
SSL-Dnk
Follower
Oct 11, 2023
Status:
New Idea

Segregate IoT network from main network

Orbi offers to create a new IoT SSID Wi-Fi network.
However, this is connected to the core network and the main SSID.

As IoT devices are often NOT maintained by vendors (their firmware is only rarely upgraded, and they often ship without built-in security), security best practice is to segregate the IoT network from the main network, just like with the Guest network.


Suggestion / request:
Please add an option in the Orbi firmware (and/or parental controls) to completely segregate the IoT SSID Wi-Fi network from the main network.

8 Comments

  • FURRYe38
    Guru - Experienced User

    "It needs to be on the main subnet as the LAN so that devices can communicate with each other. For example, let's say your smart wall adapter connects to IoT and your Google Home connects to the main network; Google Home will be able to see your smart wall adapter. It is mainly for IoT clients."

  • I am fully aware of the "convenience" factor of having the IoT devices and the main network able to communicate.

    However, best (security) practice is to have all IoT devices, including e.g. Google Nest hubs, on a network segregated from the main network where you have e.g. laptops and other private and work devices.

    I had the impression that the IoT network was segregated. However, as I could not find any documentation on the configuration, I asked the support staff. They suggested raising this as a proposal for a change request in this community thread.

    The biggest DDoS and ransomware attacks are utilizing IoT devices to get a foothold on networks, as IoT devices are very rarely designed with security in mind.

    Thus, I strongly recommend adding this option to enable segregation between the networks (i.e. enable VLANs) in the Orbi router's firmware.

  • Abstracts and sources:

    Weaponization of IoT devices:

    "If a device is connected to the internet—a camera, video recorder, computer, mobile device, router or household appliance—it is subject to attack."

    https://www.ibm.com/downloads/cas/6MLEALKV

    DDoS 2.0: IoT Sparks New DDoS Alert:

    "IoT-driven DDoS attacks increased by 300% in the first half of 2023 alone,..."

    https://thehackernews.com/2023/09/ddos-20-iot-sparks-new-ddos-alert.html?m=1

  • schumaku
    Guru - Experienced User

    Just my wild guess (and small hope) that the three "networks" of the WiFi 7 Orbi systems are L2 isolated only, right on the router and all satellites, probably spanning the wireless backhaul - and the fun is over the moment a wired backhaul is in place. This is where commodity will have its end - until Netgear introduces an Orbi Pro WiFi 7 system supporting VLANs (similar to the Orbi Pro WiFi 6 systems). Full L2 isolation on the wired network would require custom-designed switches. Time will show...

  • FURRYe38
    Guru - Experienced User

    The only VLANs that NG supports are on their Orbi Pro series.

  • On the Orbi AXE11000 and AXE10000, why can't they at least isolate the IoT SSID like they do with the guest network? A device on the guest network can't see the other devices on the network or access the admin portal. I can access my router admin portal on the IoT SSID. I know the best option would be VLANs, but Netgear doesn't want to do it. The hardware has plenty of processing power. With the lower Wi-Fi security options on the IoT SSID but full access to the whole network and admin portal, WPA3 is only as good as the lowest security allowed on the IoT SSID. Not a lot of features offered for a $1300 router.

    Feature request

    Isolate the IoT SSID with a VLAN, or at least restrict it like the guest network.

    Disable the admin portal on the IoT SSID.

    Put IoT devices on a separate subnet like 192.168.2.1.
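The three points of that feature request (IoT on its own subnet, no lateral path from IoT to the main LAN, no admin portal from the IoT SSID, while phones on the main LAN can still reach IoT devices) written out as a firewall policy. This is an added example for a Linux-based router running nftables, not Netgear code and not something the Orbi firmware exposes; the interface names br-lan, br-iot and wan0 and the subnets 192.168.1.0/24 (main) and 192.168.2.0/24 (IoT) are assumptions chosen to match the 192.168.2.x suggestion above.

```nft
#!/usr/sbin/nft -f
# Added example: IoT segregation policy for a Linux router (not Orbi firmware).
# Assumed (hypothetical) interfaces: br-lan = main LAN bridge, br-iot = bridge
# carrying the IoT SSID on its own VLAN, wan0 = upstream. Assumed subnets:
# 192.168.1.0/24 (main) and 192.168.2.0/24 (IoT).
define LAN_IF = "br-lan"
define IOT_IF = "br-iot"
define WAN_IF = "wan0"

table inet iot_segregation {
    # Traffic addressed to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Main LAN may manage the router (admin portal, SSH, DNS, DHCP).
        iifname $LAN_IF accept

        # IoT clients get only what they need from the router: DHCP, DNS, ICMP.
        # TCP 80/443 (admin portal) is deliberately absent, so it falls through to drop.
        iifname $IOT_IF udp dport { 53, 67 } accept
        iifname $IOT_IF tcp dport 53 accept
        iifname $IOT_IF icmp type echo-request accept
        iifname $IOT_IF icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-solicit } accept

        # Anything else from the IoT side that targets the router is logged and dropped.
        iifname $IOT_IF log prefix "iot-to-router-drop " drop
    }

    # Traffic routed between networks.
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections initiated from the main LAN (phone -> smart plug) pass here.
        ct state established,related accept
        ct state invalid drop

        # Main LAN may initiate toward IoT devices and toward the internet.
        iifname $LAN_IF oifname { $IOT_IF, $WAN_IF } accept

        # IoT devices may reach the internet, but may never initiate toward the main LAN.
        iifname $IOT_IF oifname $WAN_IF accept
        iifname $IOT_IF oifname $LAN_IF log prefix "iot-lateral-drop " drop
    }
}
```

Two caveats a practitioner would check. First, this is a layer-3 policy: it only works if the IoT SSID really lands on its own bridge/VLAN on the router and every satellite, including over the backhaul, which is the layer-2 question schumaku raises above. Second, the "convenience" FURRYe38 describes (a phone on the main network discovering a plug on the IoT network) relies on mDNS, which does not cross subnets on its own; with this policy you would pair it with an mDNS reflector on the router, and the LAN-initiated rule in the forward chain is what lets the phone then connect to the device once discovered.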

  • FURRYe38
    Guru - Experienced User

    NG designed the IoT network to be on the same network as the main Wi-Fi so all mobile devices could access the devices on the IoT network, since most phones and pads are mostly connected to the main network. That's how NG designed it. At least users can get their IoT devices connected now, unlike the Orbi AC series.

  • Well, insecure by design needs to change culture-wise. The fact is these cheap Wi-Fi IoT devices, although useful, cannot be trusted. It's called zero trust security. I wish to try to layer my defensive barriers. With NG there is no barrier, just a false advertisement of security at a premium price tag. Limiting lateral movement on a network is another layer or barrier to help secure the data on your computers, which also have multiple layers of security like firewalls and antivirus software. There is no one-stop fix-all. You are only as strong as your weakest link, and when your weakest link is a Wi-Fi smart device with critical vulnerabilities and exposures because they haven't thought about it or updated their device in years, we will be left in the dust when a criminal causes mayhem. NG should have the option available for users to opt in to a more security-minded infrastructure, at the user's own risk of losing convenience or function.