually making any connections to those devices then that's sufficient for Guest isolation. If you are able to make a connection to any device, then they'll investigate further.
So while, it's not necessarily a deal breaker for some - I wish they would mention this on the product page without having the users discover it on their own.
