NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

carterbrandon's avatar
carterbrandon
Guide
Sep 14, 2019
Solved

Guest network isolation with WAC104 access point

This is a question about the 'guest network' feature on my DGND3700v1 router (with richud firmware and Genie interface) when there is also a WAC04 access point on the network. The router supports 'Guest networks' with settings like 'disallow guest from my local network'. I like the idea of this, because I have several PCs on my home network using cable and non-guest wi-fi.  So I'm planning to have a 5GHz Guest network with just my wired/wireless printer on it, so visitors can only print and see the internet. Now, here's the thing:

I also want to connect (by cable) a Netgear WAC104 access point to the router, to extend wi-fi coverage to my attic office, plus have it provide a few wired connections for my PCs up there.

I plan to set the WAC104 up to broadcast the same SSID/password/encryption as my intended Guest network on the DGND3700 so that visitors only need one login throughout the house BUT looking at the setup screens in the WAC104 user guide online, it seems to have no concept of 'guest network' as such. Its wireless setup form lacks those 'disallow guest from my local network' type options.

So the question is, if a visitor connects as guest at the WAC104 (rather than at the DGND3700) would they therefore have a route to my PCs, or would they encounter the blocks imposed by the guest network settings on the DGND3700?

  • antinode's avatar
    antinode
    Sep 15, 2019

    > [...] looking at the setup screens in the WAC104 user guide online, it
    > seems to have no concept of 'guest network' as such. [...]

     

       I know nothing about the WAC104, but I'd expect that.

     

       The guest-network implementation on Netgear routers seems to be a set
    of firewall-like (router) rules which affect the "guest" wireless
    clients.  A wireless access point which is separate from the router has
    no way of employing any such router-based rules.

     

    > [...] if a visitor connects as guest at the WAC104 (rather than at the
    > DGND3700) [...]

     

       The whole guest-network concept is confined to the DGND3700 (router);
    there is no "as guest at the WAC104".

     

    > [...] would they therefore have a route to my PCs, or would they
    > encounter the blocks imposed by the guest network settings on the
    > DGND3700?


       When any device is connected to the WAC104, the DGND3700 will see it
    as a wired client device (hence not a "guest"); just another device on
    the (extended) LAN.

     

       There may be ways to employ multiple (consumer-grade) routers to
    provide a "guest" LAN subnet and a non-guest LAN subnet, with the
    desired type of isolation between them.  Or, a more sophisicated router
    with Virtual-LAN (VLAN) capability (about which I know nothing) could
    probably do the job.  But I don't see a way for a DGND3700 and a WAP to
    do it.

3 Replies

  • antinode's avatar
    antinode
    Guru
    Sep 15, 2019

    > [...] looking at the setup screens in the WAC104 user guide online, it
    > seems to have no concept of 'guest network' as such. [...]

     

       I know nothing about the WAC104, but I'd expect that.

     

       The guest-network implementation on Netgear routers seems to be a set
    of firewall-like (router) rules which affect the "guest" wireless
    clients.  A wireless access point which is separate from the router has
    no way of employing any such router-based rules.

     

    > [...] if a visitor connects as guest at the WAC104 (rather than at the
    > DGND3700) [...]

     

       The whole guest-network concept is confined to the DGND3700 (router);
    there is no "as guest at the WAC104".

     

    > [...] would they therefore have a route to my PCs, or would they
    > encounter the blocks imposed by the guest network settings on the
    > DGND3700?


       When any device is connected to the WAC104, the DGND3700 will see it
    as a wired client device (hence not a "guest"); just another device on
    the (extended) LAN.

     

       There may be ways to employ multiple (consumer-grade) routers to
    provide a "guest" LAN subnet and a non-guest LAN subnet, with the
    desired type of isolation between them.  Or, a more sophisicated router
    with Virtual-LAN (VLAN) capability (about which I know nothing) could
    probably do the job.  But I don't see a way for a DGND3700 and a WAP to
    do it.

    • carterbrandon's avatar
      carterbrandon
      Guide
      Sep 15, 2019

      That doesn't yound hopeful. Although where you say 'no concept of guest at the WAC104, I suppose rather than 'connect as guest', perhaps I should have said for clarity 'connect to the wi-fi network at the WAC104 which is defined as guest at the DGND3700', but it looks like it makes no difference.

      Perhaps I'll take up my ISPs offer of a free router and move my DGND3700 upstairs....

      • antinode's avatar
        antinode
        Guru
        Sep 15, 2019

        > [...] perhaps I should have said for clarity 'connect to the wi-fi
        > network at the WAC104 which is defined as guest at the DGND3700', [...]

         

           How, exactly, is "the wi-fi network at the WAC104" "defined as guest
        at the DGND3700"?  Guest-ness is a property of a device which is

        wirelessly connected to the router which established the "guest
        network".  Nothing to do with the WAC104.

         

        > When any device is connected to the WAC104, the DGND3700 will see it
        > as a wired client device (hence not a "guest"); just another device on
        > the (extended) LAN.

         

           Still true.

         

        > Perhaps I'll take up my ISPs offer of a free router and move my
        > DGND3700 upstairs....

         

           The price seems right for some experimentation.