Quazimodo
Aspirant
Nov 22, 2024

Unable to Use Guest Wifi in AP Mode and a Switched Wired Backhaul


Hi,


Summary: Need a solution to run a Guest Network on an Orbi 970 Wifi 7 system in AP mode with a switched and wired backhaul


I have a Firewalla Gold Pro router feeding internet into a Netgear Orbi 970 Wifi 7 System via a 10Gbps ethernet link. The RBE971 is in AP mode and drives the two satellites through an unmanaged 10Gbps ethernet switch. I bought this system for a low latency high speed network. Nothing else is connected to the 5-port switch. I'm running firmware V9.12.4.16 on the Orbi system, the latest as of 11/21/24.


This setup works extremely well for my main Wifi network (SSID). The RBE 971 in AP mode submits to the Firewalla for all DHCP address servicing. Any device that connects to the Wifi network gets its address from the Firewalla. The Wifi responsiveness is what I had hoped for and in that regard the user experience is good.


But this setup does not work when I set up the Guest network for the Orbi. The problem is as follows:


a) With wired backhaul: any device that is connected to the main RBE971 is able to use the internet. Any device that connects to the RBE970 satellites has a "limited internet connection" and cannot reach the internet. Packets seem to die at the satellite. If I move around the house with a device then internet availability dynamically changes whether I'm connected to the RBE971 or an RBE970 satellite.


b) When I change to a wireless backhaul, the Guest Wifi works all around. Whether I'm connected via the RBE971 or an RBE970. But I bought the Orbi system for the 10Gbps wired backhaul, the only one I could find with that. It is nice to know something works but without wired backhaul this is not useful to me.


Upon further investigation, it turns out that even though the RBE971 is in AP mode, the Guest Wifi still maintains a DHCP server that dispenses addresses in the 192.168.2.X range (not configurable). Something the rest of the network could not possibly know. This is in contrast to the main Wifi network that properly defers DHCP assignments to the Firewalla router.
An AP mode where the Guest network still acts like a router seems contradictory. My understanding, in the context of an AP mode, is that a VLAN tag approach should have been used to disambiguate Guest network ethernet packets from main Wifi network packets. And, based on VLAN ID, the Firewalla could be set up to dispense addresses on two different address submasks, therefore ensuring proper Guest network isolation and overall security.


It took me a while to track this down. However, with this explanation in mind I was able to find a number of threads where other users have experienced something similar. But all past resolutions seem to have to do with either disabling something called Guest network isolation or optionally choosing to use VLAN/Bridging options. The latter, which is similar to what I described above, would seem like the best option for a router in AP mode (at least to me). The problem is none of these options seem to exist in the modern RBE971 firmware. Looks like these options have disappeared as new products have been released. VLAN/Bridging is not even grayed out, it does not exist in the mode menu. Yet the manual talks about it on page 99. There is the following "solved" thread where the user received a firmware upgrade, but it does not apply to my case and nor does it discuss the idiosyncratic Guest Wifi DHCP server issue that my case needs solved:
https://community.netgear.com/t5/Orbi-WiFi-7-BE-Mesh-Systems/Guest-Network-Issue/td-p/2351191

Just to be sure, between the RBE971 and RBE970s, I've tried using ethernet switches from different vendors but the result remains the same. This switch is required.


Does anyone have a resolution for running a Guest Network on an Orbi 970 Wifi 7 system in AP mode with wired backhaul? Is there a way to use VLAN instead of having the Guest Network run a DHCP server?


Much appreciated for any help as without a Guest network this product is not useful to me.
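
The symptom described in this post, a second DHCP server answering guest clients from 192.168.2.X, can be confirmed from the wire by reading the server identifier (option 54) in each DHCP reply. The following is an added example, not part of the original post and not Netgear or Firewalla code; the router address 192.168.1.1, the 192.168.1.0/24 scope, the guest server address 192.168.2.1 and the sample packets are assumptions constructed for the demo.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2131)
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DHCPOFFER = 2

def parse_dhcp_reply(payload: bytes) -> dict:
    """Parse the BOOTP/DHCP payload of a server-to-client datagram (UDP 67 -> 68)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    if payload[0] != 2:                       # op field: 2 = BOOTREPLY
        raise ValueError("not a server reply")
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:             # pad option has no length byte
            i += 1
            continue
        if i + 2 > len(payload):
            raise ValueError("truncated DHCP option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated DHCP option")
        options[code] = value
        i += 2 + length
    if len(options.get(OPT_SERVER_ID, b"")) != 4:
        raise ValueError("reply without a valid server identifier")
    return {
        "offered": ipaddress.IPv4Address(payload[16:20]),        # yiaddr field
        "server": ipaddress.IPv4Address(options[OPT_SERVER_ID]),
        "msg_type": (options.get(OPT_MSG_TYPE) or b"\x00")[0],
    }

def audit_reply(payload: bytes, expected_server: str, expected_net: str) -> list:
    """Return findings for a reply that did not come from the intended DHCP server."""
    reply = parse_dhcp_reply(payload)
    findings = []
    if reply["server"] != ipaddress.IPv4Address(expected_server):
        findings.append(f"unexpected DHCP server {reply['server']}")
    if reply["offered"] not in ipaddress.ip_network(expected_net):
        findings.append(f"lease {reply['offered']} outside {expected_net}")
    return findings

def build_reply(offered: str, server: str) -> bytes:
    """Construct a DHCPOFFER payload for the demo (sample data, not a capture)."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234ABCD, 0, 0,
        bytes(4), ipaddress.IPv4Address(offered).packed, bytes(4), bytes(4),
        bytes.fromhex("020000000001"), b"", b"")
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4])
    opts += ipaddress.IPv4Address(server).packed + bytes([OPT_END])
    return fixed + MAGIC_COOKIE + opts

# Assumed addressing: upstream router 192.168.1.1 on 192.168.1.0/24,
# guest DHCP server at 192.168.2.1 (the post only gives the 192.168.2.X range).
MAIN_OFFER = build_reply("192.168.1.50", "192.168.1.1")
GUEST_OFFER = build_reply("192.168.2.23", "192.168.2.1")

if __name__ == "__main__":
    for name, pkt in (("main SSID", MAIN_OFFER), ("guest SSID", GUEST_OFFER)):
        print(name, audit_reply(pkt, "192.168.1.1", "192.168.1.0/24") or "ok")
```
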

22 Replies

  • Not Netgear, and even less practical knowledge on these Orbi WiFi 7 systems. However, a lot of experience on designing and implementing bigger SMB class networks. 

     

    What Orbi does (and this is the same for several Orbi generations!) is to maintain two networks on the same physical LAN, doing some L2 isolation. The guest network logically exists on Orbi devices only, and does apparently share the same wired backhaul. And it does -not- make use of VLANs for segregating this magic guest network. Really useful and meaningful is this guest network implementation only in Orbi router mode, and never in AP mode - unless I understand things wrong here.

     

     

    The obvious fix would be -if- Netgear would force tagged VLANs, at least for the guest network - and would add some controls to make this clearer. From the bigger picture, the Netgear Insight management does in general allow such configs, but not sure by how far this is implemented on the Orbi WiFi 7 product line. 

     

    As-is, I must say that you have chosen the wrong product combination for what you like to achieve with your small business class Firewalla, with random switch for the backhaul - and at the end of the day your limited networking know-how.

     

    Netgear does offer many different switches -and- Wireless Access Points supporting VLANs - and many are Insight manageable.

     

    To cause even more confusion in the market for normal end-users, the IEEE implemented this IEEE 1905.1 add-on to the Ethernet standardisation. Some vendors have pushed products to the market, apparently allowing seamless co-operation of multiple "networks" - promoted as wireless Mesh systems - but are not telling the users that all devices (including the switch infrastructure) need to be compliant to that other magic 1905.1.

     

    Sorry for destroying some (and more!) illusions here.

     

    Regards,

    -Kurt.

     

     


  • Quazimodo wrote:

    Does anyone have a resolution for running a Guest Network on an Orbi 970 Wifi 7 system in AP mode with wired backhaul? Is there a way to use VLAN instead of having the Guest Network run a DHCP server?


    Could you please confirm exactly how the router and satellites are connected.

     

    i.e.

    • The RBE971 router WAN port is connected to the Firewalla Gold, not to the 10GB Ethernet switch.
    • The RBE971 router 10GB LAN port is connected to the 10GB switch.
    • The two RBE970 satellites are connected to the 10GB switch.
    • schumaku
      Guru

      Not sure what this does change on the effective problem. Netgear has an obvious design and implementation flaw, raises wrong expectations on what does make up the supported and documented wired backhaul - regardless if we're facing router or AP operation mode. From my Netgear SMB networking view: Simply a poorly QA and beta tested my friend. So obvious ... .

       

      Regards,

      -Kurt.

    • CrimpOn
      Guru

      CrimpOn wrote:

      Quazimodo wrote:

      Does anyone have a resolution for running a Guest Network on an Orbi 970 Wifi 7 system in AP mode with wired backhaul? Is there a way to use VLAN instead of having the Guest Network run a DHCP server?


      Could you please confirm exactly how the router and satellites are connected.

       

      i.e.

      • The RBE971 router WAN port is connected to the Firewalla Gold, not to the 10GB Ethernet switch.
      • The RBE971 router 10GB LAN port is connected to the 10GB switch.
      • The two RBE970 satellites are connected to the 10GB switch.

      The reason for my question is that (at least one) previous Orbi AX system supports Guest WiFi both when satellites are connected to the router over WiFi and when they are connected using Ethernet ('wired').

       

      The RBR750 that is connected to my primary network is in AP mode.

      When this Orbi was connected to the primary network, it was assigned an IP address of 192.168.1.xxx by the primary network and created its own LAN subnet as 10.0.0.x

      One RBS750 satellite is connected to the RBR750 over WiFi backhaul.

      Guest WiFi is enabled on this Orbi system.

      When I connect a device to the Guest WiFi, it receives an IP address of 10.0.1.4 (notice that 10.0.1 is a different subnet than the previous primary subnet of 10.0.0).

      When I move the device close to the satellite and reconnect, the Attached Devices display shows it as connected to the Orbi Satellite.  Thus Guest WiFi works when devices are connected to satellites using WiFi backhaul.

      I then pulled an Ethernet cable down the hallway and connected the router and satellite using this cable.

      In a few minutes, the Attached Devices display now shows the satellite as 'Wired' Good.

      The Attached Devices display also shows that device connected to the Guest WiFi on the Orbi Satellite.

      Thus, Guest WiFi works when devices are connected to the satellite and the satellite is connected to the router using Ethernet. ('wired')

       

      I have no doubt that engineers can mess up anything.  Perhaps the 970 product does not properly support Guest WiFi when the satellites are 'wired'.  My old AX 750 system certainly does. (people are tripping over the Ethernet cable as I write this.)  If I had a 970 or 770 system, I would be reproducing the experiment (but I don't).

       

      If the 970 system is wired as asked above, I believe a Bug Report should be made to Netgear.  (the engineers broke something that used to work.)

       

       

       

      • Quazimodo
        Aspirant

         

        Hi,

         

         

         

        One setup works, the other does not. The setup that works unfortunately is no longer a 10Gbps network, which was my goal buying this equipment.

         

        This does not work:

        RBE971 (main "router") is connected through a 10Gbps LAN port to a TP-Link TL-SX105 switch port (a 5 port fanless 10Gbps unmanaged L2 switch with 100G switching capacity). The two satellites (RBE970) are each connected to a port of the same switch from their 10Gbps port. I've tried this with two switches of the same model, and another which is a TRENDnet (TEG-S750) with very similar characteristics. Same result. Devices that connect to the satellite via the guest network do not reach the internet. They have a "Limited Internet Connection" in Android for example.  Devices that connect to the RBE971 via the guest network are able to reach the internet, they don't go through the switch. I've not tried with a Mikrotik CRS-304, I don't own one (yet) but I'm not expecting a different result unless there is a L3 hack that I don't know of.  

         

        This does work: 

        RBE971 10Gbps LAN port is connected directly to the 10Gbps port of one of the RBE970 satellites. The other satellite has its 10Gbps port connected to one of the 2.5Gbps ports of the RBE971. So no 10Gbps network.  

         

        Thanks.

         

         

    • Quazimodo
      Aspirant

       

      First off, thanks for your responses. 

       

      Currently, the configuration that works for guest network, but has an unwanted 2.5Gbps link at e):

       

      a) Firewalla Gold Pro router LAN port connected to  a Mikrotik CRS312, a 10Gbps switch

      b) CRS312 port connected to WAN port of RBE971 in AP mode. This minimizes latency to wired gaming devices and network, critical for online gaming. 

      c) WAN port of RBE971 in AP mode connected to CRS312 switch, where it can't harm latency to wired network.

      d) 10 Gbps LAN port of RBE971 connected to 10 Gbps of an RBE970 satellite

      e) 2.5 Gbps LAN port of RBE970 connected to 10 Gbps of the other RBE970 satellite. 

       

      Prior to that I had a TP-Link TL-SX105 10Gbps switch in between c) to d), and c) to e). But the guest network did not work for the satellites. Everything else worked as a true 10Gbps network, including the main Wifi. The only issue was the guest network, because of the 192.168.2.X. 

       

      And even before that I had a) and b) and all 10Gbps LAN ports of RBE971 and RBE970 connected  to the CRS 312 switch. That did not work for main Wifi, you can't have the RBE971 WAN and LAN port on the same switch as per Netgear support. 

       

       

      Thanks.

       

       

       

      • FURRYe38
        Guru

        If you put a non managed switch, as a temporary test, Get a NG GS 105 or GS305 non managed switch in c) to d), and c) to e). Just connect the GS series switch to one of the other non 10Gb ports behind the RBR for now.

        This is only a 1Gb temporary test to see if you can get both RBS ethernet connected BEHIND the RBR with a non managed switch in between and Guest Network working. Thinking there is something going on with the TP-Link switch, may not be as fully non managed as they say. I have tested the above NG model switches with my 970 series and all works when ethernet connected in between the RBR and RBS when not using my XS505M and GS110MX. 

         

        WAN and LAN ports from the RBR can not be ever connected to the same switch. Causes a network loop and arp storm. All must be daisy chained connection wise. 

         

         


  • Quazimodo wrote:

    My understanding, in the context of an AP mode, is that a VLAN tag approach should have been used to disambiguate Guest network ethernet packets from main Wifi network packets.

    Perfectly correct!

     

    However, these VLAN associations must be configurable in both the Web UI as well as on Insight. And the documentation (starting from the data sheet!) requires bottom up revision. 

    • Quazimodo
      Aspirant

       

      Hi, 

       

      Thank you all for the replies.

       

      Given that VLAN tagging is a 26 year old protocol (IEEE 802.1Q), and that it should be quite easy to implement the software given hardware that clearly supports it, I'm left to wonder why they chose something that I feel is a lot more complicated. Further, it seems this was supported in previous Orbis. This could not have come from the engineering department.

       

      For now, I've temporarily removed the switch in between the Orbi and the satellites even though the manual clearly shows this is supported.  I am able to have the guest network working by using the 10Gbps LAN port and a 2.5Gbps LAN port to connect to the satellites. But this solution is one 10Gbps LAN port short of being acceptable. I bought this for 10Gbps support.

       

      Kurt: are you saying that there is a layer 3 hack that I can implement on a different switch that could make this work? Then I might get the Mikrotik CRS-304 to replace my layer 2 5-port switch. 

       

      Given the directions of some of the comments I feel the need to make some clarifications about my use case.

       

      a) This is for a home, not a business. I want simplicity, 10Gbps, low latency and a large coverage area. 

       

      b) I came to choose the Orbi 970 series system because it was the only one that has a 10Gbps backhaul that I could find. This network will be used for gaming, AV, local file transfers, uncompressed video and future proofing applications such as virtual reality. So high speed and low latency switching are factors in this choice. Solutions such as Unifi Wifi 7 have 2.5Gbps wired backhaul.  That takes the 7 out of Wifi 7, I'm not sure why anyone using Unifi for Wifi doesn't stop at Wifi 6e. I read the 168 page Orbi manual from cover to cover before buying (which is easier than it sounds, there is a lot of repetition) and I felt informed that it met my needs. The good reviews were also a factor.

        

      c) The small switch after the Orbi RBE971 was not there originally. I have a couple of professional layer 3 switches taking care of everything in my network but I had to add the switch after a number of lengthy support calls to Netgear. My regular Wifi was not working on the satellites, let alone the Guest network.  Turns out Orbi has other limitations on the wired backhaul due to the non-standard proprietary nature of their mechanism. I don't know the exact reason as details were not provided. But from what I deduce you need to have something in place that looks like a hardwired Minimal Spanning Tree or else the Orbi system can't deal with it. Even the regular Wifi SSID wouldn't work. So the switch was added. But then that breaks the Guest Network due to the 192.168.2.X business. I do not know of any product that Netgear makes that is comparable (small, fanless full 10Gbps switch). The most powerful I've seen is the Mikrotik CRS304-4X at $199 which has layer 3 features and 3 redundant power supplies. So I can't really get a Netgear switch, it doesn't exist as far as I can tell. I saw a Netgear M4350 switch at ~$4700 that came close though. But at that price, even if it did...

       

      d) The Firewalla Gold Pro is an extremely capable device targeting the home user such as myself. I can even get rid of my Unifi Cloud Key (or a Dream machine) by running Unifi Network in a container on its OS. It is a wonderful device and I don't have to spend hours configuring it like my two layer 3 switches. I can't say enough about it, let's not underestimate it. 

       

      Thanks.
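
The VLAN approach discussed in this post and the replies above it comes down to a 4-byte IEEE 802.1Q tag in the Ethernet header, which an upstream router reads to decide which segment, and therefore which DHCP scope, a frame belongs to. The following is an added example, not part of the original thread and not Netgear or Firewalla code; VLAN ID 20 for guests, the MAC addresses and the frames are constructed assumptions. It shows why untagged guest traffic crossing a switch is indistinguishable from main-network traffic.

```python
import struct

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

def parse_ethernet(frame: bytes) -> dict:
    """Split an Ethernet II header, unwrapping one 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, priority, offset = None, None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13           # PCP: top 3 bits of the tag control field
        vlan_id = tci & 0x0FFF         # VID: low 12 bits
        offset = 18
    return {"src": frame[6:12].hex(":"), "vlan_id": vlan_id,
            "priority": priority, "ethertype": ethertype,
            "payload": frame[offset:]}

def segment_for(frame: bytes, vlan_map: dict, native: str) -> str:
    """Pick the segment an upstream router would place this frame in."""
    vid = parse_ethernet(frame)["vlan_id"]
    if vid is None or vid == 0:        # untagged or priority-tagged: native network
        return native
    return vlan_map.get(vid, "drop (unknown VLAN)")

def make_frame(src_mac: str, vlan_id=None) -> bytes:
    """Construct a broadcast frame for the demo (sample data, not a capture)."""
    hdr = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + b"constructed-payload"

# Assumed mapping on the upstream router: VLAN 20 carries the guest SSID.
VLAN_MAP = {20: "guest"}
MAIN_CLIENT = make_frame("02:00:00:00:00:01")
GUEST_UNTAGGED = make_frame("02:00:00:00:00:02")            # guest client, no tag
GUEST_TAGGED = make_frame("02:00:00:00:00:02", vlan_id=20)  # same client, tagged

if __name__ == "__main__":
    for name, frame in (("main client", MAIN_CLIENT),
                        ("guest, untagged", GUEST_UNTAGGED),
                        ("guest, VLAN 20", GUEST_TAGGED)):
        print(f"{name:16} -> {segment_for(frame, VLAN_MAP, native='main')}")
```
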

      • schumaku
        Guru

        Quazimodo wrote:

        Given that VLAN tagging is a 26 year old protocol (IEEE 802.1Q), and that it should be quite easy to implement the software given hardware that clearly supports it,  


         

        I would expect the primary WLAN SSID does run transparent untagged on the wired backhaul anyway - no hacks required - but I can be wrong of course.

         

        Quazimodo wrote:

        I'm left to wonder why they chose something that I feel is a lot more complicated. 


        Nothing to dispute with me, these Orbi are consumer systems as of writing.

         

         

        Have -no- experience on these recent Orbi and Orbi Pro (which rumors told me there won't be any WiFi 7 Orbi Pro coming soon). 

         

        This is why the VLAN config features of the Orbi Pro and the consumer Orbi we're facing here are not deployed as deep as we would expect. 

         

        Quazimodo wrote:

        Further, it seems this was supported in previous Orbis. This could not have come from the engineering department. 


        Don't know what Orbi models you have in mind. Best guess you compared to some Orbi Pro. 

         

        Quazimodo wrote:

        For now, I've temporarily removed the switch in between the Orbi and the satellites even though the manual clearly shows this is supported.  I am able to have the guest network working by using the 10Gbps LAN port and a 2.5Gbps LAN port to connect to the satellites. But this solution is one 10Gbps LAN port short of being acceptable. I bought this for 10Gbps support. 


         

        Therefore, I have never looked into the current Orbi WiFi 7 systems yet, not done any reverse engineering, too.

         

         

        Quazimodo wrote:

        Kurt: are you saying that there is a layer 3 hack that I can implement on a different switch that could make this work? Then I might get the Mikrotik CRS-304 to replace my layer 2 5-port switch. 


         

        Have -no- experience on these recent Orbi and Orbi Pro (which rumors told me there won't be any WiFi 7 Orbi Pro coming soon). 

         

        This is why the VLAN config features of the Orbi Pro and the consumer Orbi we're facing here are not deployed as deep as we would expect. 

         

        CrimpOn would be more your partner on that side here.

         

        When operating a more complex network with such a security appliance, multiple SSIDs and two or more VLANs, I would opt for one of the ubiquitous VLAN capable 10G/MultiGig switches, like the MS510TXUP, PoE++ capable, and some WBE75x APs. And for simplicity, I have opted for using Insight Managed switches and APs here in my new home along with a decent security appliance.

         

        So please keep me posted and in the loop.

         

        Regards,

        -Kurt.