PM_13
Tutor
Feb 14, 2021

Netgear AP Mode

Hi,

Need some input on this one before I put this into action:

I have two SSIDs running on the Orbi router, say "Home" and "Guest", and I deselected the option that allows machines on "Guest" to see each other. Thereafter I put the Orbi router in AP mode and plugged it into one of the ports of PfSense, which is running two VLANs:

VLAN10: Home (only static assignment in subnet 192.168.10.x)

VLAN20: Guest (runs its DHCP subnet 192.168.20.x)

If there are no firewall rules that allow these subnets to talk to each other, then is it possible to isolate the "Guest" network from the "Home" network?

Thanks,

Pankaj

3 Replies

  • Orbi has no VLAN capability. In AP mode, every device that connects will send a DHCP broadcast that the Orbi will send "out the WAN port" looking for a DHCP server. There will be nothing to distinguish which SSID the DHCP request came from. And thus no way for the PfSense to know which IP subnet to assign.

    The ability the Orbi has to prevent devices on the Guest SSID from reaching other devices is limited to the Orbi. It is not based on IP subnet, as the Orbi has only a single DHCP pool of IP addresses. (On the newer AX products, I have a vague impression that the Guest SSID actually does have a separate IP subnet - which makes more sense.)

    Is the concern that the Orbi Guest isolation mechanism may not function correctly?

    • alokeprasad
      Mentor

      CrimpOn wrote:

      The ability the Orbi has to prevent devices on the Guest SSID from reaching other devices is limited to the Orbi. It is not based on IP subnet, as the Orbi has only a single DHCP pool of IP addresses.

      So, with the Orbi in AP mode, when there are devices connected to the Orbi (its ethernet ports or WiFi) and devices connected to some other router.

      The devices connected to the Orbi's guest network will "not see" other devices connected to the Orbi, but will have access to devices (PC's NAS's) connected directly to the router?

      • CrimpOn
        Guru

        alokeprasad wrote:

        So, with the Orbi in AP mode, when there are devices connected to the Orbi (its ethernet ports or WiFi) and devices connected to some other router.

        The devices connected to the Orbi's guest network will "not see" other devices connected to the Orbi, but will have access to devices (PC's NAS's) connected directly to the router?


        That is one concern.  I am not confident that there is any mechanism within the Orbi to limit what Guest devices can do once their packets leave the Orbi.  The other concern remains, i.e. that Orbi has no capability regarding VLAN. Every packet from the Orbi will come from the same IP subnet with no VLAN tag, and no way to distinguish one from another.