NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
WAX214v2
Just bought 3 of these for my home which has solid walls. It seems a new model with little info on Netgear and I am not sure if 214v1 advice remains good. - such as same SSID for all 3 Advice...
First place to start: TEST THE GUEST NETWORK
WAX214v1 had it implemented correctly... But, if the WAX214v2 is done anything like the WAX220 (very likely), then your Guest Network will be able to communicate with your internal network, such as logging to 192.168.1.1...
Next, watch out if you're running a switch with DHCP snooping. For some reason, the WAX220 won't let a client connect on your internal network once you have a Guest Network enabled, unlike the WAX214v1. It appears to trigger some blocking with the Snooper on the switch.
This all likely stems from Netgear's poorly developed firmware, specifically with the L2 Isolation.
Retired_Member wrote:
WAX214v1 had it implemented correctly... But, if the WAX214v2 is done anything like the WAX220 (very likely), then your Guest Network will be able to communicate with your internal network, such as logging to 192.168.1.1...
Translating this rant to laymen terms. Under some unknown conditions, it appears the controls for Client Isolation and the related Client Isolation Exceptions remain invisible. The Client Isolation does however work as designed if enabled. Guest devices (locally NATed from a private IP subnet - different from the classic wax214/218 design) will not be able to reach the local LAN subnet eg. like the ubiquitous 192.168.1.1 or 192.168.0.1 of many consumer routers in use behind the guest network.
Retired_Member wrote:
Next, watch out if you're running a switch with DHCP snooping. For some reason, the WAX220 won't let a client connect on your internal network once you have a Guest Network enabled, unlike the WAX214v1. It appears to trigger some blocking with the Snooper on the switch.
None of the WAX2xx or for the sake 6xx does care or change the RFC DCHP, potentially breaking a switch with DHCP snooping enabled. Please provide the exact reports or log entries for further analysis (instead of scaring other customers here).
Retired_Member wrote:
This all likely stems from Netgear's poorly developed firmware, specifically with the L2 Isolation.
L2 isolation feature exists on the WAX214v2, v1.0.2.2 or WAX220, v1.0.3.0 similar to the screenshot above), and works in my testing as expected. Not that I'm a Netgear voice or carrying such a hat. The real issue here seems to be the two controls are hidden in the Web browser under some conditions unknown to me.
schumaku wrote:
Retired_Member wrote:WAX214v1 had it implemented correctly... But, if the WAX214v2 is done anything like the WAX220 (very likely), then your Guest Network will be able to communicate with your internal network, such as logging to 192.168.1.1...
Translating this rant to laymen terms. Under some unknown conditions, it appears the controls for Client Isolation and the related Client Isolation Exceptions remain invisible. The Client Isolation does however work as designed if enabled. Guest devices (locally NATed from a private IP subnet - different from the classic wax214/218 design) will not be able to reach the local LAN subnet eg. like the ubiquitous 192.168.1.1 or 192.168.0.1 of many consumer routers in use behind the guest network.
Retired_Member wrote:Next, watch out if you're running a switch with DHCP snooping. For some reason, the WAX220 won't let a client connect on your internal network once you have a Guest Network enabled, unlike the WAX214v1. It appears to trigger some blocking with the Snooper on the switch.
None of the WAX2xx or for the sake 6xx does care or change the RFC DCHP, potentially breaking a switch with DHCP snooping enabled. Please provide the exact reports or log entries for further analysis (instead of scaring other customers here).
Retired_Member wrote:This all likely stems from Netgear's poorly developed firmware, specifically with the L2 Isolation.
L2 isolation feature exists on the WAX214v2, v1.0.2.2 or WAX220, v1.0.3.0 similar to the screenshot above), and works in my testing as expected. Not that I'm a Netgear voice or carrying such a hat. The real issue here seems to be the two controls are hidden in the Web browser under some conditions unknown to me.
Avoid a repost, so I'll link my related replies:
Test was pretty straight forward - Plugged WAX214v1 in, connected to a Guest Network, tried to access router admin page and was denied. Plugged WAX220 in, connected to a Guest Network there, tried to access router admin page and was successful. Did the same thing but with toggling DHCP Snooping on/off on a GS308T switch. Not exactly sure why the WAX220 only works if I turn off DHCP Snooping, but maybe it's something to do with the Guest Network's DHCP server and L2 Isolation since that's the big difference between the WAX 214 and 220.
The WAX220's Client Isolation is working fine... the L2 Isolation is not, nor is even visible. I can absolutely connect to 192.168.1.1 with a Client connected to the Guest Network on the 220, but not the 214v1. Just tried it again as I posted this.
The original firmware for the WAX220 has the L2 Isolation option visible, but updating it to any other version removes it. Reverting back to the earliest version of the firmware posted on the Downloads page does not restore that option.
Many thanks for you comprehensive responses and apologies for the late response due to continued login problems, related in some part to having 2 devices logged in at the same time, but Netgear support are puzzled why.
My system is all simple unmanaged devices, with no guest account. The heart will be a Zyxel 2010 2x10g / 2x2.5g / 8x1g switch with the 2.5g Virgin router connected to a 2.5g port and the four WAX214v2's via a Netgear 5-port 1g POE+ 83W max switch
A future upgrade when a 10g router is available would also be WAX220 (or other locally managed 2.5g AP) connected to a 5-port 2.5g POE+ NETGEAR Switch - when they finally decide to release one.
Comment / advice would be much appreciated...TomP
Retired_Member wrote:
WAX214v1 had it implemented correctly... But, if the WAX214v2 is done anything like the WAX220 (very likely), then your Guest Network will be able to communicate with your internal network, such as logging to 192.168.1.1...
This all likely stems from Netgear's poorly developed firmware, specifically with the L2 Isolation.
The last reply before I stop this thread: The L2 Isolation feature as known from the WAX214/218 ...
L2 Isolation
To prevent WiFi and LAN clients on the same access point from communicating with
each other, select the Enable radio button. By default, this option is disabled. If you
enable L2 isolation, clients can still communicate with each other over the Internet.
If you enable L2 isolation, to exclude a device from L2 isolation, enter the MAC address
of the device in a Whitelist field. You can exclude up to three devices....is not available on the WAX214v2 or WAX220.
The default config listed (the only place the feature is mentioned) does show the L2 Isolation Disabled.
Client Isolation
To prevent WiFi clients that are associated with the same or different WiFi networks
on the access point from communicating with each other, select the Enable radio
button. By default, this option is disabled. If you enable client isolation, WiFi clients
can still communicate with each other over the Internet.
Note: If L2 isolation is enabled, the Client Isolation radio buttons are disabledIt's not about Netgear having the L2 Isolation implemented right or wrong.
Would be nice to hear from Netgear team about this missing functionality to avoid similar future disappointing customer communication. DavidGo
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
