Re: Guest network not isolated - D7000 (firmware V1.0.0.32_1.0.1)

ChrisLangford · ‎2016-06-20

Hi,

I brought this router to replace a DGND3300 when I upgraded to VDSL. I use the guest network to isolate my development PC from the main home network. The isolation is not working with the D7000 and the PC can ping devices on the main network and connect to the printer (on the main network). This makes the guest network pointless.

The setup wzard initially upgraded the router to v1.0.0.34 of the firmware but this had other issues (Address reservation) and so I downgraded to v1.0.0.32, did a factory reset and set up the router again. I have disabled the 5G wireless and have SSID broadcast enabled and WPA2-PSK (AES) set on the main and guest networks. The main and guest network have different SSID and passwords. The gurst network has "Allow guests to see each other and access my local network" unchecked. I am using IP Address reservation for devices on the main network (but not devices on the guest network).

I noticed that the devices on the guest network are on the same subnet 192.168.0.x as the main network (On the DGND3300 the guest network used 192.168.1.x and the main used 192.168.0.x).

Is anyone else experiencing the same problem? Is this another issue with the firmware?

BarefootAndrew · ‎2016-06-30

I have a very similar setup, the identical product and firmware version, and indeed the same problem of non-isolation of the guest network.

I'll be following this with interest.

There is a similar thread here:
https://community.netgear.com/t5/DSL-Modems-Routers/D7000-Wifi-isolation/td-p/1081711

A.

ChrisLangford · ‎2016-07-02

Hi,

I was beginning to think that I was alone here. Glad (but in a bad way) to see that someone else can reproduce the symptoms. I'm guessing that people assume that the guest network is working properly - I had and only spotted by accident, hen I could access the printer, that it wasn't.

I had already seen the post that you mentioned before I made my original post. I had done a factory reset and re-applied all settings but it made no difference.

I have done some reading around (VLAN tagging and 802.2 frames) and some more testing on my network. I turned off IPv6 on my printer and can no longer see/print to it from the guest LAN (Main LAN is OK). The "ping 192.168.0.62" (using the printer's IP) command returns "request timed out" whereas a "ping 192.168.0.200 (an unused IP) returns "destination unreachable". However, if you do a "arp -a" command (after the ping) the printer IP and MAC address are shown. This means that the "RARP" packet was sent to the printer and it responded.

My guess is that the isolation works by using separate vlans for the guest and main lan and filtering the packets at the frame level. However, I think that it only filters (or vlans) the IPv4 frames and not the RARP (used by the IPv4 ping command) or IPv6 frames.

Since all recent versions of Windows have both IPv4 and IPv6 stacks this means that any Windows PC's will not be isolated from each other. Other devices, which may only use IPv4, will be isolated.

I think that the isolation needs to apply to all types of frames that are sent on either network otherwise the PCs aren't "safe" (if one has a virus) from each other.

Chris

BarefootAndrew · ‎2016-07-04

Morning Chris.

I too have some ideas for things to try (even if to merely yield clues for NetGear) - will experiment and report back as soon as I can.

It's all a bit unsatisfactory - the isolation was a feature of primary interest.

Have you considered upgrading to firmware .38? (I know you tried .34 and then reversed it). I've not done so yet, but that purports to fix one little niggle I've noticed - displaying the wrong wifi name in the access control list.

I shall report back again soon.

A.

SimonSimple · ‎2016-07-23

I too am experiencing this same issue and have updated the firmware to 38, would be keen to hear back regarding this if you find anything?

Many thanks

SImon

BarefootAndrew · ‎2016-09-11

Apologies for the delay in following this up.

I finally upgraded my D7000 to firmware .38. This appears to have some effect on the isolation issue, in that pings from a guest wifi device to the core network no longer work (even accounting for the next issue below). However, Windows network discovery still does work across the isolation barrier, which is not what I had wanted.

More disappointingly is that address reservation has stopped working - the same issue that you experienced with .34 Chris. This thread:-

https://community.netgear.com/t5/DSL-Modems-Routers/Nighthawk-D7000-DHCP-Address-Reservation-not-Wor...

suggests this is a long-standing annoyance.

My view now is that the D7000 is a poor product not fit for purpose. I have posted a negative review on Amazon with links back to this forum.

I will be looking to cut my losses with NetGear as soon as possible.

A.

Edited to add Amazon review link:-

https://www.amazon.co.uk/product-reviews/B00ZU1T8C0/ref=cm_cr_arp_d_viewopt_srt?ie=UTF8&showViewpoin...

DarrenM · ‎2016-09-13

Hello barefootAndrew

We are aware of the issues with .38 as we are looking to fix these in the next firmware update I would suggest to try to go back to .32 and see if you are experiencing these issues.

DarrenM

BarefootAndrew · ‎2016-09-17

DarrenM,

This really is not a satisfactory answer.

If you had have read this thread at all, you would have seen that downgrading back to .32 would re-introduce other, equally unacceptable problems.

Further more, your remarks give no indications as to when a new release will be made, which is exasperating given the frustration expressed in this and other threads.

I would imagine that a number of us on this forum are technical people, and I certainly am. I'm a firmware and embedded systems engineer of some years standing, and the quality of your product and the process of maintenance in the marketplace is poor.

Sort it out - this debacle puts the profession in a poor light.

Regards,

A.

BarefootAndrew · ‎2016-10-05

An update:-

This evening I upgraded our D7000 to firmware V1.0.1.42_1.0.1, and our R7000 (operating in AP mode) to firmware V1.0.7.2_1.1.93.

The upgrade to the D7000 appears to fix the address reservation issue (https://community.netgear.com/t5/DSL-Modems-Routers/Nighthawk-D7000-DHCP-Address-Reservation-not-Wor...), which is good news. This was a (frankly) major nuisance in our previous D7000 f/w version .38.

With the R7000 off, and all devices connecting directly via the D7000, guest isolation appears to be working at first glance. IPv4 pings are certainly blocked in the way I would expect; I have more testing to do with IPv6.

One anomaly is that two laptops can see each other in the Windows Explorer network section, whereas neither can see other devices. I'll investigate this further.

However, when I power up the R7000 (which is physically cabled to the D7000), and allow Wifi devices to connect via the R7000, the guest isolation is bypassed completely and everyone can see everyone.

I'm unclear of any sounds technical reason why the R7000 can't enforce D7000 policy. I shall research VLAN mechanics further, and will report back with any findings.

Page 2 of this thread:-
https://community.netgear.com/t5/Nighthawk-WiFi-Routers/Allow-Guest-to-see-each-other/td-p/498963

suggests that NetGear were going to address this issue, but sadly this seems not have materialised.

I'm reluctant to operate the R7000 in modes other than AP mode, because the speed and connection reliability of a physical ethernet cable is important to us.

A.