AE8U
Nov 21, 2024, Aspirant
RBR750 (AX4200)
I am converting my network to pfSense. I plan to have 3 networks - the main LAN, an IoT vlan, and a Guest vlan. I was able to set up those vlans in Orbi. However, I do not want to use Orbi as the rou...
CrimpOn
Nov 21, 2024, Guru - Experienced User
The Orbi 750 router has no knowledge of VLAN - none. All packets coming from the Orbi to the pfSense will be "untagged". It does not matter what 'mode' the Orbi is in ('router' vs 'access point'). The only difference between 'router' and 'access point' is that 'access point' disables the Network Address Translation which would hide every device behind the Orbi WAN IP address.
Devices connected to the system in three ways appear in the same IP subnet:
- Any device 'wired' to the router or any satellite
- Any device connected to the primary WiFi network
- Any device connected to the IoT WiFi network
Devices connected to the Guest WiFi network are assigned IP addresses in a different IP subnet.
- AE8U, Nov 21, 2024, Aspirant
So then, the second part of the question is what do I need to accomplish my goal? The Orbi is my only WiFi access device. And I want the pfSense to segregate the devices. So what do I need to do? If I place a managed switch between Orbi and pfSense, can I get there?
- CrimpOn, Nov 21, 2024, Guru - Experienced User
This may be a topic best raised on a pfSense user forum.
When operating as a 'router', Orbi AX systems block devices on the guest WiFi from communicating (a) with each other, and (b) with the primary network (wired and WiFi). They connect only to the internet. (Personally, I preferred the original Orbi system which allowed the user to choose whether 'guests' could communicate with each other and with the primary network ... or not. I thought of "Guest WiFi" in terms of (a) temporary, (b) could be changed to a different SSID/password without affecting any 'permanent' devices, and (c) could be disabled at any time without affecting permanent devices. I would find it really irritating to have guests over and say, "oh, no. YOU can't print because you are on the Guest WiFi." So, I would let them communicate and change the password after they left. But.... Netgear went with what they thought appealed most to customers. ..... or what some programmer decided at the time.)
I would have to get out an RBR750 and set it up again, but my memory is that even in AP mode, the Orbi assigns guest WiFi devices to a different IP subnet. Once traffic leaves the Orbi WAN port, it would take an experiment to see what they can communicate with. IoT... no chance.
- CrimpOn, Nov 21, 2024, Guru - Experienced User
Did an experiment with an RBR750, configured with a Guest WiFi network. This router is connected to my primary network (also an Orbi) and because the primary network defined 192.168.1.x for the LAN subnet, this RBR750 switched to use 10.0.0.x for its own LAN subnet.
- When a device connected to the Guest WiFi network, it was assigned an IP address of 10.0.1.x, i.e. a different IP subnet. This device was not able to communicate with anything on the primary network.
- Switched the RBR750 to Access Point (AP) mode. When this happened, every device on the primary network of the RBR750 was assigned an IP by the base router in the 192.168.1.x LAN subnet. This is what we expect to happen with AP mode. However, a device connected to the RBR750 Guest WiFi remained in the 10.0.1.x subnet. It could not communicate with any devices on the primary network. Not devices connected to the RBR750, but also not devices connected to the base network.
My conclusion remains the same:
- When an Orbi AX system in AP mode is connected to a network (router, firewall, whatever) devices on the primary and IoT network will receive IP assignments from the network DHCP server. Devices connected to the Guest WiFi network will be assigned IPs in a different LAN subnet and will be segregated from the primary network.
- Thus, keeping Guest WiFi devices segregated is "no problem". Separating devices on the primary network from devices on the IoT network cannot be done with the Orbi AX product. The pfSense firewall might be able to accomplish something in terms of using the DHCP server to assign IPs based on MAC address:
  - Devices in the primary network could be assigned IPs in one IP subnet, for example 192.168.1.x, with subnet mask 255.255.255.0, and devices in the IoT network could be assigned IPs in 192.168.2.x, with subnet mask 255.255.255.0
  - If a device attempts to 'scan' its IP subnet, it will find only devices in that group of devices.
  - It might be possible to create rules in pfSense to prevent devices in one subnet from communicating with devices in the other subnet.
The "bottom line" (to me) remains that this is a topic for pfSense experts.
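
Added example, not part of the thread and not pfSense or Netgear code: because the Orbi sends everything untagged, the MAC-based DHCP split described above puts both subnets on one Layer 2 segment, so a firewall only sees traffic that crosses subnets and the address a device actually uses is not enforced. This Python sketch audits observed MAC/IP pairs (for example from an ARP table) against the plan; the subnets are the ones named in the post, while the MAC addresses and observations are constructed.

```python
import ipaddress

# Subnets are the ones named in the post; MACs are constructed placeholders.
SUBNETS = {
    "primary": ipaddress.ip_network("192.168.1.0/24"),
    "iot": ipaddress.ip_network("192.168.2.0/24"),
}
PLAN = {  # MAC -> intended group (hypothetical devices)
    "aa:bb:cc:00:00:01": "primary",
    "aa:bb:cc:00:00:02": "primary",
    "aa:bb:cc:00:00:10": "iot",
    "aa:bb:cc:00:00:11": "iot",
}

def group_of(ip):
    """Return the name of the planned subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((g for g, net in SUBNETS.items() if addr in net), None)

def crosses_firewall(src_ip, dst_ip):
    """True if the flow is routed, so firewall rules can apply to it.
    Same-subnet traffic is delivered on-link and never reaches the router;
    addresses outside the planned subnets are treated as off-link."""
    src, dst = group_of(src_ip), group_of(dst_ip)
    return src is None or dst is None or src != dst

def audit(observed):
    """Compare observed (mac, ip) pairs against the MAC-to-group plan."""
    findings = []
    for mac, ip in observed:
        mac = mac.lower()
        planned, actual = PLAN.get(mac), group_of(ip)
        if planned is None:
            findings.append((mac, ip, "unknown MAC"))
        elif actual != planned:
            findings.append((mac, ip, f"planned {planned}, found in {actual}"))
    return findings

# Constructed observations: one IoT device holds a primary-subnet address.
OBSERVED = [
    ("AA:BB:CC:00:00:01", "192.168.1.20"),
    ("aa:bb:cc:00:00:10", "192.168.2.30"),
    ("aa:bb:cc:00:00:11", "192.168.1.99"),
    ("aa:bb:cc:00:00:7f", "192.168.2.40"),
]

if __name__ == "__main__":
    for finding in audit(OBSERVED):
        print(finding)
```
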