This topic has been marked solved and closed to new posts due to inactivity. We hope you'll join the conversation by posting to an open topic or starting a new one.
WNDR4500v2: Wireless isolation doesn't work on guest network
Hi,
I have used this Router now for about 9 months and have been very happy with its performance. We have a home business and students regularly visit our home. We have recently had requests for them to get on our WiFi (because cell reception is bad), and I wanted to use the "Guest Network" feature to accomplish this.
Goals:
--Guest network is for student needing to access the internet only.
--Guest network will broadcast SSID and will be guarded with password, given to student at their request.
--Multiple clients on guest network should not be able to see each other. Just client and the internet.....that's it.
--Guests must be absolutely isolated from our regular WIRED network (plugged into the physical ports on the WNDR4500v2) and the regular WIRELESS network (via the WiFi on the WNDR4500v2). Assets on these internal networks (WIRED & WIRELESS) are lightly guarded and thus outside individuals must not be allowed to traverse these networks.
CONFIGURATION:
Router Model: WNDR4500v2
Firmware: V1.0.0.60_1.0.38
SETUP:
-Regular Wifi "WIRELESS" is ON:
"Enable Wireless Isolation" checkbox is OFF.
-Guest WiFi "GUEST" is ON:
"Enable Wireless Isolation" checkbox is ON.
"Allow guest to access My Local Network" checkbox is OFF.
-DHCP is ON
-"Enable AP Mode" checkbox is OFF.
Everything above seemed quite straightforward for easy configuration. However, it was a different story when I actually tested it.
I used my iPad to get on the guest network. I used the application called "Fing" that does an IP address scan on the entire network. Once identifying an asset, you can then run a more detailed scan by attempting to access various services on various ports of the device. Immeidately, the guest network showed every device on my GUEST, WIRED, and WIRELESS networks (combination of fixed and DHCP addresses). Not good! I then ran a more detailed analysis of the devices found all standard open ports (smb shares, webserver, terminal services) cound indeed be accessed from the guest network.
Is this a firmware bug? How do I deny guests access to everything but their connection to the internet?
By the way, the "Help" on the router configuration screen appears to describe the checkbox functionality BACKWARDS of the description. (I tried it both ways, just in case, but to no avail.) Probably a previous version or person-who-did-interface didn't talk to person-who-did-help?
"Allow guests to see each other and access my local network
When unchecked, users connecting to this guest network can only access the Internet and cannot access any other devices in the same network or in other networks, including the main network and the wired network. In addition, all the clients in this guest network cannot access router's management GUI or any other services provided by the router (for example, ReadySHARE Storage, ReadySHARE Printer... if the router supports these functions). When checked, users connecting to this guest network can access not only the Internet but also all devices on all local networks, including the main network and the wired network."
Re: WNDR4500v2: Wireless isolation doesn't work on guest network
Confirmed the WNDR3700v2 firmware (even when loaded in a WNDR3800) allows for a Guest Network, that does not see the local network. Allow Local Access (unchecked), Wireless Isolation (unchecked). Guests can print to a printer on the Guest Network.
Re: WNDR4500v2: Wireless isolation doesn't work on guest network
Did you guys try pinging devices?
The settings are correct.
The only way to isolate the devices on the Guest Network is to enable "Wireless Isolation".
If a device is connected to the Guest Network and Wireless Isolation is enabled, computers on the Guest network will not be able to ping nor see each other.
If you're saying that it sees each other and can still ping, then this could be a firmware problem.
Did you try to re-flash the firmware of the router and do a factory reset?
Re: WNDR4500v2: Wireless isolation doesn't work on guest network
Yes PING is working (and any protocol and service) to/from any host despite of the "Wireless Isolation" checked on.
I did not try to factory reset nor reflash the device as I really have some other thing to do than screwing up my current setup...
Honestly this Netgear router have never been very satisfactory to me with tons of bugs and full freeze requiring hard reboot from time ot time (and usually a couple minutes after ANY change to the Wireless settings).
Due to the number of similar post about this exact device and issue (and same on some other models) this definitely sounds like a huge firmware bug that your engineers will be able to confirm and should already be aware off with proper Quality Assurance process before submitting for GA.
Re: WNDR4500v2: Wireless isolation doesn't work on guest network
I did some more testing tonight. Pinging is no problem. Heck, I can view webpages, ftp, view windows shares, etc. The only effect that I notice on wireless devices when the isolation is checked is that host names no longer immediately resolve (they eventually do, but it takes some time).....I'm guessing that perhaps the DNS is in the process of rebuilding? Regardless of the status of the DNS, if you have an IP address on the network, you have full access to all ports, at any time, even when "isolation" is enabled.
By the way, I just tested enabling isolation on the regular WIRELESS (not GUEST) network (I thought that perhaps if it worked there and this was a bug only on the guest network, I would simply designate my WIRELESS for guests and use the GUEST network for my internal, secure stuff). Again, no effect. I was able to ping, ftp, view webpages, etc. across wireless clients.
In summary, "Isolation" on either the WIRELESS or GUEST network has absolutely no effect from a security standpoint.
I just updated the firmware last night to the latest version (from V1.0.0.56 to V1.0.0.60, if my memory serves me correctly). I have no information regarding if this bug was present in .56.
As far as doing a voluntary factory reset, I would consider doing that only under extraordinary cirumstances where replication of the bug or environment is difficult/impossible. This bug should be able to be tested with 10 minutes worth of work by Netgear. It's bad enought the website said "sorry, you've had the device for 9 months so its out of support period unless you give us more $."....I'm not going to do extensive troubleshooting and risk my very well-functioning system to do Netgear's job . I think the bug description that myself and others have given here should be enough to warrant an investigation.
Thank you to all the contributors and moderators of this community! I was shocked to see how many responses I've gotten in just the past 24 hours.
Re: WNDR4500v2: Wireless isolation doesn't work on guest network
I was contacted by the support team and they indicated engineering had made a change to the firmware and asked me to be a Beta tester.
I was sent a large contact to sign away my rights and first born in order to be a Beta tester. I said I would be willing, but would need a test piece of hardware in order to properly test since they also repeadly said it might brick my personal one that is currently in operation. They refused to send me hardware for testing. (Note that I offered to send it back when finished.....I'm not looking for handouts--I'm looking for a way to conduct a Beta test in a safe and effective manner, which is also what I happen to do for a living {but with industrial machinery firmware}).
So obviously this issue got someone's attention, and they seemed to have a proposed fix ready quite quickly.
It would be great to get a status update. If it's "it'll be in the next firmware update, slated for xx".....that's fine, at least we would have a general timeline and expectation of a fix.
Re: WNDR4500v2: Wireless isolation doesn't work on guest network
You are correct, the WNDR4500v3 (included) does not support the Guest Network configuration flexibility. You need the WNDR3700v3. It has two configuration selections that were SUPPOSED to be separate in the WNDR4500 but some ****one***** decided to combine the two functions.
With the WNDR3700 Configuration selections One: Guest network devices can see each other (or not) This is necessary to setup a Guest network Printer to allow guests to use a printer installed on the Guest network. Two: The second configuration selection is whether or not to let the Guest network devices see the Local network (or not).
Really frosted me to waste my money on a 4500 to replace a lighnting damaged 3700. I Just ordered a 3700 from Amazon at the suggestion of the Netgear Customer Service rep. The Guest network devices being visible to each other but NOT be able to see the Local network devices is a primary requirement of my system.
Re: WNDR4500v2: Wireless isolation doesn't work on guest network
Confirmed the WNDR3700v2 firmware (even when loaded in a WNDR3800) allows for a Guest Network, that does not see the local network. Allow Local Access (unchecked), Wireless Isolation (unchecked). Guests can print to a printer on the Guest Network.
