× NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Reply

Re: Guest network can't access internet when client isolation is enabled

Guest network can't access internet when client isolation is enabled

Hi,

 

I got an AX1800 wireless AP. I'm trying to set up a guest network and personal network. I configured each of them to have a separate SSID and separate VLAN. My problem is that when I "enable wireless client isolation" I can't access anything, even the internet. When I disable that setting everything works fine.

 

Does anyone have any advice on what I can look into? Is the AP unable to access the gateway?

Message 1 of 14

Accepted Solutions
RaghuHR
NETGEAR Expert

Re: Guest network can't access internet when client isolation is enabled

Hi @aefsdfsafwefaf 

 

We have made some improvements to address your issue mentioned here. Current ETA to release the firmware is in mid of March. 

Kindly wait till that time and provide your feeback.

 

Thanks,

Raghu

View solution in original post

Message 7 of 14

All Replies
RaghuHR
NETGEAR Expert

Re: Guest network can't access internet when client isolation is enabled

Hi @aefsdfsafwefaf 

 

Could you please send your network diagram with VLAN info and diagnostic logs? Please PM me.

 

Thanks,

Raghu

Message 2 of 14

Re: Guest network can't access internet when client isolation is enabled

I was able to fix the problem.

 

It seems that you MUST have the DHCP client setting enabled in order for the "wireless client isolation" feature to work. Is this how it is intended or is this a bug?

 

I hope that it is a bug, becaues I don't want the AP management interface IP to be assigned by a DHCP server. The other weird thing is that when my computer was connected to the guest network, it was still properly being assigned a gateway, DNS, and IP address, even with the DHCP client disabled on the AP.

 

Thanks for any information you can provide.

 

Message 3 of 14
schumaku
Guru

Re: Guest network can't access internet when client isolation is enabled

AX1800 is some fancy marketing speed class definition - not a model. Are you talking of a WAX214 or a WAX610 or another WiFi 6 device with an access point feature ... and what firmware version are we facing here?

 


@aefsdfsafwefaf wrote:

It seems that you MUST have the DHCP client setting enabled in order for the "wireless client isolation" feature to work. Is this how it is intended or is this a bug? .. I hope that it is a bug, becaues I don't want the AP management interface IP to be assigned by a DHCP server.


This is at least very strange. It should not matter on how the device management interface is configured (IP, subnet mask, GW, DNS) for the wireless client isolation.

 

It's never a bad policy to have MAC IP pair reserved on the DHCP server, even if using static configs.

 


@aefsdfsafwefaf wrote:

The other weird thing is that when my computer was connected to the guest network, it was still properly being assigned a gateway, DNS, and IP address, even with the DHCP client disabled on the AP.


Assuming we talk of the WAX2xx/WAX6xx here: None of these devices does offer a DHCP service. The DHCP client is just to get the management interface config in place. Any DHCP service does come from the network, where what would be used as a guest network must be on a dedicated VLAN, with the appropriate router handling the routing, NAT, DHCP, ... There is no "magic" guest network thing, these are not consumer mesh type guest network devices.

Message 4 of 14

Re: Guest network can't access internet when client isolation is enabled

Hi,

 

Sorry for the delay. The router is in fact the WAX610. It's running firmware version 9.2.07.

 

I agree that it is strange that the client interface was affecting the isolation feature on the guest network was werid, and that is why I was suggesting it is a bug.

 

I also understand that the DHCP server is provided by my firewall/gateway device. The reason I mentioned that my guest clients were still getting an IP address was because that presumably meant that some communication with the firewall/gateway was still taking place.

 

I also understand that there is no magic for the guest network. It is just and SSID with network client isolation enabled and put on the VLAN I configured for guests. With regards to this not being a consumer device—that is why I purchased it. However, I am wondering if it really is a business class device, because the solution I found (disabling the static clinet IP address for the AP configuration interface) was also described as a bug for a consumer level device. So I am suspect if the "business class" devices are just running consumer software under the hood.

Message 5 of 14
schumaku
Guru

Re: Guest network can't access internet when client isolation is enabled


@aefsdfsafwefaf wrote:

The router is in fact the WAX610. It's running firmware version 9.2.07.


The WAX610 isn't a router, just a wireless access point. But I also understand you have a VLAN capable router and two VLANs configured based on your initial post.

 


@aefsdfsafwefaf wrote:

It seems that you MUST have the DHCP client setting enabled in order for the "wireless client isolation" feature to work. Is this how it is intended or is this a bug?


Now I see the full scope, it's clearly a bug.

 


@aefsdfsafwefaf wrote:

It is just and SSID with network client isolation enabled and put on the VLAN I configured for guests. With regards to this not being a consumer device—that is why I purchased it. However, I am wondering if it really is a business class device, because the solution I found (disabling the static clinet IP address for the AP configuration interface) was also described as a bug for a consumer level device. So I am suspect if the "business class" devices are just running consumer software under the hood.


Whatever ... there is a lot of low level code in use, some coming from the radio chipset makers, the base platform is industry standard, and with the WiFI 6 Mesh systems optionally supporting VLAN and multiple SSIDs it's well possible the same bug might be in place. There is a reason why a WAX610 can be priced around USD 160 ex VAT while other vendors put up business AP in the 400..600 USD or even more for cloud managed units, requiring on top annual software support and cloud management fees of 10..15% p.a., ... despite of using similar chipsets, platforms.

At the end of the day, we pay for the functionality, support, warranty, cloud services.

I know some people complain the WAC5xx and WAX6xx lack of features like a shell access, SNMPv3, ... just because they used to it from whatever overpriced enterprise class vendor. Netgear does promote these APs as Insight Managed WiFi 6 Wireless Access Points for SOHO, small and medium businesses. Price, performance, quality is perfectly right. Especially if deploying multiple units, where distances requiring distributed PoE+ switches, under Netgear's Insight Cloud management.

Message 6 of 14
RaghuHR
NETGEAR Expert

Re: Guest network can't access internet when client isolation is enabled

Hi @aefsdfsafwefaf 

 

We have made some improvements to address your issue mentioned here. Current ETA to release the firmware is in mid of March. 

Kindly wait till that time and provide your feeback.

 

Thanks,

Raghu

Message 7 of 14

Re: Guest network can't access internet when client isolation is enabled

I apologise that I came off so critical, I got overly defensive to another comment. Of course the devices can share some, or a lot of code and that makes sense. The AP certainly gets updates much more regularly than my old consumer-grade AP. It also has a lot more features and better support.

 

Message 8 of 14

Re: Guest network can't access internet when client isolation is enabled

Thanks for the update and responsiveness 👍

Message 9 of 14
Doug_Ho
Apprentice

Re: Guest network can't access internet when client isolation is enabled

Sorry to cut into an existing thread, but I installed the mid-March firmware on my AP such as WAC564 in non-Insight mode which had an SSID -Guest with Client Isolation, guest did not have any problems before the firmware update.  No changes from default VLAN so I'd guess you'd call that Management.  After the firmware update the client gets DHCP address but internet access such as tracert 8.8.8.8 fails.

 

Since it seems like it might be related to this, any chance you can explain your "improvements" - maybe there is some setting I need to go in and change, or maybe there is an issue which requires me to try something like toggling the Client Isolation off and then back on again?  This was an item in the release notes (I am not doing URL Filtering and I think my using defaults means there is no non-management VLAN): Fixes the issue where clients cannot connect to the Internet if they are connected to the SSID with both Client Isolation and URL Filtering enabled on a non-management VLAN.

 

This is at my church, where I have updated four of the APs on the same LAN but left one on the previous firmware because it is WAC505 in router mode and I could not interrupt it in active use.  I'm going back tonight to update that one, and will try to reply to this post if the guests are suddenly able to access internet again.

Message 10 of 14
DougHog
Aspirant

Re: Guest network can't access internet when client isolation is enabled

I updated remaining AP, actually WAC510 (not 505) in router mode. -guest still failed to get internet. All default vlan 1 like I said. So I went into web GUI and under the -guest isolation checkbox I disabled the access to the AP GUI and Applied. That made -Guest get internet again! No idea whether it was just needing to apply any change to those settings, but it was easy for me to click that box about access to the AP GUI (rather than trying something else such as toggling isolation off and back on again).
Message 11 of 14
Doug_Ho
Apprentice

Re: Guest network can't access internet when client isolation is enabled

Here a recap of the new bug for any Netgear firmware engineer out there, and another data point.

 

Models which got the mid-March firmware update such as WAC564 (presumably also WAC505 and WAC510 etc) had been running fine in standalone mode with a standard SSID such as Zero Day setup and a second -Guest SSID with defaults except Wireless Client Isolation enabled (no URL filtering or non-default VLANs or anything fancy like that).  After firmware update, clients on that -Guest SSID could not access internet anymore.

 

New data point is that going into the web GUI for that 564 AP and simply toggleing the Wireless Client Isolation off (then Apply) then On again (then Apply) seemed to fix the problem.  It was not necessary to change anything with the allow access to AP GUI checkbox that I mentioned (that was just an easy/convenient change for me to be allowed to "Apply" which is what seems to be the bug workaround).

 

I'm glad there is this workaround, but hopefully there can be a firmware fix and/or let the support group know, since I would think this could be common situation.

Message 12 of 14
schumaku
Guru

Re: Guest network can't access internet when client isolation is enabled

Doug,

Tell us a little bit more about the LAN IP config of the WACs (DHCP or static?) as it appears the point they enhanced was related to the static IP case. Also tell us more bout the guest network - what security mode is in place there?

 

There is a cryptic known issue in the WAC540 / WAC564 Firmware Version 9.3.0.5 stating "WAC564 static radio configurations are not persistent across reboot. Workaround: Reconfigure the static radio configurations." I'm little bit lost of what they understand under the term "static radio config" here.

 

No issues with the guest networks and client isolation (some with WPA2 Personal, some open with OWE, or OWE and OWE transition mode (using the simple captive portal) on 505/510/540/610... all under Insight management. Still the best investment ever in my opinion.

 

Regards

-Kurt

Message 13 of 14
Doug_Ho
Apprentice

Re: Guest network can't access internet when client isolation is enabled

Sorry there is one thing I guess isn't answered to your question by me saying "defaults" like I did (so DHCP since that is a default).  That is the SSID I added for -Guest has a WPA2 password (ten numeric digits in my case).  Not Open, not Portal, etc.  Thanks for the mention of cryptic known issue, my three tests were all in locations where WAC564 may have been strongest AP (instead of two WAC505 and one WAC510 that I also have).  It is indeed cryptic enough to potentially match my situation - no static IP addresses but static in the sense that I do standalone config using GUI and then don't make further changes until the router reaches end-of-life (which used to mean thunderstorm lightning zap but I'm hopeing I solved that by replacing lots of copper runs with fiber runs).  Personally I would think "static radio config" might instead mean something like choosing a specific radio channel instead of "auto" (and mine are "auto").

 

Sorry but Insight just doesn't fit with my model at church.  The exception was when I tried using a recently purchased BR200 router at home, Insight worked well for that until a couple days ago when it said that it will end after a 30-day trial.  I took that as an excuse to further test/"prove" that my BR200 was causing delays in my clients DNS requests (when the DHCP assigned 192.168.1.1 forward/relay was adding around 70ms), and I wasn't willing to go to each of 50 clients to set their DNS manually to some different address.  Switching to an Edgerouter solved my DNS slowdown.

Message 14 of 14
Top Contributors
Discussion stats
  • 13 replies
  • 7035 views
  • 5 kudos
  • 5 in conversation
Announcements