anschmid
Feb 03, 2017 (Apprentice)
CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network
I was just playing around with the Guest Network in Orbi and made a rather disturbing discovery that guest clients don't seem to be separated totally from the main network, in fact can access ...
Mister-Mike
Aug 27, 2018 (Aspirant)
OK - I am hoping for some (possible) help here... I am very concerned about this. I have around a dozen or so small mortgage offices (only a couple of users at each), where I have the Orbi RBR50 plus satellite installed. In all cases, the networks are IPV4 only, and IPV6 is disabled. All of the units have the absolute latest firmware to-date (2.1.4.16). At each location, I have the private network on subnet 192.168.0.X, and on the Orbi, the network is in ROUTER MODE on subnet 10.0.0.X. I have discovered that, even with the option DISABLED in the guest network settings, that ANYONE who connects to the guest network can easily and readily access ANY of my servers/resources on the 192.168.0.X subnet! I was pretty shocked. I managed to connect to the guest network, and easily not only PING one of the servers, but was able to RDP onto the server, as well as access the shared data volume.
This is completely unacceptable - and this is at all 12 locations. Again - with only 2 or 3 people on-site, I saw no reason to go beyond the RBR50 + Satellite units for these tiny offices. And I assumed that correctly having the guest network set-up would keep access to the wired 192.168.0.X network secure. Again - IPV4 ONLY, in ROUTER mode. Is there a fix here? I am already running firmware 2.1.4.16. The thought of having to replace all of these, because of a glitch with Netgear, is ridiculous. I loved these so much, that I also bought this for my own home, and for friends' homes. One note - I was promised over the phone when speaking to Netgear for general product info, that the guest network would be isolated! Ugh..... now what?
If anyone has any ideas or advice, it would be so very much appreciated... more than you know. Thank you very much in advance for any help you can give...
st_shaw
Aug 27, 2018 (Master)
If I understand what you wrote correctly, you have Orbi in Router mode behind another router, with the 192.168.0.x subnet on the WAN side of Orbi.
If so, the behavior you report is not a glitch with NETGEAR. The behavior is as expected, and is due to the way you have Orbi set up.
Guest isolation pertains only to the LAN side of Orbi and does not affect traffic heading to the WAN side of Orbi. The PRO would behave no differently. Also, Orbi's guest isolation only pertains to wireless clients, not wired machines.
If you want to maintain two separate networks, then you need a router that supports multiple subnets and IP-based firewall rules to control traffic between subnets. If your current router doesn't support this, you could buy a cheap router that does and run the Orbi in Access Point mode behind that.
- Mister-Mike, Aug 27, 2018 (Aspirant)
Thank you for that insight/explanation...
So, if I am understanding you correctly... then the following scenario WOULD work, or? As follows:
- A cable modem coming into the building, in Bridge Mode / Pass-Thru mode.
- The modem connected to the WAN port of the ORBI (yellow "Internet" port)
- a small gigabit switch connected to one of the ports in the back of the ORBI (1 thru 4 - any port)
- the switch, connecting to several PC's in the home via Cat5e/Cat6 Ethernet
- The ORBI in ROUTER mode, providing all IP assignments / DHCP assignments
- Then, create a GUEST network in the wireless settings.
In this scenario, with only the ORBI providing all routing, and the only thing behind the ORBI is a cable modem in Bridge Mode, providing zero routing... then anything on the LAN wired through a small switch, then connected to one of the ports on the back of the ORBI. In this scenario, would the guest network be able to "see/interact with" the wired devices?
If this is the case, I can easily implement this type of setup (these are VERY small places - just a couple users, one single room etc.).
Thank you again for the clarification!
- st_shaw, Aug 27, 2018 (Master)
Your isolation requirements aren't clear to me. But, yes, in the scenario you described, any wireless client connecting to the Orbi's guest SSID would be blocked from interacting with the rest of the Orbi LAN--both wired clients and wireless clients connected to the Orbi non-guest SSID. This assumes guest isolation is enabled on Orbi (and working as designed.)
- JoeM845, Aug 27, 2018 (Luminary)
I am running fw 2.1.4.16 on an RBR50 in AP mode. When I run an IP scanner from a Windows 7 computer on the guest wireless network, it "sees" most (all?) devices on the wired LAN side of the RBR50. I have not been able to connect to them the way I could with previous versions of the fw, but I can detect their presence, their IP addresses, and their MAC addresses. I have not done an exhaustive connection test; I don't know enough to devise an exhaustive test.
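A repeatable connection test for the situation discussed in this thread, as an added example that is not part of any poster's message and is not NETGEAR code: run it from a client on the guest SSID against your own servers. It sorts each target by st_shaw's distinction (Orbi's own LAN versus a private subnet on Orbi's WAN side) and reports whether a TCP connection succeeds. The 10.0.0.0/24 Orbi LAN comes from the thread; the helper names and verdict strings are assumptions made for this example.

```python
import ipaddress
import socket
import sys

# Assumption from the thread: Orbi in router mode hands out 10.0.0.x.
ORBI_LAN = ipaddress.ip_network("10.0.0.0/24")

def zone_of(host, orbi_lan=ORBI_LAN):
    """Classify a destination relative to the Orbi (hypothetical helper)."""
    addr = ipaddress.ip_address(host)
    if addr in orbi_lan:
        return "orbi-lan"          # guest isolation is supposed to apply here
    if addr.is_private:
        return "upstream-private"  # WAN side of Orbi: isolation does not apply
    return "internet"

def tcp_reachable(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(targets, probe=tcp_reachable, orbi_lan=ORBI_LAN):
    """Run from a guest-SSID client; targets is a list of (host, port)."""
    results = []
    for host, port in targets:
        zone, is_open = zone_of(host, orbi_lan), probe(host, port)
        if zone == "internet":
            verdict = "out of scope"
        elif not is_open:
            verdict = "blocked"
        elif zone == "orbi-lan":
            verdict = "isolation failure"
        else:
            verdict = "exposed: needs upstream firewall rule"
        results.append((host, port, zone, verdict))
    return results

if __name__ == "__main__":
    # Usage: python guest_audit.py 192.168.0.10:3389 10.0.0.20:445
    pairs = [(h, int(p)) for h, p in (a.rsplit(":", 1) for a in sys.argv[1:])]
    for row in audit(pairs):
        print(*row, sep="\t")
```

A "blocked" result only covers the TCP ports you list; hosts can still show up in an IP scanner, as in the last post, without accepting connections.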