rhester72
Nov 26, 2016, Virtuoso
Guest isolation not supported in AP mode?
The good news: Guest access works. The bad news: You can't do guest isolation in AP mode, apparently - the option is greyed out. That makes it rather useless, unfortunately - why is this? ...
TheEther
Nov 26, 2016, Guru
This is not unique to the Orbi. An AP has no way of isolating guest traffic on your internal network. It would have to do something like put it in a VLAN to send to the router but the router would also have to support VLANs.
fbg
Feb 03, 2017, Initiate
I think this warrants some discussion. If client A tries to talk to client B, both on wifi, what happens? The frames don't go directly from A to B via radio (ignoring ad hoc mode wifi). They go to the access point / wireless router. If that access point is an Orbi in AP mode, the Orbi could either deliver the frames, or just send them out the wire and let the downstream router decide what to do with them. I don't know which one it does, and I can't test it since I'm still looking into buying or not... Ideally I would want the Orbi to offer either behavior as an option.
Assuming the Orbi doesn't simply deliver the frames, the next question is: what will the downstream router do? If it is acting as a simple layer 2 / layer 3 device, it will deliver the frames. A and B are on the same layer 2 segment, so they should "see" each other normally. However, if the downstream router is a firewall, it may be able to actually apply policy and not transmit the frames back out the interface, or perhaps bump the decision to layer 3 and only do so if the hosts in question match an ACL, etc...
I don't know without testing, but I expect the abstract scenario will give different results for different APs and different down-wire routers. Does anyone have more info on this?
In short I don't think this is a simple "no AP can do this" issue.
- anschmid, Feb 03, 2017, Apprentice
Well, AP mode isolation would be nice to have, yes, but from what I have just discovered, Orbi doesn't even do proper isolation in router mode.
See my post here: https://community.netgear.com/t5/Orbi/CAUTION-Orbi-s-Wifi-Guest-Network-does-not-really-isolate-guests/m-p/1221867#U1221867
- TheEther, Feb 03, 2017, Guru
fbg wrote:
I think this warrants some discussion. If client A tries to talk to client B, both on wifi, what happens? The frames don't go directly from A to B via radio (ignoring ad hoc mode wifi). They go to the access point / wireless router. If that access point is an Orbi in AP mode, the Orbi could either deliver the frames, or just send them out the wire and let the downstream router decide what to do with them. I don't know which one it does, and I can't test it since I'm still looking into buying or not... Ideally I would want the Orbi to offer either behavior as an option.
I would not expect the Orbi to simply send frames out the wire. It's possible that the downstream router will not even see the traffic, so it won't be in a position to isolate guest traffic.
Instead, I would expect the Orbi to determine whether client A is on the guest network and either forward or drop the traffic accordingly at the base station. Netgear has a couple of ways they could implement this. A sensible way would be to have the satellite put guest traffic into a VLAN when sending over the Wi-Fi backhaul connection. The VLAN tag would clearly mark guest traffic. The base station could then look at the destination address of the traffic. If it's on the same subnet, then the traffic is dropped. If it's not local, then it sends it to the router to be forwarded to the Internet.
- peteytesting, Feb 03, 2017, Hero
TheEther wrote:
fbg wrote: I think this warrants some discussion. If client A tries to talk to client B, both on wifi, what happens? The frames don't go directly from A to B via radio (ignoring ad hoc mode wifi). They go to the access point / wireless router. If that access point is an Orbi in AP mode, the Orbi could either deliver the frames, or just send them out the wire and let the downstream router decide what to do with them. I don't know which one it does, and I can't test it since I'm still looking into buying or not... Ideally I would want the Orbi to offer either behavior as an option.
I would not expect the Orbi to simply send frames out the wire. It's possible that the downstream router will not even see the traffic, so it won't be in a position to isolate guest traffic.
Instead, I would expect the Orbi to determine whether client A is on the guest network and either forward or drop the traffic accordingly at the base station. Netgear has a couple of ways they could implement this. A sensible way would be to have the satellite put guest traffic into a VLAN when sending over the Wi-Fi backhaul connection. The VLAN tag would clearly mark guest traffic. The base station could then look at the destination address of the traffic. If it's on the same subnet, then the traffic is dropped. If it's not local, then it sends it to the router to be forwarded to the Internet.
Using the VLAN tag, would it also overcome the issue in AP mode as well?
- TheEther, Feb 04, 2017, Guru
The VLAN tag could be used in either router or AP mode. It merely serves to easily identify guest traffic. How much extra work the base station needs to do in order to handle the guest traffic depends on whether it is in router or AP mode. In AP mode, the Orbi could apply the sorts of checks that rhester72 described several posts above. In addition, it could also support an advanced mode whereby it doesn't strip the VLAN tag but, instead, forwards it to a router that understands VLAN tagging. The router could, then, enforce the traffic segregation. This is how some enterprise-class networking gear works.
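
The base-station check TheEther describes in the two posts above (guest traffic marked with a VLAN tag, same-subnet destinations dropped, or the tag passed through to a VLAN-aware router), as an added sketch that is not part of the thread and not Netgear's implementation. The VLAN ID, subnet, gateway address and the gateway exception are assumptions, and the frames are constructed samples.

```python
import ipaddress
import struct

# All values below are assumptions for illustration, not Orbi settings.
GUEST_VLAN = 20
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
GATEWAY = ipaddress.ip_address("192.168.1.1")

def build_frame(dst_ip, vlan=None):
    """Build a constructed Ethernet + IPv4 sample frame, optionally 802.1Q-tagged."""
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    src = ipaddress.ip_address("192.168.1.77").packed
    dst = ipaddress.ip_address(dst_ip).packed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, src, dst)
    return macs + tag + struct.pack("!H", 0x0800) + ip

def decide(frame, passthrough=False):
    """Return the base station's action for one frame arriving from a satellite."""
    if len(frame) < 14:
        return "drop"                    # truncated frame
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x8100:
        return "forward"                 # untagged: trusted (non-guest) client
    if len(frame) < 18:
        return "drop"
    tci, inner = struct.unpack_from("!HH", frame, 14)
    if tci & 0x0FFF != GUEST_VLAN:
        return "forward"                 # another VLAN: not guest traffic
    if passthrough:
        return "forward-tagged"          # keep the tag; a VLAN-aware router enforces
    if inner != 0x0800 or len(frame) < 38:
        return "drop"                    # sketch is IPv4-only; ARP/DHCP need their own rules
    dst = ipaddress.ip_address(frame[34:38])  # IPv4 destination in a tagged frame
    # Assumption added here: the gateway itself stays reachable for guests.
    if dst in LOCAL_NET and dst != GATEWAY:
        return "drop"                    # guest-to-LAN traffic is isolated
    return "forward-to-router"

if __name__ == "__main__":
    for dst, vlan in [("192.168.1.50", 20), ("203.0.113.10", 20), ("192.168.1.50", None)]:
        print(dst, vlan, decide(build_frame(dst, vlan)))
```
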