
WAX220 Guest Network - Unsecured

Retired_Member
Not applicable

WAX220 Guest Network - Unsecured

Do not buy this Access Point and expect a secure Guest Network.  The original firmware had an option for L2 Isolation, but updating removes this option and reverting does not restore it.  The Guest Network is broken, since it allows access to any device connected to the internal network via Ethernet with no way of isolating.

 

It is a bad joke that even the WAX214 has better security and allows for L2 Isolation on both guest and regular SSID's.

In 2023, implementing a proper Guest Network is something that is apparently too complex for the firmware developers here.  They'll push for selling more cloud subscription crap, but they can't even get something like this done correctly.  No idea how anybody could justify paying a monthly fee and expect things to be properly secured after seeing this.

 

Also, the timezone seems to keep defaulting itself to Pacific Standard Time.  Did QA even test this model?

Message 1 of 15


All Replies
Retired_Member
Not applicable

Re: WAX220 Guest Network - Unsecured

Bonus round:

 

Why does the WAX220 also set up the DHCP Snooping alarms on a switch when trying to connect a device to a NON-Guest SSID, but the WAX214 does not?

 

Perhaps this AP's firmware was poorly put together?

Message 2 of 15
Retired_Member
Not applicable

Re: WAX220 Guest Network - Unsecured

To clarify the Time Zone bug, it only happens if you check the Day Light Savings time box, and change the Time Zone from the DEFAULT one.  Unchecking DST, then changing the Time Zone, then rechecking DST, will save it.

Message 3 of 15
schumaku
Guru

Re: WAX220 Guest Network - Unsecured


@Retired_Member wrote:

Do not buy this Access Point and expect a secure Guest Network. 


I was almost set confirming your (hard to believe) information, as I like to take challenges. Indeed, for a moment it appeared to me the web UI controls for  Ordered factory new WAX220 and WAX214v2 and took the plunge.  

 


@Retired_Member wrote:

The original firmware had an option for L2 Isolation, but updating removes this option and reverting does not restore it.  The Guest Network is broken, since it allows access to any device connected to the internal network via Ethernet with no way of isolating.


This all tastes to me like an odd problem 

 


@Retired_Member wrote:

It is a bad joke that even the WAX214 has better security and allows for L2 Isolation on both guest and regular SSID's.


As I believe in good stories, and don't like bad jokes except from those I'm coding myself, please allow me to post some screenshots taken these minutes.

 

WAX220, v1.0.3.0

WAX220 Client Isolation v1.0.3.0.PNG

WAX214v2, v1.0.2.2

WAX214v2 Client Isolation v1.0.2.2.PNG

 

In no way, I don't want to insist there is no issue or problem. Can't get it out of my head, believe having seen the very same Web UI (e.g. on current Chrome or Edge) with the two lines missing or hidden. Afraid, have not spotted any obvious cause.

 

For my part, I don't like the (i) text ... it's not clear enough to me at least. That's why I included it on the screenshot above.

 

 

Message 4 of 15
schumaku
Guru

Re: WAX220 Guest Network - Unsecured


@Retired_Member wrote:

Why does the WAX220 also set up the DHCP Snooping alarms on a switch when trying to connect a device to a NON-Guest SSID, but the WAX214 does not?


The WAX220 has no idea what your switch DHCP Snooping is or does, regardless if it's a non-guest SSID (so the DHCP handshake from the wireless client is hand-over) or a Guest-SSID which does represent a designated private IP subnet dedicated to the AP.

 

Much more informative (for the future readers) would be what your unknown switch does report or complain on the DHCP snooping processing.

 

Have an eye in the DHCP RFCs for example. These APs, or in general any AP, don't do anything like you describe.

 

 


@Retired_Member wrote:

Perhaps this AP's firmware was poorly put together?


May I ask to adjust your transmitter frequency or the modulation a little bit, please? The reception is poor.

 

Message 5 of 15
schumaku
Guru

Re: WAX220 Guest Network - Unsecured


@Retired_Member wrote:

To clarify the Time Zone bug, it only happens if you check the Day Light Savings time box, and change the Time Zone from the DEFAULT one.  Unchecking DST, then changing the Time Zone, then rechecking DST, will save it.


Thank you, nice find. Should be easy to fix for Netgear. 

Message 6 of 15
Retired_Member
Not applicable

Re: WAX220 Guest Network - Unsecured


@schumaku wrote:

@Retired_Member wrote:

Do not buy this Access Point and expect a secure Guest Network. 


I was almost set confirming your (hard to believe) information, as I like to take challenges. Indeed, for a moment it appeared to me the web UI controls for  Ordered factory new WAX220 and WAX214v2 and took the plunge.  



Thank you, that confirms my suspicions of the WAX214v2's firmware, but I should have said I tried out the WAX214v1, which has noticeably different firmware.  The L2 Isolation is present there and the Guest Network does not allow clients to access the LAN.

Message 7 of 15
Retired_Member
Not applicable

Re: WAX220 Guest Network - Unsecured


@schumaku wrote:

@Retired_Member wrote:

Why does the WAX220 also set up the DHCP Snooping alarms on a switch when trying to connect a device to a NON-Guest SSID, but the WAX214 does not?


The WAX220 has no idea what your switch DHCP Snooping is or does, regardless if it's a non-guest SSID (so the DHCP handshake from the wireless client is hand-over) or a Guest-SSID which does represent a designated private IP subnet dedicated to the AP.

 

Much more informative (for the future readers) would be what your unknown switch does report or complain on the DHCP snooping processing.

 

Have an eye in the DHCP RFCs for example. These APs, or in general any AP, don't do anything like you describe.

 

I mean to say set OFF the DHCP Snooping on my switch, causing it to block clients from accessing the internet.  I tried the exact same configuration with the WAX214v1, and I did not have to disable DHCP Snooping to get the AP to work like the WAX220 needs.

As for the switch I used, it is a GS308T.

Message 8 of 15
Retired_Member
Not applicable

Re: WAX220 Guest Network - Unsecured


@schumaku wrote:

@Retired_Member wrote:

To clarify the Time Zone bug, it only happens if you check the Day Light Savings time box, and change the Time Zone from the DEFAULT one.  Unchecking DST, then changing the Time Zone, then rechecking DST, will save it.


Thank you, nice find. Should be easy to fix for Netgear. 


After being logged out of the WAX220 for a little while, or possibly changing some settings on another page, the Time Zone will still unfortunately revert back to its default setting.  The bug grows.

Message 9 of 15
schumaku
Guru

Re: WAX220 Guest Network - Unsecured


@Retired_Member wrote:

After being logged out of the WAX220 for a little while, or possibly changing some settings on another page, the Time Zone will still unfortunately revert back to its default setting.  The bug grows.


Interesting. All related to the default time zone, and which one does apply to your installation?

 

Operating a bunch of WAX214, WAX218 as well as the newer WAX220 v1.0.3.0 and WAX214v2 v1.0.2.2 (two factory new units added these days to complement the Beta sample) on the UTC+01.00 time zone with the ubiquitous DST enabled. All trouble free since installing resp. updating a few days ago.

 

 

 

 

Message 10 of 15
Retired_Member
Not applicable

Re: WAX220 Guest Network - Unsecured


@schumaku wrote:

@Retired_Member wrote:

After being logged out of the WAX220 for a little while, or possibly changing some settings on another page, the Time Zone will still unfortunately revert back to its default setting.  The bug grows.


Interesting. All related to the default time zone, and which one does apply to your installation?

 

Operating a bunch of WAX214, WAX218 as well as the newer WAX220 v1.0.3.0 and WAX214v2 v1.0.2.2 (two factory new units added these days to complement the Beta sample) on the UTC+01.00 time zone with the ubiquitous DST enabled. All trouble free since installing resp. updating a few days ago.

 

 

 

 


That's not correct.

 

I just tested ANOTHER WAX220, more thoroughly, both with stock and then with current firmware.

Firmware v1.0.1.2 (stock) = L2 Isolation option is PRESENT, but it does not actually work.  I am still able to access my router's login page even when connecting to the guest network and enabling the isolation.

Firmware v1.0.3.0 (current) = L2 Isolation option is MISSING.  Clients on guest networks are still able to access the router's login page.

The time zone will still default to PST after some random time and/or actions settings have been configured on the AP.

 

Don't believe something simple like typing in 192.168.1.1 and watching your web browser ask you for your login information?  Then go for the overkill and Wireshark it like I did.  I see why they removed the poor attempt at L2 Isolation.  It's been broken from release.  Who knows what else is not working as intended...

Message 11 of 15
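
Added example (not part of any post in this thread, and not NETGEAR code): a check an administrator can run from a client joined to the guest SSID to confirm whether LAN services, such as the router login page at 192.168.1.1 mentioned above, answer. The guest client address and the second wired host are constructed values; the `path` field distinguishes a target in the client's own subnet (L2) from one reached through routing (L3).

```python
import socket
from ipaddress import ip_address, ip_interface

def tcp_reachable(host, port, timeout=1.0):
    """True if a TCP handshake with host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False

def path_type(client_iface, target):
    """'L2' if target shares the client's subnet, else 'L3' (routed by the AP)."""
    return "L2" if ip_address(target) in ip_interface(client_iface).network else "L3"

def audit_guest_isolation(client_iface, lan_targets, ports=(80, 443), timeout=1.0):
    """Probe LAN hosts from a guest client; return one finding per open port."""
    findings = []
    for host in lan_targets:
        for port in ports:
            if tcp_reachable(host, port, timeout):
                findings.append({"host": host, "port": port,
                                 "path": path_type(client_iface, host)})
    return findings

def verdict(findings):
    """Any answer from a LAN host means the guest SSID is not isolated."""
    if not findings:
        return "PASS: no LAN service answered from the guest network"
    hit = ", ".join(f"{f['host']}:{f['port']} ({f['path']})" for f in findings)
    return f"FAIL: guest client reached {hit}"

if __name__ == "__main__":
    # Constructed values: the guest client address and a second wired host.
    # 192.168.1.1 is the router address mentioned in the thread.
    result = audit_guest_isolation("192.168.200.23/24",
                                   ["192.168.1.1", "192.168.1.10"])
    print(verdict(result))
```

A PASS only covers the hosts and ports probed; repeat the run after every firmware change, since the thread reports different behaviour between v1.0.1.2 and v1.0.3.0.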
schumaku
Guru

Re: WAX220 Guest Network - Unsecured


@Retired_Member wrote:

Don't believe something simple like typing in 192.168.1.1 and watching your web browser ask you for your login information?  Then go for the overkill and Wireshark it like I did.  I see why they removed the poor attempt at L2 Isolation.  It's been broken from release.  Who knows what else is not working as intended...


You talk to the wrong person on the wrong channel, please avoid insulting innocent community members please. To repeat: I'm just yet another Netgear customer who is happy to help. It's luckily not my job here figuring out what random time settings you played on to break the PST time. I'm located in Switzerland, all the local time zone GMT+0100 and DST works for me as expected.

 

Putting the PST time zone and DST aside: If you can't see the Client Isolation controls (for whatever reason, I had the feeling these were hidden due to some browser caching oddity here, too), it might be difficult to state, these don't work. I can't care less about the factory firmware which had to be released for production at a certain point for starting the serial production. Whatever broke back then. I have no access to the formal or internal released code. For me, at the end of the beta process, the control was visible and workable. 

 

Sorry for making you unhappy. I'm done on what I can do here. Talk to Netgear support with your findings please. For a reason Netgear does provide free support for the initial time after the initial installation.

 

WAX220-wifi-iso.PNG, WAX214v2-wifi-iso.PNG

Message 12 of 15
schumaku
Guru

Re: WAX220 Guest Network - Unsecured


@Retired_Member wrote:

Who knows what else is not working as intended...


Whatever impression you want to bring up with such shabby comments and poorly formulated subject lines. Just poor sportsmanship or bad intentions?

 

Unexperienced users (some >99% of the readers in such a user community) tend to understand "WAX220 Guest Network - Unsecured" very differently. Wouldn't "WAX220 Can't enable Client Isolation to Block LAN Subnet Access" describe the effective information much better? Just my 2 Cents.

 

Reminder: We talk about essential wireless AP products WAX214v2 (street price less than 88 USD ex VAT!) for a WiFi 6 AX1800 Dual-band PoE Wireless Access Point, and WAX220 (street price less than 129 USD ex VAT) for an AX4200 Dual Band AP with a 2.5 GbE network connection.

 

 

Message 13 of 15
Retired_Member
Not applicable

Re: WAX220 Guest Network - Unsecured


@schumaku wrote:

@Retired_Member wrote:

Who knows what else is not working as intended...


Whatever impression you want to bring up with such shabby comments and poorly formulated subject lines. Just poor sportsmanship or bad intentions?

 

Unexperienced users (some >99% of the readers in such a user community) tend to understand "WAX220 Guest Network - Unsecured" very differently. Wouldn't "WAX220 Can't enable Client Isolation to Block LAN Subnet Access" describe the effective information much better? Just my 2 Cents.

 

Reminder: We talk about essential wireless AP products WAX214v2 (street price less than 88 USD ex VAT!) for a WiFi 6 AX1800 Dual-band PoE Wireless Access Point, and WAX220 (street price less than 129 USD ex VAT) for an AX4200 Dual Band AP with a 2.5 GbE network connection.

 

 


You really love those partial sentences, don't you?  I didn't know this was a competition, Mr. Good-sport.

Unexperienced users absolutely need to be made aware of a product that has flaws.  Quit defending a company you say you claim to not be affiliated with.  You're playing a semantics game because you have a must-be-correct complex at this point.

 

You still haven't tested the WAX220 as thoroughly as I have, and you just glazed over some basic stuff, like an NPC help desk rep.

 

Here's a real reminder: I just picked up a different brand, and return all the Netgear products I bought.  The competitor was even priced almost identically for each product (switch and access point), and they offer A LOT more control, along with functionality that isn't broken.

 

The solution?  Buy something else, don't waste your cash till Netgear decides that firmware is important, again.

 

Done with this thread, the replies coming in are from sources out of their depth.

Message 14 of 15
schumaku
Guru

Re: WAX220 Guest Network - Unsecured

The last reply before I stop this thread: The L2 Isolation feature as known from the WAX214/218 ...

 

L2 Isolation 

To prevent WiFi and LAN clients on the same access point from communicating with
each other, select the Enable radio button. By default, this option is disabled. If you
enable L2 isolation, clients can still communicate with each other over the Internet.
If you enable L2 isolation, to exclude a device from L2 isolation, enter the MAC address
of the device in a Whitelist field. You can exclude up to three devices.

 

...is not available on the WAX214v2 or WAX220.

 

The default config listed (the only place the feature is mentioned)  does show the L2 Isolation Disabled. 

 

Client Isolation

To prevent WiFi clients that are associated with the same or different WiFi networks
on the access point from communicating with each other, select the Enable radio
button. By default, this option is disabled. If you enable client isolation, WiFi clients
can still communicate with each other over the Internet.
Note: If L2 isolation is enabled, the Client Isolation radio buttons are disabled

 

It's not about Netgear having the L2 Isolation implemented right or wrong.

 

Would be nice to hear from Netgear team about this missing functionality to avoid similar future disappointing customer communication. @DavidGo 

Message 15 of 15