Forum Discussion
AE8U
Nov 21, 2024, Aspirant
RBR750 (AX4200)
I am converting my network to pfSense. I plan to have 3 networks - the main LAN, an IoT vlan, and a Guest vlan. I was able to set up those vlans in Orbi. However, I do not want to use Orbi as the rou...
AE8U
Nov 21, 2024, Aspirant
So then, the second part of the question is what do I need to accomplish my goal? The Orbi is my only WiFi access device. And I want the pfSense to segregate the devices. So what do I need to do? If I place a managed switch between Orbi and pfSense, can I get there?
CrimpOn
Nov 21, 2024, Guru - Experienced User
This may be a topic best raised on a pfSense user forum.
When operating as a 'router', Orbi AX systems block devices on the guest WiFi from communicating (a) with each other, and (b) with the primary network (wired and WiFi). They connect only to the internet. (Personally, I preferred the original Orbi system which allowed the user to choose whether 'guests' could communicate with each other and with the primary network ... or not. I thought of "Guest WiFi" in terms of (a) temporary, (b) could be changed to a different SSID/password without affecting any 'permanent' devices, and (c) could be disabled at any time without affecting permanent devices. I would find it really irritating to have guests over and say, "oh, no. YOU can't print because you are on the Guest WiFi." So, I would let them communicate and change the password after they left. But.... Netgear went with what they thought appealed most to customers. ..... or what some programmer decided at the time.)
I would have to get out an RBR750 and set it up again, but my memory is that even in AP mode, the Orbi assigns guest WiFi devices to a different IP subnet. Once traffic leaves the Orbi WAN port, it would take an experiment to see what they can communicate with. IoT... no chance.
- CrimpOn, Nov 21, 2024, Guru - Experienced User
Did an experiment with an RBR750, configured with a Guest WiFi network. This router is connected to my primary network (also an Orbi) and because the primary network defined 192.168.1.x for the LAN subnet, this RBR750 switched to use 10.0.0.x for its own LAN subnet.
- When a device connected to the Guest WiFi network, it was assigned an IP address of 10.0.1.x, i.e. a different IP subnet. This device was not able to communicate with anything on the primary network.
- Switched the RBR750 to Access Point (AP) mode. When this happened, every device on the primary network of the RBR750 was assigned an IP by the base router in the 192.168.1.x LAN subnet. This is what we expect to happen with AP mode. However, a device connected to the RBR750 Guest WiFi remained in the 10.0.1.x subnet. It could not communicate with any devices on the primary network. Not devices connected to the RBR750, but also not devices connected to the base network.
My conclusion remains the same:
- When an Orbi AX system in AP mode is connected to a network (router, firewall, whatever) devices on the primary and IoT network will receive IP assignments from the network DHCP server. Devices connected to the Guest WiFi network will be assigned IPs in a different LAN subnet and will be segregated from the primary network.
- Thus, keeping Guest WiFi devices segregated is "no problem". Separating devices on the primary network from devices on the IoT network cannot be done with the Orbi AX product. The pfSense firewall might be able to accomplish something in terms of using the DHCP server to assign IPs based on MAC address:
- Devices in the primary network could be assigned IPs in one IP subnet, for example 192.168.1.x, with subnet mask 255.255.255.0 and devices in the IoT network could be assigned IPs in 192.168.2.x, with subnet mask 255.255.255.0
- If a device attempts to 'scan' its IP subnet, it will find only devices in that group of devices.
- It might be possible to create rules in pfSense to prevent devices in one subnet from communicating with devices in the other subnet.
The "bottom line" (to me) remains that this is a topic for pfSense experts.
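An added example, not part of the original posts and not Netgear or pfSense code: a Python check of the address plan described in the reply above (primary in 192.168.1.x, IoT in 192.168.2.x, mask 255.255.255.0). It audits observed MAC/IP pairs against the plan and shows which flows cross subnets and so reach the router where a block rule could act. The MAC addresses, inventory and observations are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Address plan from the post: both subnets use mask 255.255.255.0.
SEGMENTS = {
    "primary": ipaddress.ip_network("192.168.1.0/24"),
    "iot": ipaddress.ip_network("192.168.2.0/24"),
}

# Constructed inventory: MAC -> intended segment.
PLAN = {
    "aa:bb:cc:00:00:01": "primary",
    "aa:bb:cc:00:00:02": "iot",
    "aa:bb:cc:00:00:03": "iot",
}

# Constructed observations, standing in for a DHCP lease or ARP table export.
OBSERVED = [
    ("aa:bb:cc:00:00:01", "192.168.1.20"),
    ("aa:bb:cc:00:00:02", "192.168.2.31"),
    ("aa:bb:cc:00:00:03", "192.168.1.77"),  # IoT device holding a primary address
    ("aa:bb:cc:00:00:09", "192.168.2.40"),  # MAC missing from the plan
]

def segment_of(ip):
    """Return the name of the planned segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def audit(plan, observed):
    """List (mac, ip, reason) for devices that do not match the plan."""
    findings = []
    for mac, ip in observed:
        want, got = plan.get(mac.lower()), segment_of(ip)
        if want is None:
            findings.append((mac, ip, "unknown-mac"))
        elif got != want:
            findings.append((mac, ip, f"expected-{want}-got-{got}"))
    return findings

def crosses_router(src_ip, dst_ip, mask="255.255.255.0"):
    """True if dst is outside src's subnet, so the packet goes via the gateway.
    Same-subnet traffic is delivered directly and never meets a router rule."""
    src_net = ipaddress.ip_network(f"{src_ip}/{mask}", strict=False)
    return ipaddress.ip_address(dst_ip) not in src_net

if __name__ == "__main__":
    for finding in audit(PLAN, OBSERVED):
        print(finding)
```

The third constructed device is the case to watch for: an IoT MAC holding a 192.168.1.x address is in the same subnet as primary devices, so `crosses_router` is false for it and an inter-subnet rule would never see that traffic.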
- AE8U, Nov 22, 2024, Aspirant
Here is what I am confused about. When I select Enable VLAN/Bridge Setup and then By VLAN Tag Group (see image below) in the Advanced/Advanced tab, what does that mean? If I assign the Guest WiFi to VLAN 10 and to Port 1, what does that mean? Does it mean that it is segregating the data packets going from the WiFi connection logged in to the Guest network to port 1 of the Orbi? Since the Orbi has 3 network ports (other than WAN), and the VLAN has 3 ports to be assigned, it seems like that is what it is saying. So if I inserted a managed switch between the Orbi and the upstream router (pfSense) and I connect port 1 of the Orbi to port 1 of the managed router, would Orbi only transmit its data packets coming from the Guest network through port 1 of the Orbi and thus also through port 1 of the switch? If that is correct, then I should be able to add the tagging at the switch, if it isn't already tagged.
Additionally, the latest manual which I can download from the Netgear site specifically calls this a VLAN Tag Group as well. That indicates to me that Orbi is tagging the container for the data packets.
So I am still confused what is happening when I set this up.
Thanks for all your help with this.
Mike
- CrimpOn, Nov 22, 2024, Guru - Experienced User
AE8U wrote:
Here is what I am confused about. When I select Enable VLAN/Bridge Setup and then By VLAN Tag Group (see image below) in the Advanced/Advanced tab, what does that mean?
The key is to click on the little "Help" arrow at the bottom of the screen. It says essentially what the User Manual says on page 74:
This has absolutely nothing to do with creating VLANs on the internal network. It is a means to support IP televisions for specific Internet Service Providers. If the ISP says, "To enable IPTV, the customer must enable VLAN xxx" then that is the only way to get IPTV to work.