One firewall creating multiple networks that can not see eachother

Kristoffer,

With all due respect - using a no longer supported device should deny the intended project.

Regards,

-Kurt

I don't see this model as no longer supported as it's still listed and you can buy it in the shops?

https://www.netgear.com/business/products/security/SRX5308.aspx

However have you got a different firewall that you know will actually do the job?

Best regards

Kristoffer

https://www.netgear.com/support/product/SRX5308.aspx

Attention:

NETGEAR Inc. will terminate the ProSAFE VPN Firewalls on September 1, 2017. The last software update for these products was provided in April 2017. NETGEAR Inc. will continue to honor valid warranty claims for all ProSAFE VPN Firewall devices purchased from an authorized reseller. To complete the full exit from the product line, NETGEAR Inc. will no longer provide ProSAFE VPN Firewall software support or subscription updates for any ProSAFE VPN Firewall devices after September 1, 2017.

Also on the page you referred:

Netgear has recently launched the BR500 router ... what appears to be a small step into the right direction. Lack of personal experience with this device, I refuse to suggest getting one here. As of writing, it appears to be point solution for some K.I.S.S. VPN connection between different sites, plus some...

You're right. the BR500 is the new one, however i still don't see any evidence that it's able to do the required job.

Which leaves me with my quesiton still standing. Any input would be highly appreciated.

Can you please line-out the "networks that can see each other" in some more words and applications?

Pure routing is one thing - leaving the performance alone, it's relatively easy to achieve. Lots of Apps and IoT require the devices to be in the very same TCP/IP subnetwork - device discovery, service announcements, ... often depends on plain IPv4 broadcast, sometimes some very-magic L2 is used ... and even the Bonjour stuff does often not work over different L2 segments and subnets.

From discussions and presentations with NTGR people ref. the BR500 we discovered that some features are not covered by the documentation (the initial User Manual), and probably other tech features from the marketing list might be not available initially. Thus it's all a little bit digging in the dark.

What i mean is Two seperate networks. So they will act as they are independent networks going out to the internet seperately but through one firewall. 

Pretty much as the drawing shows. Devices on one network are under no circumstances able to send or receive traffice from other networks without going out through the firewall and hitting the internet first.

I just went through the BR500 manual, but it doesn't really show any such configurations. There is a bit aobut firewall rules and VLAN setup but not enough to clearly give an indicatio if the illustrated setup above is possible. 

Otherwise i'll have to go with a Cisco AR box as that clearly has the capability.

BR

Kristoffer

---

@Lippert wrote:

Pretty much as the drawing shows. Devices on one network are under no circumstances able to send or receive traffice from other networks without going out through the firewall and hitting the internet first.

---

In my understanding the BR500 (comparably inexpensive) should be able to handle multiple VLAN with dedicated subnetworks - in both the Web management as well as Insight management mode.

About the BR500 - is there any way of verifying that it is capable of running multiple Vlans?

Aside from buying one and trying it out? - I've been throuhg the manual but it's not clear to me if that is really an option or not.

Best regards

Kristoffer

Kristoffer,

As of writing, it appears the BR500 is able to handle four VLAN (when I get it right one per switch port!), and just a total of four IP subnets with DHCP services only - three are predefined (admin, guest, IPTV), and one is "freely" available.

The BR5000 5.1.0.14 firmware release notes are very optimistically stating

• VLAN. VLAN with the DHCP server on each subnet is supported.

The spec'ed 256 VLANs are out of reach - certainly for the next few months - as per some direct communication.

Reads to me like Netear has implemented the same ***** router engine we know to be cumbersome on consumer products like Nighthawk, Orbi, or Orbi Pro.

Aside, it appears they used (uniquely) a Web component from Ali which does establish a connection to AliPay - at least here we got a promise that this component will be pulled. Timer is ticking.

Netgear might want to provide additional information @YeZ

Not impressed at all - in fact a 100% failure for now. This BR500 is not ready for prime time, and it does not fit into the Insight environment as intended by the top management @johngm please. 

Regards,

-Kurt