Forum Discussion

Retired_Member
Jan 02, 2022

WAX620 Client Isolation Broken after Firmware Upgrade

Installed the WAX620 and immediately upgraded the firmware to 9.5.4.6, accepting all defaults. Set the SSID name and password. Then enabled Wireless Client Isolation and disabled allowing access to the AP UI. The intention is a guest-only WAP. No other settings done.

Connected to SSID via an iPhone.  Verified it was connected to the WAX620 SSID.

  • Within the Mail app, I can print emails to wired printers (Brother, HP and Canon).
  • Within Airport app, I can see/connect/manage all AirPort devices.
  • Within Nest and Ring apps, I can connect/manage all devices.

I downgraded firmware to 9.5.4.3 and 9.5.3.4 and found the feature is also broken.

I downgraded firmware to 9.5.2.5 and the feature works properly.

I am not comfortable using any of the 3 most recent versions of firmware, nor am I comfortable using such an old firmware version after so many security updates.

8 Replies

  •
    RaghuHR
    NETGEAR Expert

    Hi Retired_Member 

    Sorry to hear about your issues. Could you please help us by providing your network topology? I assume it is very simple, judging by your description, but I want to make sure we understand your network topology and how the devices are connected. Please share the logs (you can download and save them from the monitoring page) when you see the issue.

    Thanks,

    Raghu.

    •
      Retired_Member

      Hi RaghuHR,

      Thank you for your quick attention.  I have filed case 45523248.  I have since duplicated the problem on 3 other WAX620s.

      The network topology picture is simple to describe. I have an external router connected to a Netgear GS116, then another Netgear GS305P, and finally the WAX620. All wired devices are connected to the first switch except the WAX620.

      I have reverted to firmware version 9.5.2.5 as that was the last version the client isolation feature worked.  I did not collect logs when I was on version 9.5.4.6.

      It is very easy to duplicate.  The configuration is nearly all defaults.  When I tested on the various firmware versions, I always reset the configuration to factory defaults, and then did my minimal configuration and testing.  Simple test was printing a Netgear support page from an iPhone 13 to a wired-only Brother MFC-L8900CDW.

      Again, the firmware version is the only change for this feature to work or not.

    •
      Retired_Member

      2 new issues surfaced when reverting back to the latest firmware.

      1. I was able to connect from a Wi-Fi attached laptop to an SMB file server. I am seeing this with a mix of both IPv4 and IPv6 traffic. I am also seeing this with a mix of both Ethernet II and IEEE 802.3 Ethernet headers. I would like to get a technical explanation of exactly how the client isolation works. The devices in a client-isolated WLAN should only be able to ARP and send packets to the gateway router MAC, and receive packets from the gateway router MAC.

      2. The Download Detailed Logs is not completing. From a Day Zero configuration, to the setting of the Client Isolation feature, the logs should have been nearly empty, yet I am not getting anything downloaded in the last 30 minutes.  AP seems unresponsive upon checking.
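The post above states the isolation model it expects: a client on the isolated SSID may ARP and send to the gateway MAC, and may receive only from the gateway MAC. The following is an added example (not code from this thread or from NETGEAR) that checks a frame list against exactly that model, so a capture taken on the wireless side can be scored instead of testing by hand with a printer or SMB share. The MAC addresses, the gateway address, the `Frame` record layout and the sample frames are all constructed for the example; the frames are chosen to mirror the symptoms reported in the thread (mDNS/AirPrint discovery, a print job to a wired printer, SMB over IPv6 to a file server). It assumes every frame in the list was actually seen over the air, so anything from a non-gateway source counts as leakage.

```python
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Assumed addresses (not from the post): the upstream router and the two
# wireless clients on the isolated SSID.
GATEWAY_MAC = "00-11-22-33-44-55"
WIRELESS_CLIENTS = {"AA-AA-AA-00-00-01": "iPhone", "AA-AA-AA-00-00-02": "laptop"}


@dataclass(frozen=True)
class Frame:
    src: str          # source MAC, any common notation
    dst: str          # destination MAC
    proto: str        # "ARP", "IPv4" or "IPv6" (from the EtherType / LLC header)
    note: str = ""    # description, only used for reporting


def normalize_mac(mac: str) -> str:
    """Accept 'AA-BB-CC-DD-EE-FF', 'aa:bb:cc:dd:ee:ff' or 'aabb.ccdd.eeff'."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def isolation_violations(frames, client_macs, gateway_mac):
    """Return (kind, frame) pairs that break gateway-only client isolation.

    Rules, assuming every frame in `frames` was seen on the wireless side:
      client-egress : a client sent to anything but the gateway MAC, except
                      an ARP broadcast (needed to resolve the gateway)
      wired-ingress : a frame from a source other than the gateway or a
                      client reached the air (wired peers, other SSIDs)
    Frames sourced by the gateway are always allowed.
    """
    gw = normalize_mac(gateway_mac)
    clients = {normalize_mac(m) for m in client_macs}
    violations = []
    for f in frames:
        src, dst = normalize_mac(f.src), normalize_mac(f.dst)
        if src in clients:
            allowed = dst == gw or (dst == BROADCAST_MAC and f.proto == "ARP")
            if not allowed:
                violations.append(("client-egress", f))
        elif src != gw:
            violations.append(("wired-ingress", f))
    return violations


def summarize(violations):
    """Count violations by kind, e.g. {'client-egress': 4, 'wired-ingress': 2}."""
    counts = {}
    for kind, _ in violations:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample capture (not real traffic) mirroring the thread's symptoms.
SAMPLE_FRAMES = [
    Frame("AA-AA-AA-00-00-01", "FF-FF-FF-FF-FF-FF", "ARP",  "iPhone ARP who-has gateway"),
    Frame("AA-AA-AA-00-00-01", GATEWAY_MAC,         "IPv4", "iPhone HTTPS out via gateway"),
    Frame(GATEWAY_MAC,         "AA-AA-AA-00-00-01", "IPv4", "gateway reply to iPhone"),
    Frame("AA-AA-AA-00-00-01", "01-00-5E-00-00-FB", "IPv4", "iPhone mDNS query for _ipp._tcp (AirPrint)"),
    Frame("BB-BB-BB-00-00-10", "01-00-5E-00-00-FB", "IPv4", "wired Brother printer mDNS answer"),
    Frame("AA-AA-AA-00-00-01", "BB-BB-BB-00-00-10", "IPv4", "iPhone IPP print job to wired printer"),
    Frame("AA-AA-AA-00-00-02", "BB-BB-BB-00-00-20", "IPv6", "laptop SMB to file server"),
    Frame("BB-BB-BB-00-00-20", "AA-AA-AA-00-00-02", "IPv6", "file server SMB reply"),
    Frame("AA-AA-AA-00-00-01", "AA-AA-AA-00-00-02", "IPv4", "iPhone to laptop on the same SSID"),
]

if __name__ == "__main__":
    found = isolation_violations(SAMPLE_FRAMES, WIRELESS_CLIENTS, GATEWAY_MAC)
    for kind, f in found:
        print(f"{kind:14} {f.src} -> {f.dst} {f.proto:4} {f.note}")
    print(summarize(found))
```

On a working isolated SSID the function returns an empty list for a capture of ordinary client traffic; the multicast mDNS frames in both directions are the ones to watch, since that is how an iPhone discovers AirPrint printers and AirPort devices in the first place, and a gateway-only policy has to drop them along with the unicast peer traffic.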

      •
        Retired_Member

        I scrolled through the logs on the Monitoring -> Logs page. There was not much there, so the Download Detailed Logs should have succeeded. One surprising item was the logs from a cloudAgent service that is "phoning home" even though I have selected local management. This is tracking my customer's WAPs and will be a deal breaker if I cannot disable ALL external connections from the WAP.

        Can someone show me documentation on what traffic is sent from the WAX620 to the Internet or Netgear? It is inconvenient for me to put a sniffer between the AP and the router.  Enabling a true firewall to drop all traffic from the AP would be a performance killer on the network for all traffic.

        Jan 3 10:56:14 cloudAgent[13958]: Agent : Sending device mode 2 acknowledgement to cloud..
        Jan 3 10:56:13 cloudAgent[13958]: Agent : JSON Sending in case of registration = {"serialNo":"6LK21XXXXX","model":"WAX620","xDeviceId":"V9JA99XXXX","deviceType":"AP","fwVersion":"9.5.4.6","sendPendingCmd" : "0" ,"macAddress":"80-CC-9C-XX-XX-XX"}
        Jan 3 10:56:13 cloudAgent[13958]: Agent : Device registered with xCloud
        Jan 3 10:56:12 cloudAgent[13958]: Agent : Connected response 0 from xagent.
        Jan 3 10:56:12 cloudAgent[13958]: X_Handler_init started
        Jan 3 10:56:12 cloudAgent[13958]: Agent : Sending empty token first time
        Jan 3 10:56:12 cloudAgent[13958]: Agent : Sending device mode 2 acknowledgement to cloud..
        Jan 3 10:56:12 cloudAgent[13958]: Agent : Standalone INSIGHT mode API Response : 0
        Jan 3 10:56:12 cloudAgent[13958]: GET MODE API Response : { "status": 0, "system": { "basicSettings": { "cloudStatus": "0" } } }
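The log excerpt above is enough to answer the "is it phoning home" question from the AP's own syslog without a sniffer. The following is an added example (not from this thread or from NETGEAR) that parses those lines, pulls the device record the agent sent at registration out of the embedded JSON, reads the `cloudStatus` value from the GET MODE response, and counts the agent messages that describe an outbound exchange. The sample input is the excerpt from the post, with the serial number, device ID and MAC masked exactly as posted. The marker strings used to classify a message as outbound, and the reading of `cloudStatus "0"` as "cloud management off" (it appears next to the "Standalone" mode line in the excerpt), are assumptions of this example, not documented NETGEAR semantics.

```python
import json
import re

# Syslog shape used by the AP in the post: "Mon D HH:MM:SS process[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Assumed message fragments that indicate the agent exchanged data with the cloud.
OUTBOUND_MARKERS = ("Sending", "registered with", "Connected response")

# Sample input: the cloudAgent lines quoted in the post (values masked as posted).
SAMPLE_LOG = """\
Jan 3 10:56:14 cloudAgent[13958]: Agent : Sending device mode 2 acknowledgement to cloud..
Jan 3 10:56:13 cloudAgent[13958]: Agent : JSON Sending in case of registration = {"serialNo":"6LK21XXXXX","model":"WAX620","xDeviceId":"V9JA99XXXX","deviceType":"AP","fwVersion":"9.5.4.6","sendPendingCmd" : "0" ,"macAddress":"80-CC-9C-XX-XX-XX"}
Jan 3 10:56:13 cloudAgent[13958]: Agent : Device registered with xCloud
Jan 3 10:56:12 cloudAgent[13958]: Agent : Connected response 0 from xagent.
Jan 3 10:56:12 cloudAgent[13958]: X_Handler_init started
Jan 3 10:56:12 cloudAgent[13958]: Agent : Sending empty token first time
Jan 3 10:56:12 cloudAgent[13958]: Agent : Sending device mode 2 acknowledgement to cloud..
Jan 3 10:56:12 cloudAgent[13958]: Agent : Standalone INSIGHT mode API Response : 0
Jan 3 10:56:12 cloudAgent[13958]: GET MODE API Response : { "status": 0, "system": { "basicSettings": { "cloudStatus": "0" } } }
"""


def parse_syslog_line(line):
    """Split one syslog line into ts / proc / pid / msg, or None if it does not match."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def embedded_json(msg):
    """Return the JSON object embedded in a message (first '{' to end), or None."""
    start = msg.find("{")
    if start < 0:
        return None
    try:
        return json.loads(msg[start:])
    except json.JSONDecodeError:
        return None


def summarize_cloud_activity(log_text):
    """Collect what the cloudAgent lines reveal about cloud contact."""
    summary = {"registered": False, "cloud_status": None,
               "outbound_events": 0, "device": {}}
    for line in log_text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None or rec["proc"] != "cloudAgent":
            continue
        msg = rec["msg"]
        if any(marker in msg for marker in OUTBOUND_MARKERS):
            summary["outbound_events"] += 1
        if "registered with" in msg:
            summary["registered"] = True
        obj = embedded_json(msg)
        if obj is None:
            continue
        if "serialNo" in obj:
            # The registration payload: what the AP told the cloud about itself.
            summary["device"] = {k: obj[k] for k in
                                 ("serialNo", "model", "fwVersion", "macAddress") if k in obj}
        status = obj.get("system", {}).get("basicSettings", {}).get("cloudStatus")
        if status is not None:
            summary["cloud_status"] = status
    return summary


def phones_home_despite_local_mode(summary):
    """True when the AP reports cloud management off yet still registered (assumed semantics)."""
    return summary["cloud_status"] == "0" and summary["registered"]


if __name__ == "__main__":
    result = summarize_cloud_activity(SAMPLE_LOG)
    print(json.dumps(result, indent=2))
    print("phones home in local mode:", phones_home_despite_local_mode(result))
```

Run against a longer log export the same way; the `device` record shows which identifiers leave the AP (serial, model, firmware version, MAC), and `outbound_events` gives a rough count of cloud exchanges to compare with what a capture between the AP and router shows.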
