Frank-NYC
Jan 15, 2021 - Tutor
Orbi Pro 6 - IOT Client Isolation
Hello,
I am looking at the Orbi Pro 6 for home use. It is the front runner for a new mesh network because of the 4 SSIDs (one being IoT).
I have been looking at the manuals and I see that there is client isolation within the Wireless 3/IoT SSID. But I have not been able to find out if the isolation can be disabled to allow IoT devices (like Sonos, TVs, streaming devices, video server, etc.) to interact with each other within the Wireless 3 network.
Question 1: Is there any way to allow devices on the Wireless 3/IoT network to communicate with each other?
Question 2: Also, can you add firewall/configuration rules to allow devices on Wireless 1 and Wireless 2 to get to the Wireless 3/IoT devices, while still restricting access from IoT to the Wireless 1 & 2 networks?
Thank you,
Frank
Yes, network discovery is verified. I use Wireless 3 for my Google Home devices, set up through the Google Home app on my smartphone. With network isolation disabled and my iPhone connected to Wireless 3, I can see all the devices and set them up, and all the Google Home devices are found by and are controllable by the Google Home Mini.
YMMV, but with the Google Home devices on Wireless 3 with client isolation disabled, you have network discovery.
Steve
18 Replies
- schumaku (Guru - Experienced User)
Frank,
Frank-NYC wrote: But I have not been able to find out if the isolation can be disabled to allow IoT devices (like Sonos, TVs, streaming devices, video server, etc.) to interact with each other within the Wireless 3 network.
What sounds interesting and is often propagated will often not work without losing many features. Assuming it would be a plain IPv4 router, you can't use any multicast-based discovery (like Bonjour or UPnP SSDP) beyond each network. Do you intend to change the wireless network if you intend to play music or a movie to a media player?
This wonderful security theory is workable only for IoT requiring no control from e.g. a mobile App on the same network, or where everything is handled and controlled over the Cloud.
I admit, I'm not up to speed on the current Orbi Pro firmware implementation. While there might be a control to enable/disable wireless isolation (over the complete SSID) for this network, there is certainly no simple user firewall matrix config with three source and three destination networks where a user could allow or deny.
As well, I doubt there is any multicast routing between the three IP subnetworks, too.
I don't understand why the very basic controls and mandatory features are not available on these and many similar routers and mesh systems in this market segment.
-Kurt
Thanks for the reply Kurt, but maybe I should clarify my question and limit it to one point.
All of the following is related to Orbi Pro 6 Wireless 3/IoT SSID/Network. (or has one figured out a way to get an IoT friendly segment on another mesh network product?)
I am looking to add many types of IoT, media, automation, video on this SSID/Network and I am looking if it can be that those devices can talk to each other on that network.
For example:
-Cameras with NVR (camera send data over the internal network to the NVR/DVR)
-Sonos (unit with the HDMI input from the tv send data to other speakers for subwoofer/surround sound)
-IP remote or app control (control of the devices over the network, with all devices, even the mobile device with app on the Wireless 3/IoT SSID)
Can client isolation on the Wireless 3/IoT SSID be disabled, or is there a function "allow clients to talk to each other" on Wireless 3/IoT?
Thanks again,
Frank
- schumaku (Guru - Experienced User)
Frank,
On the Orbi Pro WiFi 6 system, all LAN2...LAN5 have individual VLAN profiles (e.g. the default IoT LAN3/VLAN 40) where you can configure the Wireless Isolation (along with the, in my opinion, much too simple "Network Isolation"), for example.
Orbi Pro WiFi 6 User Manual p.112 ff.
To question #1, the short answer is yes. It is possible within each SSID to toggle device isolation on/off and allow devices within that LAN to discover and interact with one another. I haven't played enough with the network isolation to determine if it operates one way or two way. Certainly when toggled on, devices on that particular LAN cannot access devices connected on the other LANs. Don't know (but suspect it is the case) that being on also prevents devices on other LANs from discovering devices on the LAN in question. Will have to check that.
Thanks Steve, but I agree that usually you can toggle the SSID client isolation, but the manual stating they can't see each other on Wireless 3 scares me. And I don't want to spend hundreds of dollars to find out the manual is correct.
Has anyone got devices on IoT to interact on the Pro 6 or any mesh network? Again, this is a HOME network with very non-technical users who will be adding non-PC devices wirelessly on and off as new devices come out. Trying to not just add them to the 'regular' or employee network.
I can say with confidence that on VLAN 2 all attached devices can see and communicate with one another when I turn off "client isolation", and the same for VLAN #4, which is the guest network. I haven't tested this on VLAN #3 (which is labeled IoT by default), but the settings that control this are EXACTLY the same, so I will say with a lot of confidence that with client isolation disabled any client attached to any VLAN can see and communicate with any other client attached to that VLAN. So affirm that the answer to your question #1 is yes.
I checked on the network isolation and as I expected it is 2 way. In other words when network isolation is enabled say on VLAN #3 devices on VLAN #3 cannot see devices on VLANs 1,2,4 or 5 and the converse devices on VLANs 1,2,4 and 5 cannot see devices on VLAN #3. Doesn't matter if 1,2,4,5 have network isolation enabled or disabled they cannot see any VLAN where network isolation is enabled.
This folds back to your question "are there firewall settings" that might allow this which is well beyond my Orbi Pro WiFi 6 expertise at this point.
- JohnD333Apprentice
Frank,
Hope the below helps.
Everything on SSID 1 (admin) can see and (via app) talk to those on SSID 3 (IoT). But not the other way around. So with SSID iPhone, I can tell an iRobot on SSID 3 to vacuum via the app on the phone. I can monitor and change my IoT thermostat, etc. This is done via an iPhone app where I have entered the IP address for each device, or physically on the IoT device where I can set up a fixed IP address (Nexia thermostat), or the device website that contains the same fixed IP address. All of these IoT devices have fixed addresses that I use from my reserved pool, i.e., below the starting point for the DHCP addressing. DHCP addressing normally starts at __.___.__.02. I start at 51 or 101 to allow me to assign 50 or 100 devices that will always have the same IP address.
(Normally) Alexa Echo Dot etc. (SSID IoT) cannot see an external speaker on SSID 1 or broadcast to it. If on the same SSID, speakers can be connected to various sats or the main router and play normally. A phone on SSID 1 can make changes to an Echo Dot on SSID IoT, but again that is because you use an app that knows the IP address of the Echo Dot. I say (Normally) because I have not tried to look for app settings that would allow me to specify an IoT IP address. That probably will not work, but have not tried - something to attempt in spare time.
Hardwired connections to devices and switches are all SSID 1 by default. My TV, Roku, sat receiver, AV receiver etc. are all hardwired. My Echo Dot cannot see or communicate with them, but my SSID wifi phones etc. can stream or AirPlay to any of them regardless which Orbi SAT or Router phone is connected to. My AV receiver has wifi, but terrible location so use wired that has been there for years. That locks all related wifi speakers to SSID 1, or they will not be seen. But I do not want Alexa Echo Dots etc. anywhere near SSID 1, so Echos are IoT SSID. All mics and cameras on SSID 1 off by default.
- youngbru (Aspirant)
Sorry to resurrect an old thread, but I am not able to communicate from VLAN1 to VLAN3 with network isolation enabled only on VLAN3 and client isolation disabled (both network and client isolation disabled on VLAN1). I can, of course, control devices on VLAN3 through an app that communicates with the device through the cloud, but I am unable to ping the device from a device on VLAN1. I can communicate if I connect my device (phone/computer) to VLAN3.
Did you have to do anything extra in the settings to enable this functionality?
- GMoGoody8 (Luminary)
youngbru, this is the "network isolation" setting in VLAN setup. If you disable this though you lose the security you were probably hoping to keep.
The newer FW just released now allows mDNS rules. This allows only Multicast which most devices use for discovery/communication. I enabled this and created two rules for "all services" from VLAN 1 to VLAN 3 and another from VLAN 3 to VLAN 1. This allows all my HomeKit communication to be local now and keeps the network isolation I wanted for security.
I verified this by powering down my HomeKit hubs and my Phone on VLAN 1 could get status from everything on VLAN 3
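Added example, not part of any post in this thread and not NETGEAR code: a way to audit what an mDNS rule like the one described above exposes across an isolated VLAN boundary. It parses mDNS datagrams (UDP port 5353 payloads captured on one VLAN) and lists the advertised IPv4 addresses that belong to a different VLAN. The subnets, the `VLANS` table and the sample packet are assumptions made up for illustration.

```python
import ipaddress, struct

# Assumed subnets (constructed); substitute the ranges of your own VLAN profiles.
VLANS = {"VLAN1": ipaddress.ip_network("192.168.1.0/24"),
         "VLAN3-IoT": ipaddress.ip_network("192.168.40.0/24")}

def skip_name(buf, pos):
    """Return the offset just past a (possibly compressed) DNS name."""
    while buf[pos] and buf[pos] & 0xC0 != 0xC0:
        pos += 1 + buf[pos]                  # step over one length-prefixed label
    return pos + (2 if buf[pos] else 1)      # pointer = 2 bytes, terminator = 1

def a_records(packet):
    """IPv4 addresses from every A record in one mDNS datagram."""
    found = []
    try:
        _, _, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
        pos = 12
        for _ in range(qd):
            pos = skip_name(packet, pos) + 4     # skip QTYPE + QCLASS
        for _ in range(an + ns + ar):
            pos = skip_name(packet, pos)
            rtype, _, _, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
            if rtype == 1 and rdlen == 4:        # A record
                found.append(str(ipaddress.ip_address(packet[pos + 10:pos + 14])))
            pos += 10 + rdlen
    except (IndexError, struct.error, ValueError):
        pass                                     # truncated or malformed datagram
    return found

def vlan_of(ip):
    """Name of the configured VLAN containing ip, or "other"."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), "other")

def cross_vlan_hosts(packets, home="VLAN1"):
    """(ip, vlan) pairs advertised over mDNS from outside the listener's VLAN."""
    hosts = {(ip, vlan_of(ip)) for p in packets for ip in a_records(p)}
    return sorted(h for h in hosts if h[1] != home)

# Constructed sample: one mDNS response advertising a device at 192.168.40.23.
SAMPLE = (struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0) + b"\x0athermostat\x05local\x00"
          + struct.pack("!HHIH", 1, 0x8001, 120, 4) + bytes([192, 168, 40, 23]))

if __name__ == "__main__":
    print(cross_vlan_hosts([SAMPLE]))
```

Running the same check from a device on the IoT VLAN (with `home="VLAN3-IoT"`) shows which trusted-VLAN hosts a rule in the reverse direction makes discoverable to IoT devices.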