JmsWhitlow (Aspirant)
Nov 28, 2025
Router Recommendations
I am hopeful that a knowledgeable someone can save me some research time in selecting a new router. I have a few must haves and a few nice to haves:
Must Haves:
- VLAN support with wireless for each VLAN
- Port level VLAN with at least 3 ports
- Mesh capabilities that support both wired and wireless back-haul
- Gigabit or faster Ethernet ports (preferably 5+)
Nice Must Haves:
- Load balancing for multiple WANs
- Automatic switching to backup WAN if primary fails
- Port isolation configurable for each VLAN
I am using a much older, non-mesh router now, but it does have Fresh Tomato firmware on it that supports port-level VLANs with ability for each VLAN to have its own wireless. This allows me to keep my IoT devices separated from my primary VLAN. It also allows me to keep my guest network separate from both my primary and IoT VLANs. I am hopeful to upgrade to a new mesh router while keeping these abilities.
I currently have a primary and backup Internet provider and use a physical switch to toggle when needed. If possible, I would like to have the router either switch automatically for me or load balance.
9 Replies
- CrimpOn (Guru - Experienced User)
This would be an ideal opportunity for someone to post links to information regarding the vulnerability of typical IoT devices. My observation is that typical IoT devices:
- Do not accept network connections at all.
- Operate by opening a connection to their "Cloud" to receive commands from their smartphone app.
- May not even respond to network ICMP probes. (Amazon Echo Dot, for example. Try to ping one.)
- Have very limited capabilities.
Seems (to me) that a much more dangerous thing to have on the primary LAN is something like a computer, laptop, tablet, or smartphone.
- StephenB (Guru - Experienced User)
JmsWhitlow wrote:
This allows me to keep my IoT devices separated from my primary VLAN. It also allows me to keep my guest network separate from both my primary and IoT VLANs.
Is the goal here just to have
- a main wifi network
- an IoT network (distinct, but can reach the main network and vice-versa)
- a Guest Network (isolated)
You can get this with WiFi 7 Orbi products, but the technology used is not VLAN.
- JmsWhitlow (Aspirant)
StephenB wrote:
an IoT network (distinct, but can reach the main network and vice-versa)
I wish to keep IoT devices completely isolated from my primary network.
All of the things in my Must Have list are easily accomplished with many non-mesh routers using custom firmware. That is exactly what I am doing currently. I use Fresh Tomato. However, my router is quite old and only offers 100 Mbps speeds. It is quite overdue for an upgrade! I was hoping to set up a mesh network, but it appears that I will have to basically repeat what I previously did, but with a newer non-mesh router. I think I am going to have to buy a modern non-mesh router and flash it with custom firmware like Fresh Tomato or OpenWRT.
With Fresh Tomato I can create multiple VLANs. I can assign specific port(s) to a specific VLAN. I can also have WiFi for each VLAN. It works quite well and keeps things isolated. I was hoping (not actually expecting) that there might be a mesh system that either offered these features with built-in firmware or could be flashed to do so.
Since many IoT devices do not have good security or anti-malware and can go for long periods of time without updates, it seems dangerous (in my opinion) to keep them on the primary LAN.
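The complete isolation asked for above (IoT and guest VLANs that reach the Internet but never the primary VLAN or each other), written as an nftables ruleset for a Linux-based router such as one flashed with OpenWRT. This is an added example, not part of any post in this thread; the interface names and VLAN IDs are assumptions, and NAT toward the WAN is assumed to be configured elsewhere.

```nftables
#!/usr/sbin/nft -f
# Added example. Interface names and VLAN IDs are assumptions.
define WAN     = "eth0"
define PRIMARY = "eth1.10"   # VLAN 10: primary computers
define IOT     = "eth1.20"   # VLAN 20: IoT devices
define GUEST   = "eth1.30"   # VLAN 30: guests

table inet vlan_isolation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were allowed out.
        ct state established,related accept
        ct state invalid drop

        # Every VLAN may reach the Internet (IPv4 and IPv6) and nothing else.
        iifname { $PRIMARY, $IOT, $GUEST } oifname $WAN accept

        # Inter-VLAN traffic has no accept rule, so it hits the drop policy.
        # These explicit rules only add counters for visibility.
        iifname $IOT   oifname { $PRIMARY, $GUEST } counter drop
        iifname $GUEST oifname { $PRIMARY, $IOT }   counter drop
        iifname $PRIMARY oifname { $IOT, $GUEST }   counter drop
    }

    chain input {
        type filter hook input priority filter; policy accept;

        # IoT and guest clients get DHCP, DNS and IPv6 neighbour discovery
        # from the router, but not its admin interface or other services.
        iifname { $IOT, $GUEST } ct state established,related accept
        iifname { $IOT, $GUEST } udp dport { 53, 67, 547 } accept
        iifname { $IOT, $GUEST } tcp dport 53 accept
        iifname { $IOT, $GUEST } icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept
        iifname { $IOT, $GUEST } counter drop
    }
}
```

These rules only filter traffic routed between VLANs; keeping clients on the same VLAN or SSID from talking to each other is done on the switch or access point, not here.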
- StephenB (Guru - Experienced User)
JmsWhitlow wrote:
I wish to keep IoT devices completely isolated from my primary network.
Ok. Orbi (and Netgear routers generally) have a different policy -
- the guest network is isolated (both from the main network, and clients are isolated from each other).
- the IoT network is not isolated, but can be limited to 2.4 GHz (or 5 GHz only), and can have WPA2 security.
This works better for me than isolating the IoT devices, as it allows me to access them locally from my phone w/o needing to join the IoT network to do that. Personally, I'm not convinced that isolating IoT devices accomplishes much as far as consumer security goes (some reasons are below). But of course different people will have different opinions on that.
CrimpOn wrote:
This would be an ideal opportunity for someone to post links to information regarding the vulnerability of typical IoT devices.
Maybe read through these:
- https://iotbreakthrough.com/is-iot-finally-secure-what-2025-taught-us-about-cyber-risk-in-connected-devices/
- https://blogapp.bitdefender.com/hotforsecurity/content/files/2025/10/2025_iot_security_report.pdf
Reading through the second report:
- Streaming devices, smart TVs, and IP cameras now sit at the top of the vulnerability pyramid, collectively representing more than half of all CVE-class issues detected in smart homes.
- A lot of the report is centered on the hijacking of IoT devices into botnets that can launch massive cyber attacks. Isolating them on your home network won't do much, since those attacks aren't aimed at the consumer who owns them.
- A lot of the other threats are privacy leakage/data gathering - in other words, surveillance. The information being gathered is often only from the device itself (TV, streaming device, IP camera), so isolation probably won't help much there either. That said, TVs and streaming appliances are reasonably powerful, and could be hijacked to gather information from other devices on your home network.
The report classifies a NAS as an IoT device, which I find a bit odd.
- CrimpOn (Guru - Experienced User)
JmsWhitlow wrote:
'Must Have' is VLAN support with wireless for each VLAN.
This requirement kills the idea of using one conventional mesh WiFi system. It would be possible to deploy the same number of mesh WiFi systems as desired wireless VLANs. i.e., if three VLANs are required, that means three mesh WiFi systems.
- donawalt (Mentor - Experienced User)
JmsWhitlow, from your must haves, the 970 series does have both wired and wireless backhaul - I have two 970 satellites using wired and I have had them on wireless backhaul too. They have a dedicated wireless backhaul band as well. Also, the 971s support Ethernet connections with 2x2.5GB ports and 1 10GB port. I have my satellites and router wired with 10G. Sweet!
As for VLAN, as others have said - Home-class Orbi systems (like the 970) do not offer true VLAN configuration on the LAN side in the way a business or prosumer router would (e.g., defining custom VLAN IDs, assigning ports to VLANs). They also do not support VLAN tagging for individual SSIDs that map Wi-Fi traffic to specific VLANs for LAN segmentation. I have not used it or have any experience with it, but to get real VLAN capabilities that can be assigned to specific wired ports, tagged/trunked to a managed switch, and have wireless VLANs per SSID, you would need a business-class router/AP system such as Orbi Pro (supports VLAN tagging & SSID-VLAN mapping) or a different brand with true VLAN/802.1Q features. See this link for info:
Or as others have suggested, you can use the Orbi as a pure AP and place a separate router/firewall (with VLAN support) in front of it.
- plemans (Guru - Experienced User)
- you won't get that all on a stock consumer router.
- build your own router using opnsense or pfsense and build it for the wired capabilities. Then just add the mesh network in access point mode that meets your needs.
- JmsWhitlow (Aspirant)
I made a typo in my headings. 'Nice Must Haves' should have been 'Nice to Haves'. I am pretty sure there are Orbis that have mesh capabilities with both wired and wireless back-haul since I know people with much older Orbis that offer this. I am also reasonably sure that there are versions that have gigabit Ethernet ports. So, the only other 'Must Have' is VLAN support with wireless for each VLAN. Do any of the Orbi mesh units offer VLAN capabilities? If so, can a VLAN be assigned to a specific port? If not, does it offer VLAN tagging? If yes to either, can I have a wired and wireless for each VLAN?
I am wishing to have 3 VLANs with both wired and wireless connections. I wish to have a VLAN for my primary computer as well as a guest network and IoT network.