Dnomis
Mar 30, 2025 Aspirant
WAX202 as an AP problem
I have a Billion BiPAC 8800AXL R2 as my main router. I have 2 SSID subnets set up, let's call them ABC and ABC-Guest. ABC uses 192.168.1.xxx and ABC-Guest uses 192.168.2.xxx allowing access to the In...
schumaku
Mar 31, 2025 Guru - Experienced User
Hello Simon,
Dnomis wrote:
I have a Billion BiPAC 8800AXL R2 as my main router.
I have 2 SSID subnets set up, let's call them ABC and ABC-Guest
ABC uses 192.168.1.xxx and ABC-Guest uses 192.168.2.xxx allowing access to the Internet but not the local ports.
When I use the WAX202 in AP mode it doesn't heed the restrictions from the main router and allows access to all subnets. Is this because it connects to the main router via one of the Ethernet ports on the BiPAC?
This is because these two networks and two subnets by default only exist on your router Wireless side, not on the LAN where the AP can connect to by default.
Going a little bit beyond the Netgear community scope, your router only supports port-based VLAN, not tag-based VLAN.
So you can only isolate a port from the other ports. If you want to isolate your airports from the router's wifi/LAN ports, set up an 'Interface Grouping' and create a new group to isolate the port your Airport connects to as the WAN link.
Example below for isolating a guest wifi network:
Example for a guest wifi network (it is the same for the LAN port isolation, just need to create a new rule)
1. Click on Interface Grouping
2. Click on 'Add'
3. Enter a 'Group Name', e.g. guest
4. Under 'Available LAN Interfaces' select your 'Guest Network' and click on the arrow pointing left, so the guest wifi network should now be added to 'Grouped LAN Interfaces'
5. Click on 'Apply'
6. Under 'Group Isolation' tick the box and click on 'Apply'
7. Click on 'LAN >> Ethernet'
8. Under 'Group Name' select your guest wifi group; for this example I used 'guest'
9. Tick 'LAN Side Firewall' and click on 'Apply' (with this option enabled, anyone connected to the guest wifi network will not be able to access the router's web GUI, they can only access the internet)
That said: With a properly configured VLAN-capable switch - a simple Netgear Plus or Ethernet Easy Smart Managed Essentials Switch - you can configure an additional VLAN, define two LAN ports as access ports for each VLAN e.g. one for VLAN 1 [U]ntagged, PVID 1, one for VLAN 200 [U]ntagged, PVID 200 [and nothing else on these ports], then define a so-called trunk port for the WAX as one for VLAN 1 [U]ntagged, PVID 1, plus VLAN 200 [T]agged [and nothing else on these ports]. Now configure the second ABC-Guest on the WAX associated to the VLAN 200.
That's all folks.
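The switch port plan from the reply above, modelled as a small 802.1Q forwarding simulation to show what the trunk port does with each SSID's traffic. This is an added example, not part of the original post and not Netgear code; the port names and the `forward` and `audit` helpers are hypothetical, and the switch is assumed to drop frames for VLANs the ingress port is not a member of.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    pvid: int                          # VLAN given to untagged ingress frames
    untagged: frozenset = frozenset()  # [U] VLANs sent out without a tag
    tagged: frozenset = frozenset()    # [T] VLANs sent out with an 802.1Q tag

    def member(self, vid):
        return vid in self.untagged or vid in self.tagged

# Port plan from the post; the port names are hypothetical labels.
PORTS = {
    "router_lan":   Port(1, frozenset({1})),      # access port, ABC subnet
    "router_guest": Port(200, frozenset({200})),  # access port, ABC-Guest subnet
    "wax_trunk":    Port(1, frozenset({1}), frozenset({200})),
}

def forward(ports, ingress, tag=None):
    """Flood one broadcast frame; return {egress_port: tag_on_wire}.

    tag=None is an untagged frame, classified by the ingress port's PVID.
    A tag_on_wire of None means the frame leaves that port untagged.
    """
    src = ports[ingress]
    vid = src.pvid if tag is None else tag
    if not src.member(vid):            # assumed ingress filtering
        return {}
    return {name: (vid if vid in p.tagged else None)
            for name, p in ports.items()
            if name != ingress and p.member(vid)}

def audit(ports):
    """Flag settings that break the 'and nothing else on these ports' rule."""
    issues = []
    for name, p in ports.items():
        if len(p.untagged) > 1:
            issues.append(f"{name}: untagged in VLANs {sorted(p.untagged)}, "
                          "so several VLANs leave this port mixed together")
        if not p.member(p.pvid):
            issues.append(f"{name}: PVID {p.pvid} is not a member VLAN")
    return issues

if __name__ == "__main__":
    print("ABC-Guest client (tag 200 from WAX):", forward(PORTS, "wax_trunk", 200))
    print("ABC client (untagged from WAX):     ", forward(PORTS, "wax_trunk"))
    print("audit:", audit(PORTS) or "clean")
```

Frames from the ABC-Guest SSID arrive on the trunk tagged 200 and leave only on the guest access port, while untagged ABC frames reach only the LAN access port; leaving an access port untagged in both VLANs is the mistake `audit` reports.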
Dnomis
Mar 31, 2025 Aspirant
Many thanks for your reply. I am trying to get my head around the last part but I think I got lost around where the Trunk port was introduced...
I have tried to map it out on the attached picture but I think I got lost...
What am I missing?
- schumaku Mar 31, 2025 Guru - Experienced User
There will be two different Ethernet links required, one will be the normal LAN, the other the Guest LAN.
- schumaku Mar 31, 2025 Guru - Experienced User
ABC and ABC-Guest can't be on the same LAN port, because the BiPAC does not support a VLAN trunk. A dedicated port for the ABC-Guest is required, so an additional dedicated physical Ethernet link for the ABC-Guest is required - this is what the router does allow.
- Dnomis Mar 31, 2025 Aspirant
Many thanks for your help...
This is stretching my understanding a lot and I am struggling to get it to work in reality. I think I have bitten off more than I can chew... The WAX202 doesn't appear to allow me to set up any VLANs unless I put it into router mode which I didn't think I wanted to do?
Additionally once I have done this I need to repeat it all with a WAC104 if that is even possible... My full network was working ok with the 2 Netgear routers hard wired to the Billion and set up as access points using the same SSID and everything could see everything else ok as they were all on the same network, they could all access the internet etc. Admittedly the switch between access points wasn't as seamless as I would like but I expected that.
I don't need "guests" as such and it only got complicated when I started putting some "smart" devices onto the network and I read that it would be a good thing to segregate them so that if someone did manage to hack into one then they would not have access to my LAN. Which is where this all began...
I guess by far the easiest option would be to buy a mesh system and set it up on there... Time to go back to the drawing board I think...
- schumaku Apr 02, 2025 Guru - Experienced User
Suggest to stay far away from these marketing[-ish!] Mesh systems, where most don't support more than one LAN (and VLAN). Worst case, they also bring some other new "tech" and supposedly IEEE "compatible" features not fit for interoperability with the more common industry standards.
You currently have a router which does support two LANs and IP subnets - only on dedicated access ports, not on a single connection trunk. Same applies to the WAX202, the WAC104, ... -> https://kb.netgear.com/30611/How-do-I-create-multiple-SSID-s-to-operate-on-multiple-VLAN-s
An inexpensive Netgear Plus or Netgear Smart Managed Essential switch (new naming for these) model GSxxxE[nn] or MSnnnE[nn] and some brainwork is sufficient.
Good luck, and keep us posted please, we're happy to help!
-Kurt.