
Forum Discussion

Retired_Member
Jan 02, 2022

WAX620 Client Isolation Broken after Firmware Upgrade

Installed WAX620, immediately upgraded firmware to 9.5.4.6.  Accepting all defaults.  Set SSID name and password.  Then enabled Wireless Client Isolation and disabled allowing access to the AP UI.  Intention is a guest only WAP.  No other settings done.


Connected to SSID via an iPhone.  Verified it was connected to the WAX620 SSID.

  • Within Mail app, I can print emails to a wired printers (Brother, HP and Canon).
  • Within Airport app, I can see/connect/manage all AirPort devices.
  • Within Nest and Ring apps, I can connect/manage all devices.

I downgraded firmware to 9.5.4.3 and 9.5.3.4 and found the feature is also broken.

I downgraded firmware to 9.5.2.5 and the feature works properly.


I am not comfortable using any of the 3 most recent versions of firmware, nor am I comfortable using such an old firmware version after so many security updates.

8 Replies

  • RaghuHR (NETGEAR Expert)

    Hi Retired_Member,

    Sorry to hear about your issues. Could you please help us by providing your network topology? I assume it is very simple, judging by your description, but I want to make sure we understand your network topology and how the devices are connected. Please also share the logs (you can download and save them from the monitoring page) when you see the issue.

    Thanks,

    Raghu.

    • Retired_Member

      2 new issues surfaced when reverting back to the latest firmware.


      1. I was able to connect from a Wi-Fi-attached laptop to an SMB file server. I am seeing this with a mix of both IPv4 and IPv6 traffic. I am also seeing this with a mix of both Ethernet II and IEEE 802.3 Ethernet headers. I would like to get a technical explanation of exactly how the client isolation works. The devices in a client-isolated WLAN should only be able to ARP and send packets to the gateway router MAC, and receive packets from the gateway router MAC.

      2. The Download Detailed Logs action is not completing. From a Day Zero configuration to the setting of the Client Isolation feature, the logs should have been nearly empty, yet I have not gotten anything downloaded in the last 30 minutes. The AP seems unresponsive upon checking.

      • schumaku (Guru - Experienced User)

        Retired_Member wrote:

        1.  I would like to get a technical explanation of exactly how the client isolation works.


        Client Isolation on business APs - by rule of thumb back to 1997 with the intro of 802.11 (yes, since I had installed the first "larger scale" WLAN networks some Lucent/NCR, later became Avaya - sigh, I'm becoming old) - was and is exactly RT*M: 


        "By default, client isolation is disabled for a WiFi network (SSID or VAP), allowing communication between WiFi clients that are associated with the same or different WiFi networks on the access point. For additional security, you can enable client isolation so that clients that are associated with the same or different WiFi networks cannot communicate with each other, except for communication over the Internet, which remains possible."


        The scope was and is limited to each individual access point, does not span any wired or wireless backhaul, and does not include the associated VLAN. And "Internet" means TCP/IP here, not a consumer router. Quote borrowed from the WAX6x0 User Manual.


        Retired_Member wrote:

        The devices in a client isolated WLAN should only be able to ARP and send packets to the gateway router MAC, and receive packets from the gateway router MAC.


        What is the source of this fancy idea please? Reads to me like a description from consumer junk router guest network implementation by some odd L2 filtering.


        If you need a Wi-Fi network SSID without access to other resources, like printers, SMB servers, etc., you make it a dedicated network (a VLAN, of course). Client Isolation does not provide an el-cheapo replacement for this.

        Conclusion: Nothing is broken in the Client Isolation according to my testing. Cancelling my call to RaghuHR herewith.

        Before you jump onto my head, I'm aware Netgear does use a different definition for Client Isolation on the Orbi Pro 6 systems:

        "Client isolation prevents hosts and clients in the VLAN from reaching ports, hosts, and clients in the same VLAN, thereby increasing security."


        Yes, it looks like here we face some higher complexity in the L2 filtering. The classic definition of client isolation does come to its limits where wireless backhaul, WDS, or Insight Instant Wi-Fi come into the game, and exceptions apply.

        In case you don't like the Netgear Insight "is this device already registered?" query, please also be aware that Fast BSS Transition (aka 802.11r) requires more tech and config; Netgear only offers the config of the (same) mobility domain identifiers on a management platform like Netgear Insight, which allows simplifying this process to a single on/off control (nicknamed "Fast Roaming"). The primary advantage of 802.11r is with 802.1X client authentication, saving a lot of four-way handshakes and reducing the roaming delay by pre-authenticating clients with multiple target APs before a client roams to another AP. With an 802.11r implementation, clients pre-authenticate with multiple APs. So, if you intend to deploy at least WPA2-Enterprise with seamless roaming, there is no way around Netgear Insight. The same applies to all cloud-based managed wireless systems, AFAIK.
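        To make the difference between the two designs discussed in this thread concrete, here is an added example (not from the thread, the WAX6x0 manual, or Netgear) that models the manual's definition of client isolation next to a dedicated guest VLAN. The topology, host names and VLAN numbers are constructed to mirror the original post; the model has no router, so it only answers whether two hosts share an L2 path.

```python
# Added example: a minimal reachability model for "client isolation"
# (wireless-to-wireless on the same AP only, per the WAX6x0 manual text
# quoted above) versus a dedicated guest VLAN. Topology is constructed.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int
    ap: Optional[str] = None  # AP the host is associated with; None = wired


def can_reach(src: Host, dst: Host, client_isolation: bool) -> bool:
    """True if L2 traffic from src can reach dst.

    Rules modelled from the quoted manual text:
    - hosts in different VLANs have no L2 path (no router in this model);
    - client isolation only blocks wireless clients associated with the
      same access point; wired hosts are never within its scope.
    """
    if src.vlan != dst.vlan:
        return False
    if client_isolation and src.ap is not None and src.ap == dst.ap:
        return False
    return True


# Constructed topology: default config, everything on VLAN 1.
iphone = Host("iPhone", vlan=1, ap="WAX620")
laptop = Host("laptop", vlan=1, ap="WAX620")
printer = Host("Brother MFC", vlan=1)      # wired printer
smb = Host("SMB server", vlan=1)           # wired file server


def isolation_only() -> Dict[str, bool]:
    """What the iPhone reaches with client isolation on but no guest VLAN."""
    return {d.name: can_reach(iphone, d, client_isolation=True)
            for d in (laptop, printer, smb)}


def guest_vlan() -> Dict[str, bool]:
    """Same hosts, but the guest SSID is mapped to its own VLAN 20."""
    guest = Host("iPhone", vlan=20, ap="WAX620")
    return {d.name: can_reach(guest, d, client_isolation=True)
            for d in (laptop, printer, smb)}


if __name__ == "__main__":
    print("client isolation only:", isolation_only())
    print("dedicated guest VLAN: ", guest_vlan())
```

        With isolation alone the wired printer and SMB server stay reachable (matching the behaviour reported in the post); only the guest VLAN cuts them off.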

    • Retired_Member

      Hi RaghuHR,


      Thank you for your quick attention.  I have filed case 45523248.  I have since duplicated the problem on 3 other WAX620s.


      The network topology picture is simple to describe. I have an external router connected to a Netgear GS116 then another Netgear GS305P then finally to the WAX620. All wired devices are connected to the first switch except the WAX620.


      I have reverted to firmware version 9.5.2.5 as that was the last version the client isolation feature worked.  I did not collect logs when I was on version 9.5.4.6.


      It is very easy to duplicate.  The configuration is nearly all defaults.  When I tested on the various firmware versions, I always reset the configuration to factory defaults, and then did my minimal configuration and testing.  Simple test was printing a Netgear support page from an iPhone 13 to a wired-only Brother MFC-L8900CDW.


      Again, the firmware version is the only change for this feature to work or not.
