R7450 AP Mode Stop Guest access LAN

It is not clear (to me) that this is possible.

When in AP mode, the R7450 has no role in assigning IP addresses to client devices.  That happens on the primary router.  Devices connect to the R7450, either to one of the Ethernet ports or via WiFi, and the DHCP request that they broadcast is relayed to the primary router.  The primary router goes through its regular process and responds with a DHCP offer, either from the LAN Setup table (IP assignment) or from the DHCP "pool".  The primary router has no information about how the device connected.

It might be useful to look in the primary router Attached Devices display and see how devices connected to the AP are reported.  Do they show as 'wired' or 'WiFi'?

This is one of the factors that led to the creation of mesh WiFi systems.  (such as Google, eero, Asus, Linksys, TP-Link Deco, and Netgear Orbi & Nighthawk mesh)  The other factor is that devices connected to an Access Point or WiFi Extender often do not roam seamlessly between that system and the primary WiFi system.

You can't due to the AP being on same subnet as the host router. 

tkvoice wrote:

My question is how do I stop guest devices on the AP router from getting to my LAN? How do I lock a guest down to internet only?

Well, it is possible (despite the earlier comments from CrimpOn​  and FURRYe38​ ), but it does require a different setup.  Basically you don't run the R7450 in AP mode.  Instead set up both routers as routers.

                                                                        WiFi

internet --->--- R7450 Router ----->----- guest wifi

                                         |  

                                         |    R7450 LAN port

                                         |

                                         +-------------------> -------------------R6350 Router --->--- LAN and Home Wifi

                                                                                              R6350 WAN port

You would be running double-NAT on your main home network.  That would require some care in setting up port forwarding if you use that.  You wouldn't be able to use upnp on the R6350 either. 

But it would make it impossible for anyone connecting to the R7450 wifi to reach anything on the R6350 network.  Folks on the guest network could reach the R7450 web admin page, so you would need a strong password for that.  (Note you could reach the R7450's web admin page from your home network).

Beg to disagree.  This configuration will prevent devices on the R7450 Guest WiFi from communicating with devices on the R7450 primary network.

However, it will not prevent devices on the R7450 Guest WiFi from communicating with devices on the R6350 primary network.

Suppose the R6350 LAN is subnet 192.168.1.x (the default) and assigns 192.168.1.n to the WAN port on the R7450.

The R7450 LAN must be different.  The typical default for Netgear routers is 10.0.0.x.

Suppose a device on the R7450 Guest WiFi attempts to 'ping' any IP in 192.168.1.x.  The R7450 will say, "not on my LAN. Send this out the WAN port."

The WAN port will say, "hmmm. That's on the same LAN subnet as I am. Use ARP to find the MAC address and send it there."

This will solve half the problem.

I have an RBR750 in router mode connected to the primary RBR50.  The LAN is 192.168.1.x

The RBR750 LAN is 10.0.0.x and the RBR750 Guest WiFi LAN is 192.168.2.x

Devices on both the RBR750 primary LAN and on the RBR750 Guest WiFi LAN can ping devices on the RBR50 primary LAN.

Enjoyed the experiment.

This configuration can be set to keep any device on the R7450 LAN (primary or guest) from communicating with devices on the R6350 Guest WiFi LAN, but the objective is to keep them from communicating with the primary LAN.

Only a mesh WiFi system will do this.

Thanks for everyone's replies. I

It is really too bad Netgear did not put more effort into programming more features into the device when in AP mode.

Locking down the Guest network to Internet Only is of great importance to me. There are so many IP enabled devices running in my house (Alexa, thermostats, Roku, garage doors, smart watches, washer/dryer, etc.) I don't trust them on the same network with my laptop that has important data. All of those smart gadgets are a Cyber attack waiting to happen.

One day I might upgrade to mesh but for now I am going to just run multiple devices in router mode.

Thanks

All my IOT devices are on my Guest network with no ability to talk to each other or my home LAN. I have not found 1 IOT device that could not function this way. I have smart switches (controlling outlets and lights), Honeywell Thermostat, Alexa Echo, Samsung washer/dryer, Chamberlain Garage door openers, Roku, etc.

All of the devices only need the internet. The IOT App on your smartphone then connects to some database on the internet/cloud to control these devices. That's why when the internet goes down you can't control these IOT devices even though your home LAN is still powered up and working fine.

There are some technologies (like Home Assistant) that starting to make use of the new IOT standard (MATTER) that does all the control locally but most IOT users dont have this

This would be an interesting experiment to conduct.  i.e. Deliberately disconnect the WiFi system from the internet and connect the smartphone to the WiFi LAN.  Then go through smartphone apps and see how many function correctly with only local access.  Obviously, this experiment can be conducted only if IoT devices are on the primary or IoT network (because the Guest WiFi on newer systems cannot communicate with devices on the primary/IoT networks).

When I have the house to myself (and remember) this might be a fun activity.