Forum Discussion
Retired_Member
Jan 02, 2022
WAX620 Client Isolation Broken after Firmware Upgrade
Installed WAX620, immediately upgraded firmware to 9.5.4.6. Accepting all defaults. Set SSID name and password. Then enabled Wireless Client Isolation and disabled allowing access to the AP UI. I...
Retired_Member
Jan 03, 2022
2 new issues surfaced when reverting back to the latest firmware.
1. I was able to connect from a Wi-Fi-attached laptop to an SMB file server. I am seeing this with a mix of both IPv4 and IPv6 traffic. I am also seeing this with a mix of both Ethernet II and IEEE 802.3 Ethernet headers. I would like to get a technical explanation of exactly how the client isolation works. The devices in a client-isolated WLAN should only be able to ARP and send packets to the gateway router MAC, and receive packets from the gateway router MAC.
2. The Download Detailed Logs function is not completing. From a Day Zero configuration to the setting of the Client Isolation feature, the logs should have been nearly empty, yet I am not getting anything downloaded in the last 30 minutes. The AP seems unresponsive upon checking.
schumaku
Jan 04, 2022
Guru - Experienced User
Retired_Member wrote:
1. I would like to get a technical explanation of exactly how the client isolation works.
Client Isolation on business APs - by rule of thumb going back to 1997 with the intro of 802.11 (yes, I installed the first "larger scale" WLAN networks, some Lucent/NCR, which later became Avaya - sigh, I'm getting old) - was and is exactly RT*M:
"By default, client isolation is disabled for a WiFi network (SSID or VAP), allowing communication between WiFi clients that are associated with the same or different WiFi networks on the access point. For additional security, you can enable client isolation so that clients that are associated with the same or different WiFi networks cannot communicate with each other, except for communication over the Internet, which remains possible."
The scope was and is limited to each individual access point, does not span to any wired or wireless backhaul, and does not include the associated VLAN. And Internet means TCP/IP here - not a consumer router. Quote borrowed from the WAX6x0 User Manual.
Retired_Member wrote:
The devices in a client isolated WLAN should only be able to ARP and send packets to the gateway router MAC, and receive packets from the gateway router MAC.
What is the source of this fancy idea please? Reads to me like a description of a consumer junk router's guest network implementation using some odd L2 filtering.
If you need a Wi-Fi network SSID without access to other resources, like printers, SMB servers .... you make it a dedicated network (VLAN of course). Client Isolation does not provide an el-cheapo replacement for this.
Conclude: Nothing broken on the Client Isolation according to my testing. Cancelling my call to RaghuHR herewith.
Before you jump onto my head, I'm aware Netgear does use different definition for Client Isolation on the Orbi Pro 6 systems:
"Client isolation prevents hosts and clients in the VLAN from reaching ports, hosts, and clients in the same VLAN, thereby increasing security."
Yes, looks like here we face some higher complexity in the L2 filtering. The classic definition of client isolation does come to its limits where wireless backhaul, WDS, or Insight Instant Wi-Fi come into the game, and exceptions apply.
In case you don't like the Netgear Insight "is this device already registered?" query, please also be aware of Fast BSS Transition aka 802.11r: we need to understand that this requires more tech and config. Netgear only offers the config of the (same) mobility domain identifiers on a management platform like Netgear Insight, which allows simplifying this process to a single on/off control (nicknamed "Fast Roaming"). The primary advantage of 802.11r is with 802.1X client authentication, saving a lot of four-way handshakes and reducing the roaming delay by pre-authenticating clients with multiple target APs before a client roams to another AP. With the 802.11r implementation, clients pre-authenticate with multiple APs. So, if you intend to deploy at least WPA2-Enterprise with seamless roaming, there is no way around Netgear Insight. The same applies to all cloud-based managed wireless systems AFAIK.
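The two definitions of "client isolation" argued over above (the manual's "clients associated with this AP cannot talk to each other" versus the poster's "a client may only exchange frames with the gateway MAC") can be written down as two L2 forwarding rules and run against the same traffic. The following is an added example, not NETGEAR code and not a description of what the WAX620 firmware actually does; the MAC addresses, the topology (a gateway, a wired SMB server, a phone and a laptop on one AP) and the frames are all constructed test data. It also shows why the stricter rule is awkward for IPv6, which is the point raised later in the thread: neighbour discovery needs multicast, and an allow rule broad enough for NDP also lets mDNS printer discovery through.

```python
"""Two readings of "wireless client isolation", modelled as L2 forwarding rules.

Added example (not NETGEAR code). 'ap_local_isolation' is one reading of the
manual quote; 'gateway_only_isolation' is the stricter behaviour the original
poster expected. All MAC addresses and frames are constructed test data.
"""
import struct
from dataclasses import dataclass

ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed lab topology (assumed, not from the thread).
GATEWAY = "02:00:00:00:00:01"     # router / default gateway on the wired side
SMB_SERVER = "02:00:00:00:00:02"  # wired file server (a wired printer behaves the same)
PHONE = "02:00:00:00:00:0a"       # wireless client A on this AP
LAPTOP = "02:00:00:00:00:0b"      # wireless client B on this AP
WIFI_CLIENTS = {PHONE, LAPTOP}


@dataclass(frozen=True)
class Frame:
    dst: str
    src: str
    ethertype: int  # for an IEEE 802.3 frame this field is a length <= 1500


def build_frame(dst: str, src: str, ethertype: int, payload: bytes = b"") -> bytes:
    """Assemble an Ethernet II header followed by an arbitrary payload."""
    return (bytes.fromhex(dst.replace(":", ""))
            + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)


def parse_frame(raw: bytes) -> Frame:
    """Decode the 14-byte Ethernet header; refuse truncated frames."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    return Frame(dst.hex(":"), src.hex(":"), etype)


def ap_local_isolation(f: Frame) -> bool:
    """Manual-style rule: only wireless-to-wireless traffic on this AP is dropped.
    Anything to or from the wired side (gateway, SMB server, printer) passes."""
    return not (f.src in WIFI_CLIENTS and f.dst in WIFI_CLIENTS)


def gateway_only_isolation(f: Frame) -> bool:
    """Strict 'guest network' rule: a wireless client may talk only to the gateway.
    Address resolution still has to work, so ARP broadcast and IPv6 neighbour /
    router solicitation multicast (33:33:ff:.. / 33:33:00:00:00:02) are allowed.
    Allowing the whole 33:33 prefix instead would also pass mDNS
    (33:33:00:00:00:fb), which is exactly how a phone discovers printers."""
    if f.src in WIFI_CLIENTS:
        if f.dst == GATEWAY:
            return True
        if f.ethertype == ETH_ARP and f.dst == BROADCAST:
            return True
        if f.ethertype == ETH_IPV6 and (
                f.dst.startswith("33:33:ff:") or f.dst == "33:33:00:00:00:02"):
            return True
        return False
    if f.dst in WIFI_CLIENTS:
        return f.src == GATEWAY
    return True  # wired-to-wired traffic is not the AP's business


# Constructed traffic matching the poster's test: the phone resolves the gateway,
# browses for printers over mDNS, and the laptop mounts an SMB share on a wired server.
SAMPLE_FRAMES = {
    "arp_request_from_phone": build_frame(BROADCAST, PHONE, ETH_ARP),
    "phone_to_gateway_ipv4": build_frame(GATEWAY, PHONE, ETH_IPV4),
    "phone_mdns_ipv6": build_frame("33:33:00:00:00:fb", PHONE, ETH_IPV6),
    "laptop_to_smb_server": build_frame(SMB_SERVER, LAPTOP, ETH_IPV4),
    "smb_server_to_laptop": build_frame(LAPTOP, SMB_SERVER, ETH_IPV4),
    "phone_to_laptop": build_frame(LAPTOP, PHONE, ETH_IPV4),
}


def evaluate(policy) -> dict:
    """Run every sample frame through a policy; True means the frame is forwarded."""
    return {name: policy(parse_frame(raw)) for name, raw in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, policy in (("ap_local", ap_local_isolation),
                         ("gateway_only", gateway_only_isolation)):
        print(name)
        for frame, ok in evaluate(policy).items():
            print(f"  {'FORWARD' if ok else 'DROP   '} {frame}")
```

Under `ap_local_isolation` the laptop-to-SMB-server frames and the phone's mDNS query are forwarded, which is the behaviour the original poster observed and reported as broken; under `gateway_only_isolation` they are dropped. Both rules drop phone-to-laptop. Which of the two a given product implements is a documentation question, not something a frame capture alone settles.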
- Retired_Member
Jan 06, 2022
That seemed like a strange answer to me, Schumaku. I've told you the steps to confirm it is a problem when changing from one firmware version to the latest 3. There is a clear regression to me when the feature gets worse with newer firmware revisions. I have decided to return multiple of these WAX620s due to a security regression that I, on behalf of my customers, will not accept. I have also closed the internal case.
If anyone else should find this post in the future, the steps are to reset the AP to the factory defaults, configure a basic configuration on the Zero Day configuration, then simply turn on the client isolation. Reboot. Connect an iPhone to the SSID. Then select anything to print... you should then browse printers and you should see any wired printer. This also works for laptops that are connected to the SSID: you should be able to SMB mount any file server sharepoints on wired servers.
Best,
aqa
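The reproduction steps above are a manual check (browse for printers, mount an SMB share). The same check can be made repeatable from the wireless client with plain TCP connect probes against the wired hosts. This is an added example, not NETGEAR code and not part of the post; the target addresses are placeholders from the TEST-NET-1 range that you replace with your own wired file server and printer, and the ports are the services the thread mentions (SMB 445, IPP 631, JetDirect 9100). The one detail worth getting right is the verdict: a "connection refused" answer is a TCP RST from the wired host, which proves the frame got there, so for an isolation test it counts as a failure just like an open port.

```python
"""Check from a wireless client whether wired LAN services are reachable.

Added example, not NETGEAR code. Implements the poster's manual test (print
browse, SMB mount) as TCP connect probes. TARGETS are constructed placeholder
addresses (TEST-NET-1); replace them with your own wired hosts.
"""
import socket
from contextlib import closing

# Assumed wired hosts to probe; the services are the ones the thread mentions.
TARGETS = [
    ("192.0.2.10", 445, "SMB file server"),
    ("192.0.2.20", 631, "IPP printer"),
    ("192.0.2.20", 9100, "JetDirect printer"),
]


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'refused' or 'unreachable' for one TCP port.

    'refused' (an RST from the host) proves L2/L3 reachability even though the
    service is down, so for an isolation test it is as bad as 'open'. Only
    'unreachable' (timeout, no route) is consistent with an isolated client.
    ConnectionRefusedError is caught first because it is itself an OSError."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, OSError):
        return "unreachable"


def isolation_holds(results) -> bool:
    """True only if every probed wired service was unreachable."""
    return all(state == "unreachable" for _, _, _, state in results)


def run(targets=TARGETS):
    """Probe every target and return (per-target results, overall verdict)."""
    results = [(host, port, name, probe(host, port)) for host, port, name in targets]
    return results, isolation_holds(results)


def local_listener():
    """Open a listening socket on an ephemeral 127.0.0.1 port so the probe logic
    can be exercised offline (not needed for a real test against wired hosts)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    results, ok = run()
    for host, port, name, state in results:
        print(f"{state:12} {name} {host}:{port}")
    print("client isolation HOLDS" if ok
          else "client isolation BROKEN: wired hosts reachable from the SSID")
```

Run it once from a wired host to confirm the targets answer at all (otherwise an "unreachable" result says nothing), then from a client on the isolated SSID, before and after each firmware change, so the comparison between versions is the same script rather than memory of a print dialog.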
- schumaku
Jan 07, 2022
Guru - Experienced User
Retired_Member wrote:
That seemed like a strange answer to me, Schumaku.
That's how things are in a community. Take it like that: I don't believe in any L2+ tricks expecting to isolate Wi-Fi traffic from accessing the network while only allowing "Internet" - which can mean a lot of different channels. What might be obviously easy on IPv4 proves to become difficult when we face IPv6, probably paired with multiple routers. And even more fun if more internal IP subnets are in the data path. How should an AP be able to reliably detect what is "Internet" and what are the local networks?
Retired_Member wrote:
I've told you the steps to confirm it is a problem when changing from one firmware version to the latest 3. There is a clear regression to me when the feature gets worse with newer firmware revisions.
Well, I'm not Netgear, I'm not QA here - we're operating bunches of WAC5xx and WAX6xx, all Insight managed and all strictly using dedicated VLANs for different security zones, so I couldn't care less. Of course it's possible there is a bug in the way Netgear has implemented and/or changed the code in the meantime. Some kind of packet inspection, based on logic unknown to me.
One point we have in common: I would love to understand based on what design this feature is implemented. And where the limitations are.
Convinced Netgear with RaghuHR will check with engineering and report back.