anschmid
Feb 03, 2017 Apprentice
CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network
I was just playing around with the Guest Network in Orbi and made a rather disturbing discovery that guest clients don't seem to be separated totally from the main network, in fact can access ...
Vandergraff
Mar 24, 2018 Apprentice
What do you mean 'Might fix this issue...'
Nothing in release notes suggests it would?
Aspenthedon
Mar 24, 2018 Aspirant
Right, I feel like that statement can be deceiving: either it addresses the issue that's been questioned for a very long time or it doesn't. Is it fixed in the FW or not? I don't get why this issue keeps getting avoided. It makes no sense and in my eyes it is kind of unprofessional for the issue to not be taken care of yet, with no updates as to what type of progress is being made to fix this concerning issue. There is literally an option to not show the guest network the devices, and it completely contradicts that option. Would love a valid response or explanation or even some status update. Thanks
- EcoFuelEngineer Mar 28, 2018 Aspirant
We have purchased several of the "Pro" routers and satellites. We have been struggling with this issue for several days - until we came across this thread. Clearly the Orbi does NOT support the functionality claimed and more worryingly seems to have zero commitment to addressing it or getting it fixed. This is not acceptable as a "business" product - we will be moving away from Netgear completely based on this issue - I tried to contact Netgear for support (even before I saw this thread) which went so far and then my call was disconnected by the support representative. We have had similar issues with other purportedly enterprise solutions which aren't enterprise - ReadyData 5200 - Layer 3 switches M6000 chassis and this is the final straw.
- schumaku Mar 28, 2018 Guru - Experienced User
EcoFuelEngineer wrote: We have purchased several of the "Pro" routers and satellites. We have been struggling with this issue for several days - until we came across this thread. Clearly the Orbi does NOT support the functionality claimed and more worryingly seems to have zero commitment to addressing it or getting it fixed. This is not acceptable as a "business" product - we will be moving away from Netgear completely based on this issue - I tried to contact Netgear for support (even before I saw this thread) which went so far and then my call was disconnected by the support representative. We have had similar issues with other purportedly enterprise solutions which aren't enterprise - ReadyData 5200 - Layer 3 switches M6000 chassis and this is the final straw.
You might bring it to the Business GM's attention by adding a post on the Connect With The SMB GM forum. I would hope johngm can join this discussion. Certainly not what he does expect to read from the loyal Netgear customer base.
- JoeM845 Mar 28, 2018 Luminary
Bad news! I just received a response to a support case on the guest network that I opened about a year ago. This is from a level 2 tech passing on an engineering response:
"After verifying this with the engineering team, they said that this is not a bug and this is by design. Orbi does not block arp packets for guest network. It means when customer is using arp scan tools, it would show the devices connected to the Orbi but it would only allow arp to go through. Other users could not access the main network or send files to the main clients."
Implications to me
1) The device is designed to always allow "guests" some visibility into the main network. I don't know enough about the ARP protocol to know how much information is transferred and if all the information that IPScanner finds comes through the ARP protocol.
2) The design implementation is flawed because Netgear's Prosafe Plus Utility has no problem reaching switches on the main network when run from a computer on the guest network.
3) A fix is not likely in the near term with the current set up because neither the tech nor the engineering team seems to have paid attention to the portion of my case that said the Prosafe Plus Utility reaches through to the main network. They don't think there is a problem.
- johngm Mar 29, 2018 NETGEAR Employee Retired
Sorry that you haven't gotten a response on this sooner and thanks to schumaku for forwarding it on to the "Connect with the SMB GM" area which I am regularly monitoring.
Next let me start by saying I am sorry that you had a bad experience with a support representative. We take the quality of the support experience very seriously here at NETGEAR and if you can provide any information on the specifics of the call or a ticket number I would be happy to investigate and get back to you.
With regards to the concerns you have about OrbiPro, OrbiPro uses SSID isolation to provide a secure guest, employee and management domain. Within both the base station and satellites, OrbiPro will assure that all guest and employee SSID traffic is exclusively routed to the Internet through the WAN port on the base station. This effectively prevents a person on the guest WiFi (or the employee WiFi for that matter) from being able to “snoop” or penetrate the traffic traversing the hardwired ports or the management WiFi. The current firmware does block all Layer 3 and unicast traffic from being bridged or routed between the guest, employee and management network. So communication between wireless stations is effectively blocked. Clients within the Guest network are also blocked from communicating with each other, so client isolation is supported. I recently became aware that the current 2.1.3 release does, however, allow multicast and broadcast discovery protocols (UPnP, Bonjour, LLDP) to bridge across SSIDs. While this doesn't permit any traffic snooping or network penetration, it violates your privacy by unintentionally allowing guests to see some of the devices that are on your management network. This is a defect and we will immediately fix it in our next release of the code.
As I mentioned above, I am sorry that you had a bad interaction when you attempted to contact us and make us aware of the issue with this product. Myself and my entire team are strong advocates for the power and effectiveness of tools like this community versus the traditional (and largely inefficient) models built around call centers. I hope that you give NETGEAR another chance and utilize our communities to get the most out of your NETGEAR products.
John
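An added example, not part of any post in this thread and not NETGEAR code: a small audit an administrator could run over frames captured on their own guest SSID, to see which of the protocols named above (ARP, UPnP/SSDP, Bonjour/mDNS, LLDP) arrive from devices that belong to the main network. The MAC addresses and sample frames are constructed, and the function names are hypothetical.

```python
import struct

# Discovery protocols the thread names as crossing SSIDs (ARP and LLDP are matched by ethertype).
DISCOVERY_PORTS = {5353: "mDNS/Bonjour", 1900: "SSDP/UPnP"}

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def classify(frame: bytes):
    """Return (src_mac, is_group_addressed, protocol) for one Ethernet II frame."""
    if len(frame) < 14:
        return None
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    proto = f"ethertype 0x{ethertype:04x}"
    if ethertype == 0x0806:
        proto = "ARP"
    elif ethertype == 0x88CC:
        proto = "LLDP"
    elif ethertype == 0x0800 and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4              # IPv4 header length in bytes
        if payload[9] == 17 and len(payload) >= ihl + 4:   # UDP
            (dport,) = struct.unpack("!H", payload[ihl + 2:ihl + 4])
            proto = DISCOVERY_PORTS.get(dport, f"UDP/{dport}")
        else:
            proto = f"IPv4 proto {payload[9]}"
    return mac(src), bool(dst[0] & 1), proto       # I/G bit set = broadcast or multicast

def audit(frames, main_macs):
    """Frames seen on the guest SSID whose sender is a known main-network device."""
    main = {m.lower() for m in main_macs}
    return [i for f in frames if (i := classify(f)) and i[0] in main]

def udp_frame(dst: bytes, src: bytes, dport: int) -> bytes:
    """Build a minimal constructed IPv4/UDP frame (checksums and addresses zeroed)."""
    ip = bytes([0x45, 0]) + b"\x00\x1c" + b"\x00" * 5 + bytes([17]) + b"\x00" * 10
    return dst + src + b"\x08\x00" + ip + struct.pack("!HHHH", 40000, dport, 8, 0)

NAS = bytes.fromhex("02aabbccdd01")    # constructed MAC of a main-network device
GUEST = bytes.fromhex("02aabbccdd99")  # constructed MAC of another guest client
SAMPLE = [                             # constructed guest-side capture
    b"\xff" * 6 + NAS + b"\x08\x06" + b"\x00" * 28,                    # ARP broadcast
    udp_frame(bytes.fromhex("01005e0000fb"), NAS, 5353),               # mDNS multicast
    udp_frame(bytes.fromhex("01005e7ffffa"), GUEST, 1900),             # SSDP from a guest
    bytes.fromhex("0180c200000e") + NAS + b"\x88\xcc" + b"\x00" * 4,   # LLDP
]
LEAKS = audit(SAMPLE, {"02:AA:BB:CC:DD:01"})
```

An empty result on a real capture means no main-network sender was visible from the guest side; an entry with the group-addressed flag set to `False` would mean a unicast frame crossed as well.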
- EcoFuelEngineer Mar 29, 2018 Aspirant
John thank you for taking the time to reply. I need to say that my original message was posted in a moment of extreme frustration. The equipment was purchased on the premise that it could do what we wanted and we have 3 orbi pro routers and 6 satellites for various sites so to discover via this thread what we were hoping to achieve isn't possible was really frustrating. We have also experienced serious network disruption when we enabled the guest portal because we have some legacy telephony kit in the 192.168.1.x subnet which seemed to reset every time the guest portal was enabled. Which knocked out the phones of 200 people! You can imagine it did not make us flavour of the month.
Add to this the experience with the Indian call centre from an agent who clearly had no idea of anything we were talking about it all wound up in my frustrated post for which I apologise.
What I need is a conversation with someone who understands the product and its capabilities and can help us incorporate it into our existing setup. Do you think you could connect me to that sort of resource? More for a high level network design conversation than anything else?
Thank you for your reply
Sincerely
Nigel Hoar