anschmid
Apprentice
Feb 03, 2017

CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

I was just playing around with the Guest Network in Orbi and made a rather disturbing discovery: guest clients don't seem to be separated totally from the main network; in fact they can access many resources on the main network.

My setup is a normal wireless setup and I have also created a Guest Network. Note that under Advanced -> Guest Network I have DISABLED "Allow guest to see each other and access my local network". This would indicate to me that the Guest Network would be isolated from the main network.

However, I noticed that when I connect to the Guest Network I get an IP address in the same range as the main network, which is already strange. The usual way to separate a Guest network is to have a separate IP range. Orbi doesn't do that, as it doesn't seem to have a separate DHCP server for the Guest Network.

Now, having the same IP segment, I noticed that some trickery is done that prevents TCP connections to the main network. For example, if from the Guest Network I want to ping a system on the main network, it times out. So Netgear does something to block standard layer 3 TCP connections.

However, I have a number of devices that use Bonjour (mDNS) services on my main network, for example my printer and my file server use it. Now even when I am connected to the Guest Network I can still see these devices and CONNECT to them!

I am not sure what to think about this, but this is a major security hole. People would assume that a Guest Network is separate from the main network, but from what I can see right now the Orbi Guest Network has only a partial separation and is not really a Guest Network at all!

117 Replies

  • You can ask to get the beta firmware. I've tested it and it seems this issue is resolved in the new version.
      Mister-Mike
      Aspirant

      I would love to test this Jeremy - who should I contact?  Their regular support department?

        Jeremyinsf
        Apprentice
        There is a pinned post about joining. Check that out and ask to be added to the beta program. It isn't immediate but perhaps state in your post you want to test a specific issue that may be resolved that you are currently having issues with. Hopefully they will add you quickly with that.

        FYI, this was one of the first things I tested when I got the new firmware, as I have other posts about this topic as well. Would love to hear you confirm you also think it is corrected.
    FURRYe38
    Guru - Experienced User

    Yes, that would work. Make sure your switch is a NON-managed switch. Orbi doesn't seem to like managed switches.

  • As good as Netgear Orbi may be, the fact that it retains its #1 spot does not excuse them from the privacy that a guest network should have. This is an over one-year-old problem, so it looks like it will never be fixed. I know first hand that customers have spoken to Netgear support on the phone and then the issue goes silent with no fix. I tested Orbi just over a year ago and I was blown away with the coverage and performance, but advertising and supporting a guest network that is not isolated from the main network is unacceptable. In fact, in my own testing I contacted Netgear over a year ago and asked them why the guest network got an IP in the same range as the main network, and that went unanswered. Buyer beware. You can read the complaints here.

      User00
      Star

      It's really all about managed expectations.  If all you need is coverage for no more than 2 SSIDs with one of them as a "trusted" guest - then the Orbi is really a great product.  If you need the true separation between clients and networks - then you'll just have to look somewhere else.  Somehow, I don't think anyone is going to print that on the box though....

  • I went into a large corporate business today that I noticed had some Orbi Pro attached to the wall. There was one locked network and one with a guest label (no password). I viewed this thread a little while ago so I decided to check. I managed to access their computer network and view some pretty sensitive sales and personnel data. Now I have no use for any of that so I didn't look any further into it, but pretty scary stuff.
      BIG9MM
      Apprentice

      dan801 wrote:
      I went into a large corporate business today that I noticed had some Orbi Pro attached to the wall. There was one locked network and one with a guest label (no password). I viewed this thread a little while ago so I decided to check. I managed to access their computer network and view some pretty sensitive sales and personnel data. Now I have no use for any of that so I didn't look any further into it, but pretty scary stuff.

      Are you talking about the Orbi or the Orbi Pro?  I did think it was fixed on the Orbi Pro.

  • Just got off the phone with a support engineer. He claims that since a guest network is a different SSID key they are different networks? I am skeptical, since nodes on my guest network are assigned IPs that I have defined on my LAN (10.0.0.2 - 200). I was hoping to have a guest network in the default IP range (192.168...). Has anyone gotten this configured successfully?

      ThisIsAwkward
      Aspirant

      I was also told by Level 2 support that the Guest Network is only there as a means to provide guests access to my network and that the guest network cannot be segmented from the LAN.

      schumaku
      Guru - Experienced User
      Netgear does deploy some L2 isolation for the standard vs. the guest network on these consumer devices. All systems are run from the same DHCP in the same subnet. The isolation can be considered "good enough" for consumer applications. On Orbi Pro a few enhancements have been implemented, enhancing the isolation. Still, it's not intended to serve dedicated VLANs and dedicated subnetworks and DHCP pools.

      Not amused that Netgear support engineers are not able to explain this in a few words.
  • I have read this thread and understand little of it, so I ask for assistance. I have a 3500 s.f. home, a rental unit about 150' away and an RV (sometimes used for guests) about 75' away. I want to allow internet access to the rental and RV but isolate my home network. From reading this thread, it would appear the RBK60 Pro is the best way to accomplish this. Or stay with the RBK53? I have access to both models as well as an EX7500 extender.

    Also, if I go with the RBK60 or RBK53, would there be any security issues extending the range to the rental and guest RV without using the Orbi outdoor satellite?  If not, what is the recommendation?

      johngm
      NETGEAR Employee Retired

      TECman51,


      First of all, let me clear up a few things. The RBK5X and RBK6X family have the same radios, but the 60 family is designed for small business applications (mounting, software features, etc.). So from the standpoint of wireless connectivity you are going to be in the same boat with both, and the 6X and 5X family DON'T talk to each other, so don't try to mix them.

      With Orbi, the radio and product design are really optimized to generate a very high quality backhaul (from satellite to base station, or satellite to satellite), and the client-facing radios are tuned to limit crossover interference between the satellites and base station. In simple terms, for best performance make sure you can see the base station or a satellite from wherever you want good performance, and make sure the line between the satellites and the base station is as clear as possible.

      In open air (without obstructions) we have seen Orbis perform well at more than 500' of separation, so your distances are not a problem. What will need to be considered is the type of walls and the number of walls between the base station and the satellite. For best results, place the base station on the side of your home which faces your guest house and RV. Similarly, place the satellites in each of those units nearest to the house. Metal walls are particularly challenging, so you may want to place it near a window (not low-e, hopefully) in the RV.

      With regards to isolation, this is where there is a difference between the RBK5X and SRK6X. Orbi Pro uses SSID access as a basic way to isolate traffic and access within an Orbi network. On Orbi Pro you can set up three different "networks" using a Management, Employee, and Guest SSID. The "Guest" SSID will send all traffic out the WAN port, so it will not have access to local assets on the other SSIDs or the hardwired ports on the base station and satellites. The same is true of the "Employee" SSID. The "Management" SSID allows access to all devices on the hard ports and the other SSIDs. The RBK5X products and all other "Orbi" products do not offer this isolation. The Guest SSID is just a different set of credentials to get access to your whole network.

      One last bit of insight. Orbi Outdoor works with both the RBK5X (and other Orbi products) and the SRK60 (Orbi Pro products). It is similar in internal design to the 5X and 6X and can help you if penetrating walls as well as outdoor obstructions is an issue getting to your guest house and RV.

      Hope this helps.


      john

        BIG9MM
        Apprentice

        This is where I felt like I got robbed. When I bought the Orbi I assumed the guest network would isolate the Chromecast from streaming Chromecast media to my home network; unfortunately, anybody with guest network access can stream anything on top of any of my TVs. Now, turning off the guest network option allowing each other to see each other will not allow them to stream their Chromecast device to the TVs that are on the guest network. Another downside is I set up a printer wirelessly for the guest network and no one can see the printer on the guest network if I don't allow devices to be seen by each other on the guest network. Without having an Orbi Pro, I find the guest network not straightforward and very hard to configure for privacy and convenience for the guest network.

  • Activated the guest mode and unchecked "Allow guests to see each other and access my local network". Now on guest wifi I cannot open the router's login page, but all devices connected to the main wifi are visible in the NetAnalyzer app on Android.
      BIG9MM
      Apprentice
      Visible in the NetAnalyzer app on Android, yup, no news at all. That is why they put out the Orbi PRO version, I believe.
      schumaku
      Guru - Experienced User

      Vahik wrote:
      Activated the guest mode and unchecked "Allow guests to see each other and access my local network". Now on guest wifi I cannot open the router's login page, but all devices connected to the main wifi are visible in the NetAnalyzer app on Android.

      Yes - however, you won't be able to establish e.g. TCP or UDP connections between the different networks. This was explained in this thread before, several times. Scroll back to about Message #57 - there is even a reply from johngm on the subject. https://community.netgear.com/t5/Orbi/CAUTION-Orbi-s-Wifi-Guest-Network-does-not-really-isolate-guests/m-p/1540059/highlight/true#M26848 Netgear does not intend to enhance things towards a full VLAN-like isolation on the consumer routers (Nighthawk, Orbi). Only the Orbi Pro systems will get (or have received already) some enhancements.

        schumaku
        Guru - Experienced User

        The guest WLAN, the standard WLAN and the LAN all share the same L2 infrastructure, including the very same TCP/IP subnetwork and DHCP server with its DHCP pool and more. With the isolation feature for the guest network enabled (that's all there is implemented!), the individual guests can't communicate with other devices on the guest network or with devices on the standard (W)LAN. In no way is this providing a complete L2 isolation bottom up.
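The posters in this thread checked their guest isolation by hand: does the guest lease fall in the main LAN range, does a ping to a LAN host get through, do Bonjour/mDNS devices show up, does the router login page open. The following Python turns those checks into a small audit rubric, as an added example that is not from the thread or from NETGEAR; the observation values are constructed from what posters reported, not measured, and the three isolation levels are this example's own labels.

```python
"""Guest-network isolation rubric built from the checks posters in this thread made
by hand.  Nothing here probes a network: the observations below are constructed from
the thread's reports, and the level labels are this example's own."""
from dataclasses import dataclass, field
from ipaddress import ip_network

LEVELS = {0: "no isolation", 1: "client isolation only (shared L2)", 2: "segmented"}


@dataclass
class GuestObservation:
    guest_ip: str                 # address leased to the guest client
    guest_prefix: int             # prefix length from the guest's netmask
    lan_network: str              # main LAN as configured on the router
    lan_unicast_reachable: bool   # did ping or TCP to a LAN host succeed?
    router_admin_reachable: bool  # does the router login page open from the guest side?
    mdns_services_seen: list = field(default_factory=list)  # Bonjour names discovered


def assess_isolation(obs: GuestObservation) -> dict:
    """Classify the guest network and list the evidence behind the verdict."""
    findings = []
    # strict=False keeps the host bits, so the leased address can be passed in as-is
    guest_net = ip_network(f"{obs.guest_ip}/{obs.guest_prefix}", strict=False)
    shared_l2 = guest_net.overlaps(ip_network(obs.lan_network))
    if shared_l2:
        findings.append("guest lease inside the main LAN subnet: one broadcast domain, one DHCP pool")
    if obs.lan_unicast_reachable:
        findings.append("unicast to a LAN host succeeds: no client isolation")
    if obs.router_admin_reachable:
        findings.append("router admin page reachable from the guest side")
    if obs.mdns_services_seen:
        findings.append("mDNS/Bonjour announcements visible: " + ", ".join(obs.mdns_services_seen))
    if obs.lan_unicast_reachable or obs.router_admin_reachable:
        level = 0
    elif shared_l2 or obs.mdns_services_seen:
        level = 1  # unicast filtered, but the L2 segment (and its multicast) is still shared
    else:
        level = 2
    return {"level": level, "label": LEVELS[level], "findings": findings}


# Constructed from the thread: LAN 10.0.0.0/24, guest leased in the same range, ping to
# the LAN times out, printer and file server appear over Bonjour, login page does not open.
ORBI_CONSUMER = GuestObservation("10.0.0.57", 24, "10.0.0.0/24", False, False,
                                 ["Printer._ipp._tcp.local", "FileServer._afpovertcp._tcp.local"])
# Constructed: a guest SSID on its own VLAN and subnet with nothing from the LAN visible.
VLAN_GUEST = GuestObservation("192.168.50.23", 24, "10.0.0.0/24", False, False)
```

`assess_isolation(ORBI_CONSUMER)` lands on level 1, the "client isolation only" picture schumaku describes, while the separate-subnet case lands on level 2 with no findings.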