WillowU
Feb 21, 2023 Aspirant
Clarification of Network Isolation SXK80
If I have the Router and Hub operating in AP mode what does the Network Isolation checkbox for VLANs actually do? The user manual of the SXK80 says "Network isolation, also referred to as network...
deckard26354
Feb 21, 2023 Aspirant
Assuming the SXK80 operates like the SXK50, the network isolation tickbox installs ebtables rules that prevent communication to or from the isolated network and any other network the Orbi is attached to.
Unfortunately, this happens even in AP mode where VLANs shouldn't have IP addresses or any knowledge of IP networks that are attached to them.
Worse, the client isolation tickbox does something similar. IP based rules are installed that prevent WiFi clients on the isolated network from communicating with VLAN based clients on the same VLAN.
There is unfortunately no way to disable this (IMO erroneous) behavior, which is why I'm highly likely to abandon the Orbi Pro in favor of a brand like Ubiquiti which has far less nanny-like behavior.
- WillowU Feb 22, 2023 Aspirant
I've come from the opposite direction, having previously used a Unifi UAP-AC-PRO but wanted to upgrade to a mesh with dedicated wireless backhaul.
Your explanation helps, I can take a look at the dumped ebtables with and without the tickbox to see what it's up to.
I seem to have all kinds of strange behaviour - wired hosts on subnet A can reach a wired host in subnet B (intentionally allowed via a firewall). But as soon as I try doing the same from the same host on subnet A but over Wi-Fi it doesn't work...there's loads of TCP re-transmissions, so I'm wondering if there's still some filtering or table issue.
I'm hoping I might be able to get OpenWRT up and running on these. If I can do that, it should get rid of a lot of the hidden (and broken) magic the Netgear firmware seems to be doing. I'd rather stick to stock, but there's just too much hand holding in a supposedly pro product.
- deckard26354 Feb 22, 2023 Aspirant
WillowU wrote: I seem to have all kinds of strange behaviour - wired hosts on subnet A can reach a wired host in subnet B (intentionally allowed via a firewall). But as soon as I try doing the same from the same host on subnet A but over Wi-Fi it doesn't work...there's loads of TCP re-transmissions, so I'm wondering if there's still some filtering or table issue.
This unpredictable behavior is exactly why I was digging into the Orbi's behavior. Even when network isolation is disabled, a station on my LAN WiFi is unable to communicate with a station on the IoT WiFi if they are both associated to the SXR. However, when the LAN station is associated to the satellite it can communicate with the IoT device through the wired backhaul.
This is because the SXR obtains layer 3 addressing for all VLANs (even when it is only providing layer 2 connectivity) and has to install protective rules to prevent traffic from flowing between subnets on those connected interfaces. Because these rules are layer 3 rules they also prevent traffic from being forwarded to the upstream router.
In my opinion AP mode is fundamentally broken and unfit for its intended purpose because there is no way to disable this behavior.
- hermesromeror Feb 24, 2023 Apprentice
100% agree.. AP mode is completely broken.
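The comparison suggested earlier in the thread (dumping ebtables with and without the isolation tickbox) can be scripted as below. This is an added example, not code from any poster or from NETGEAR; the two `ebtables -L` dumps are constructed, and the interface names `wlan-iso` and `eth-vlan20` and the subnet are hypothetical, not rules taken from Orbi firmware.

```python
import re
# Constructed `ebtables -L` dumps: interface names and rules are made up
# for illustration and are NOT taken from real Orbi firmware.
DUMP_OFF = """Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 1, policy: ACCEPT
-p ARP -j ACCEPT
"""
DUMP_ON = """Bridge table: filter

Bridge chain: INPUT, entries: 1, policy: ACCEPT
-p IPv4 -i wlan-iso --ip-dst 192.168.20.0/24 -j DROP

Bridge chain: FORWARD, entries: 3, policy: ACCEPT
-p ARP -j ACCEPT
-i wlan-iso -o eth-vlan20 -j DROP
-i eth-vlan20 -o wlan-iso -j DROP
"""
CHAIN_RE = re.compile(r"^Bridge chain: (\S+), entries: \d+, policy: \S+$")

def parse_dump(text):
    """Return {(table, chain): [rule, ...]} from `ebtables -L` output."""
    rules, table, chain = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Bridge table:"):
            table, chain = line.split(":", 1)[1].strip(), None
        elif m := CHAIN_RE.match(line):
            chain = m.group(1)
            rules[(table, chain)] = []
        elif line and chain is not None:
            rules[(table, chain)].append(line)
    return rules

def added_rules(before, after):
    """Rules present in `after` but not in `before`, keyed by (table, chain)."""
    old, new = parse_dump(before), parse_dump(after)
    diff = {k: [r for r in v if r not in old.get(k, [])] for k, v in new.items()}
    return {k: v for k, v in diff.items() if v}

def is_ip_match(rule):
    """True if a bridge-layer rule filters on layer 3 (IPv4) fields."""
    return "-p IPv4" in rule or "--ip-" in rule

if __name__ == "__main__":
    for (table, chain), rules in added_rules(DUMP_OFF, DUMP_ON).items():
        for rule in rules:
            print(f"+ {table}/{chain}: {rule}" + (" [IP match]" if is_ip_match(rule) else ""))
```

To use it on a real device, replace the two constructed strings with the saved output of `ebtables -L` taken before and after toggling the setting.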