fsubob
Jan 28, 2018 Aspirant
Orbi - Isolate Guest Network & Tagged Uplink
Hello, I realize this isn't officially supported but I've made some progress and was hoping someone might know the configuration element I am missing. I mostly need help with identifying the naming ...
fsubob
Jan 28, 2018 Aspirant
Bottom line: I can't confirm that vlan tagging is enabled at the kernel level.
I have been able to correct a few other mistakes and figure a few things out.
brctl show br1
bridge name     bridge id               STP enabled     interfaces
br1             8000.8c3bad2bbfd8       no              ath02
                                                        ath11
                                                        eth0.1003
                                                        eth1.1003

ath02 and ath11 are the guest network logical interfaces. Eth0 appears to be the WAN port and eth1 is the LAN port. I was able to create these units off eth0/1 with vlan tag 1003. The isolation part of my requirement seems to work.
Create:
ip link add link eth0 name eth0.1003 type vlan id 1003
Verify:
ip -d link show eth0.1003
33: eth0.1003@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br1 state UP mode DEFAULT
    link/ether 8c:3b:ad:2b:bf:d9 brd ff:ff:ff:ff:ff:ff
    vlan id 1003 <REORDER_HDR>
When my wifi client connects, I can see the client's mac address in the correct isolated bridge domain. That's good news.
brctl showmacs br1
port no mac addr                is local?       ageing timer
  4     8c:3b:ad:2b:bf:d8       yes                0.00
  3     8c:3b:ad:2b:bf:d9       yes                0.00
  2     92:3b:ad:2b:bf:da       yes                0.00
  1     98:01:a7:XX:XX:XX       no                28.13
  1     9a:3b:ad:2b:bf:d8       yes                0.00
However, I don't think my DHCP requests are being passed out eth0 as expected. Also, for some reason WPA security does not work either.
Checking if tagging is enabled at the kernel level:
root@RBR50:/# lsmod | grep 8021q
root@RBR50:/#
root@RBR50:/# modprobe 8021q
kmod: failed to find a module named 8021q
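An added example, not part of the original post: `lsmod` lists only loadable modules, so an empty `grep` cannot show 802.1Q support that is compiled into the kernel. This sketch reads procfs instead; the optional root-directory argument, the function names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Classify 802.1Q support from procfs.
# The optional root argument is an assumption made here so the logic can be
# run against a constructed directory tree instead of the live /proc.

# Prints one of: module | builtin | absent
vlan_8021q_status() {
    root="${1:-}"
    # A loaded 8021q module has a line in /proc/modules (what lsmod reads).
    if [ -r "$root/proc/modules" ] && grep -q '^8021q ' "$root/proc/modules"; then
        echo module
    # The 802.1Q code creates /proc/net/vlan/config when it initialises,
    # whether it was loaded as a module or compiled into the kernel.
    elif [ -e "$root/proc/net/vlan/config" ]; then
        echo builtin
    else
        echo absent
    fi
}

# Prints "device vid parent" for each VLAN sub-interface the kernel knows.
vlan_devices() {
    root="${1:-}"
    [ -r "$root/proc/net/vlan/config" ] || return 0
    # Skip the two header lines; fields are separated by '|'.
    awk -F'|' 'NR > 2 && NF >= 3 {
        for (i = 1; i <= 3; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
        print $1, $2, $3
    }' "$root/proc/net/vlan/config"
}

# Constructed sample tree mirroring the thread: no 8021q line in the module
# list, yet VLAN sub-interfaces with id 1003 exist.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/net/vlan"
    printf 'dummy_mod 16384 0 - Live 0x00000000\n' > "$d/proc/modules"
    printf '%s\n' 'VLAN Dev name    | VLAN ID' \
        'Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD' \
        'eth0.1003      | 1003  | eth0' \
        'eth1.1003      | 1003  | eth1' > "$d/proc/net/vlan/config"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    r=$(make_sample_root)
    vlan_8021q_status "$r"; vlan_devices "$r"; rm -rf "$r"
fi
```

Called with no argument on a device, both functions read the live `/proc`.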
- fsubob Jun 10, 2018 Aspirant
Does anyone know if Netgear finally fixed this?
Apple's Airport system has been doing this for years and now with it discontinued I can't find any mesh systems that support true guest isolation.
I don't necessarily need the uplink port to support tagging but at least true isolation within the WLAN network would work - with different IP subnets. Not the filtering they do today that doesn't even filter arp and broadcast/multicast packets (from what I've read).
- DarrenM Jun 11, 2018 Sr. NETGEAR Moderator
Yes, we have a new firmware with guest isolation fixes; you can find it here.
https://community.netgear.com/t5/Orbi/Orbi-firmware-update-v2-1-4-16-availability/td-p/1584969
DarrenM
- fsubob Jun 11, 2018 Aspirant
Thanks. Is this just the bug fix referenced in the release notes?
I'm really hoping for true isolation - different IP subnets and true L2 isolation internally (not filtering).