David_Ch
Jan 04, 2025 Aspirant
Re: Orbi RBR750 Wifi Guestnetwork and VLAN.
Hi G4Net, I was a FW/SW engineer focused on protocols on L2/L2 management switch development and switched to WiFi AP design 20 years ago. My wild guess/$2c about the truth behind why you are s...
schumaku
Jan 05, 2025 Guru
David_Ch strongly doubt, and fully disagree.
The Wireless Guest network isolation (a network that only exists on the Orbi devices, a Wi-Fi network!) as implemented on the proprietary Orbi consumer systems is purely clever L2 filtering, not magically hiding some L3 VLAN tagging. This would have been unveiled over the many years of the Netgear Orbi systems, and a workaround would have been published long before.
The only area where VLANs are used is on the WAN (Internet) adapter, to implement a simple VLAN bridge to e.g. one or multiple ports to connect some IP TV media boxes.
- David_Ch Jan 06, 2025 Aspirant
Sure, it’s even nicer and good to know my wild guess is wrong. Wonderful.
BTW, VLAN is an L2 protocol, not L3. For some management switches I don’t want to point out, they have been implementing IGMP Snooping through the hack/tight with specific VLAN ID. STP/VLAN/Any bridging protocols are L2 protocols.
Thanks for your sharing and proving I am wrong.
Cheers,
-Dav Cheng-
- CrimpOn Jan 06, 2025 Guru
The best thing about the Community Forum (to me) is the opportunity to explore unusual technical issues.
It appears to me that this discussion has mixed two different topics:
- Attempting to isolate wired devices from the rest of the primary network. (The term IoT threw me at first because I did not read the problem carefully in:
https://community.netgear.com/t5/Plus-and-Smart-Switches-Forum/Orbi-RBR750-and-GS108Ev3-VLAN-issues/m-p/2185221)
IoT is the description Netgear used to describe a WiFi network with different features from the primary network and the Guest WiFi network. That discussion was not about WiFi IoT. Rather it was an attempt to find a mechanism to prevent communication between two wired devices (thus on the primary network. Assigned IPs by the Orbi router.) and the rest of the primary network.
As DaneA pointed out, the only way to achieve this would be through the use of a router that supports VLANs, which the Orbi residential product line does not. These managed switches support VLAN, but that cannot separate communication once it is delivered to the router or a satellite.
- A discussion of what mechanism Netgear uses to separate devices on the Guest WiFi network from the primary network (wired & WiFi). As far as I am aware, there is no documentation available to the public which explains how this is done. Whereas the original Orbi WiFi5 products assigned devices on the Guest WiFi network IPs in the same IP subnet as the primary network, the AX product line (and the BE products?) use a separate IP subnet for Guest WiFi devices. Unlike the original Orbi, which allowed the owner to enable (or disable) the ability for devices on the Guest WiFi network to communicate with the primary network, AX products offer no option. Guest WiFi devices can communicate only with the Internet.
This means that packets to/from Guest WiFi devices travel through the same backhaul network between Orbi router and satellites as everything else (router-satellite communication, primary network communication, and WiFi IoT network communication). The topic of this second discussion is how Netgear identifies Guest WiFi traffic and keeps it separate from the primary network.
One solution might be to use VLAN tags on Guest WiFi packets and set up the backhaul network as a tagged VLAN.
Another solution might be to manage packets at the WiFi interface.
  - If the packet comes from a device on the Guest WiFi network, the only possible destination is the Orbi router gateway address. If this is the IP address, then send the packet there. If not, then drop the packet.
  - In the reverse direction, when a packet arrives, use NAT lookup to find the internal IP address assigned to the device, then use ARP tables to discover which port to send that packet out. Same as with any other incoming packet. No need to involve VLAN in the process.
Of course, we'll never know what Netgear chose to do.
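The second approach in the post above (filtering at the WiFi interface, no VLAN), as an added example that is not part of the thread and not Netgear's implementation: a Python model of an ingress filter on a guest SSID. The MAC and IP values, the subnets and the names `Frame` and `guest_ingress_verdict` are constructed assumptions, and the gateway check is done on the destination MAC so that Internet-bound packets, whose destination IP is remote, still pass.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (assumptions), not Orbi defaults.
GATEWAY_MAC = "02:00:00:00:00:01"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
GUEST_NET = ipaddress.ip_network("192.168.2.0/24")
GUEST_GATEWAY_IP = ipaddress.ip_address("192.168.2.1")
PRIMARY_NET = ipaddress.ip_network("192.168.1.0/24")

@dataclass(frozen=True)
class Frame:
    dst_mac: str
    ethertype: str       # "arp" or "ipv4"
    dst_ip: str          # ARP target IP, or IPv4 destination
    udp_dport: int = 0   # 0 when the payload is not UDP

def guest_ingress_verdict(frame: Frame) -> str:
    """Verdict for a frame received from a client on the guest SSID."""
    dst_ip = ipaddress.ip_address(frame.dst_ip)
    dst_mac = frame.dst_mac.lower()
    if frame.ethertype == "arp":
        # A guest may resolve only the gateway, so it never learns a neighbour's MAC.
        return "forward" if dst_ip == GUEST_GATEWAY_IP else "drop"
    if frame.ethertype != "ipv4":
        return "drop"
    if dst_mac == BROADCAST_MAC:
        # DHCP requests to the router are the only broadcast allowed through.
        return "forward" if frame.udp_dport == 67 else "drop"
    if dst_mac != GATEWAY_MAC:
        return "drop"    # L2 rule: unicast frames go to the gateway or nowhere
    if dst_ip in PRIMARY_NET:
        return "drop"    # L3 rule: the gateway must not route guests into the LAN
    if dst_ip in GUEST_NET and dst_ip != GUEST_GATEWAY_IP:
        return "drop"    # no guest-to-guest traffic hairpinned via the gateway
    return "forward"

SAMPLES = [  # constructed frames: (description, frame)
    ("internet via gateway", Frame(GATEWAY_MAC, "ipv4", "203.0.113.10")),
    ("primary LAN via gateway", Frame(GATEWAY_MAC, "ipv4", "192.168.1.50")),
    ("direct to another guest", Frame("02:00:00:00:00:99", "ipv4", "192.168.2.77")),
    ("ARP for gateway", Frame(BROADCAST_MAC, "arp", "192.168.2.1")),
    ("ARP for another guest", Frame(BROADCAST_MAC, "arp", "192.168.2.77")),
    ("DHCP discover", Frame(BROADCAST_MAC, "ipv4", "255.255.255.255", 67)),
]

if __name__ == "__main__":
    for label, frame in SAMPLES:
        print(f"{label:26} {guest_ingress_verdict(frame)}")
```

The L3 rules matter because the L2 rule alone still lets a guest address a primary-network host through the gateway; a quick isolation test from a guest client should therefore try both a direct neighbour and a routed primary-subnet address.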