RBR750 assigns IPs to Guest WiFi in Access Point mode.... how is that possible?
The orbi RBR750 seems to have a strange setting that even if it is enabled to Access mode . the guest WiFi assigns an device an ip ( in this example it is 192.168.2.x
How can ORBI assign a 192.168.2.X address and the firewall allows that IP traffic all over the network , the Firewall does not even see it , yet I can access all network device .
I really need some assistance in understanding this , shouldnt access Point disable IP assignments ?
So the access point assigns an IP which it shouldn’t
[DHCP IP: (192.168.2.2)] to MAC address FC:B3:BC:XXXXX, Friday, Dec 03,2021 17:07:10
[DHCP IP: (192.168.2.2)] to MAC address FC:B3:BC:XXXXX, Friday, Dec 03,2021 17:04:10
But the worst part is that the Firewall is setup to quarantine ANY new device and with that IP assignment it just passes trough firewall and does not even see it , nor quarantine it .
Re: RBR750 assigns IPs to Guest WiFi in Access Point mode.... how is that possible?
Netgear has set up a community forum specifically for the Orbi AX (WiFi 6) products. Most of the people who watch that forum are more likely to have experience with Orbi AX and know how to work it better than those of us who follow this "general Orbi" forum. Might be more likely to find someone who has a solution if the question is posted there: https://community.netgear.com/t5/Orbi-AX/bd-p/en-home-orbi-ax
Guest Network should be disabled in AP mode as it's not supported in AP mode.
The orbi RBR750 seems to have a strange setting that even if it is enabled to Access mode . the guest WiFi assigns an device an ip ( in this example it is 192.168.2.x
Are you still within the magic "90 days of complimentary support" on this Orbi router? It would be really entertaining to hear how Netgear support explains this. I also find this situation inconsistent with how I think Access Point should work. (All IP's assigned upstream and zero separation between primary and WiFi networks.)
One of the differences between the original Orbi product and the 'AX' product is the way Guest IP addresses are assigned. The original Orbi placed devices from both the primary and guest WiFi networks into one subnet, typically 192.168.1.x This surprised (and annoyed?) many customers who thought it would be a lot simpler to put guest devices into a separate subnet. The older Orbi also had that option of whether guest devices could connect to devices on the primary network (page 80
I have heard comments that the AX product line does place guest devices into a separate IP subnet. The RBR750 User Manual seems silent on this topic (see page 70 https://www.downloads.netgear.com/files/GDC/RBK752/RBK752_UM_EN.pdf ) The RBR50 User Manual also makes no mention of that option for whether devices can (or cannot) communicate with the primary network.
Guest WiFi and Access Point mode are a complicated discussion. If the 'upstream' router makes all IP assignments, then it will have no way to determine which devices have connected to the primary or to the guest WiFi networks.
On the topic of what the firewall should do (or should not do), my understanding is that Access Point mode plays a role in this as well.
There is a Netgear web page explaining what features are not available in Access Point mode:
Notice that RBR750 is on the list of products this applies to. It is unfortunate that this web page starts with Guest Network, because obviously the Guest WiFi is still there. Personally, I believe that the person who wrote this web page intended to say that a separate Guest Network is not supported in AP mode, not that the Guest WiFi SSID could not be used.
You may notice a recurring theme: The AX product is different and those of who have never purchased one cannot speak from personal experience.
The orbi RBR750 seems to have a strange setting that even if it is enabled to Access mode . the guest WiFi assigns an device an ip ( in this example it is 192.168.2.x
How can ORBI assign a 192.168.2.X address and the firewall allows that IP traffic all over the network , the Firewall does not even see it , yet I can access all network device .
I really need some assistance in understanding this , shouldnt access Point disable IP assignments ?
So the access point assigns an IP which it shouldn’t
[DHCP IP: (192.168.2.2)] to MAC address FC:B3:BC:XXXXX, Friday, Dec 03,2021 17:07:10
[DHCP IP: (192.168.2.2)] to MAC address FC:B3:BC:XXXXX, Friday, Dec 03,2021 17:04:10
But the worst part is that the Firewall is setup to quarantine ANY new device and with that IP assignment it just passes trough firewall and does not even see it , nor quarantine it .
Re: RBR750 assigns IPs to Guest WiFi in Access Point mode.... how is that possible?
unfortunatly I am way past my 90 days.
I agree with your statements , the strangest thing realy is how does the guest wifi assigns an IP when DHCP is disabled and the device set to access point , which I agree defeats the purpose of beeing an access point. also how does it go past the firwall with an IP Range I did not assign to this port.
I agree with your statements , the strangest thing realy is how does the guest wifi assigns an IP when DHCP is disabled and the device set to access point , which I agree defeats the purpose of beeing an access point. also how does it go past the firwall with an IP Range I did not assign to this port.
I believe there is a technical difference between firewall and access control. Firewall is what protects a router from accepting connections on the WAN port (from the internet). In access point mode, access control is not supposed to be available. If a device provides the correct password, it gets on the network.
Re: RBR750 assigns IPs to Guest WiFi in Access Point mode.... how is that possible?
Setting your wireless router to AP mode means you have given up the role of a router to be a “dumb” LAN segment. Presumably, this LAN segment is located off a network that contains another router you gave up control to.
Now let's assume that, as some routers do, the guest network is on the same subnet as your home network and simply using a different SSID, password, and perhaps even channel. Now, even if your AP router keeps the traffic from those two ”networks” completely isolated, once you go beyond the AP router, traffic from both guests and your home network will appear to be on the same network to the router they eventually reach. Your laptop and phone won't look any more special than your guest's phone to the upstream router that has replaced your AP router. So if your friend's phone is compromised, it will be able to communicate with your computer as easily and as your *phone* can. Send a request to the router, get routed to your computer—it kind of defeats the purpose of a guest network.
Now, let's assume that instead of using DHCP from beyond your AP router for the guest network, your AP router instead acts as a DHCP server for the guest network and puts guest clients on a different subnet.
Technically, your friend's phone can still reach your computer. Make a request to the computer's IP, hit the upstream router, get routed to your PC, same as getting routed to another network across the internet. But now, your friend's phone does not look equally as special as your phone. It's on a different subnet. And so, the upstream router and a firewall can easily be configured to not allow communication from the guest network subnet to your home network subnet.
Why does your firewall not block this different subnet? Often, a firewall is set up by default to apply strict rules to what comes in from upstream on its WAN port(s) and a into your local networks, blocking anything unexpected. However, it will generally allow traffic originating downstream on your local network and entering it's LAN ports(s). So traffic originating locally is trusted and traffic originating elsewhere is not. That's just a simple starting strategy that is widely applicable though. A good firewall and/or router can be configured to allow and follow whatever rules you'd like. But in order to do that configuration to keep your guests off your network, you need a way to differentiate guest traffic from *your* traffic. The separate subnet gives you this.
