Guest Network Isolation Issue

IPFreely
Guide

Guest Network Isolation Issue

There are other posts regarding this issue with no fix.  Netgear, please respond and fix this!!!

 

I have the latest firmware and the router is in router mode.  I set up a guest network and uncheck the option to "Allow guests to see each other and access my local network".

 

However, using a network scanning tool on my iPhone, I can still see IP Addresses of my NAS, printers, etc.  I shouldn't be able to see anything; one of the main reasons for setting up a guest network --> Network Isolation.

 

Please respond and fix this security issue - thanks!

Model: R7000|AC1900 Smart WIFI Router
Message 1 of 10
antinode
Guru

Re: Guest Network Isolation Issue

> There are other posts [...]

   Links?  Or should I already know what you've been reading?

> I have the latest firmware [...]

   An actual version number would be more useful than your opinion of
what's "the latest" today.   

> [...] using a network scanning tool [...]

   Which?  How?

> [...] I shouldn't be able to see anything; [...]

   That's one, but not the only possible, interpretation of "Network
Isolation".

   Can a guest-network device do any actual communication with non-guest
devices on your LAN?  For example, can a guest device access files on
your "my NAS", or print on your "printers", ...?

Message 2 of 10
IPFreely
Guide

Re: Guest Network Isolation Issue

Thanks for the reply.

Regarding posts: If you search for: netgear guest network isolation you will see several posts with eventually no or little response from Netgear. Eventually, the thread/post closes.

Firmware: This issue has persisted for several years according to the posts mentioned above, but my firmware was updated last night to: 1.0.9.34

Network scanning tool: Other posts mention different tools, but any port scanning tool should work. I used Net Analyzer Lite on my iPhone.

Network Isolation: Most IT Professionals, Network Admins, Security Admins, etc. would expect that network isolation would isolate users so they can't see or interact with others. If I can see it, am I really isolated?
Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 3 of 10
antinode
Guru

Re: Guest Network Isolation Issue

> [...] Regarding posts: If you search for: [...]

   If _I_ search for anything, I still won't know what you were reading.

> [...] If I can see it, am I really isolated?

   Define "see".  Define "really isolated".  A guest network on these
routers is not a separate network or subnetwork, merely a set of
firewall-like access restrictions.  If "see" means something like "get a
ping (ICMP) response from", but any TCP or UDP access is blocked, then
what real difference does it make?

> [...] can a guest device access files on your "my NAS", or print on
> your "printers", ...?

   Still wondering.

Message 4 of 10
antinode
Guru

Re: Guest Network Isolation Issue

> Posts: [...]

   I see one device with different firmware, and one different device
marked "Solved".

> Definitions: See- ping Really isolated- not able to ping

   With that definition, the Guest Network feature on these routers may
not be satisfactory.  And such complete isolation may be impractical.
For example, if a Guest Network were really completely isolated from the
main-router network, then guest clients would be unable to access the
DHCP server on the main-router network.

   If you want _complete_ isolation, then you may really want a distinct
guest subnet (with its own, separate router and/or firewall, DHCP
server, ...).  If you care about more than "ping" (which, in itself,
conveys very little information), then something less than that might be
satisfactory.

> > [...] can a guest device access files on your "my NAS", or print on
> > your "printers", ...?
>
>    Still wondering.

   Still wondering.

Message 6 of 10
IPFreely
Guide

Re: Guest Network Isolation Issue

All of the posts were marked closed due to no activity, and no resolution or response from Netgear. I would love to hear from someone from Netgear to understand if this is a security issue as I and several others believe it is. I will try and see if I can access the devices that I can ping (NAS, printer, etc.).
Message 7 of 10
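
The question left open above, whether a device that answers a ping from the guest SSID can also be used from there, can be settled with a TCP connect check run on a device joined to the guest network. This is an added example, not part of any poster's message; the port list and the verdict wording are assumptions, and the addresses are whatever your own LAN devices use.

```python
import socket
import sys

# Assumed port list covering the services named in the thread (NAS file
# sharing, printing, device web UI); adjust to what your devices run.
SERVICE_PORTS = {80: "HTTP", 139: "NetBIOS", 445: "SMB", 548: "AFP",
                 631: "IPP", 9100: "raw print"}

def probe(host, port, timeout=1.0):
    """Attempt one TCP connection from this (guest-side) device.

    'open'     -> handshake completed: the service is usable from here
    'closed'   -> a refusal came back (from the host or a rejecting firewall)
    'filtered' -> no answer or unreachable: consistent with a blocking rule
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:          # includes timeouts and "no route to host"
        return "filtered"
    finally:
        sock.close()

def verdict(states):
    """Collapse per-port states for one host into the thread's distinction."""
    if "open" in states:
        return "NOT ISOLATED: a service accepts connections from the guest side"
    if "closed" in states:
        return "VISIBLE ONLY: something answers, but no probed service is reachable"
    return "BLOCKED: no TCP response on any probed port"

def check_host(host, ports=SERVICE_PORTS, timeout=1.0):
    """Probe every port on one host; return (per-port states, verdict)."""
    states = {p: probe(host, p, timeout) for p in ports}
    return states, verdict(states.values())

if __name__ == "__main__":
    # Usage: python guest_check.py <LAN-IP> [<LAN-IP> ...], run while joined
    # to the guest SSID, against your own devices' addresses.
    for host in sys.argv[1:]:
        states, summary = check_host(host)
        print(host, summary)
        for port, state in states.items():
            print(f"  {port:>5} {SERVICE_PORTS[port]:<10} {state}")
```

Running the same check from the main SSID gives the baseline to compare against: a port that is open from the main network but filtered from the guest network shows the restriction is doing its job for that service.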
schumaku
Guru

Re: Guest Network Isolation Issue

There is a thread in the Orbi section (again essentially the same platform, same guest network implementation, ...) where the business GM John stated that some better isolation towards guest network isolation for the Orbi Pro is required and will be enhanced. For the consumer stuff like Nighthawk, Orbi (non-Pro), DSL, and Cable routers, the status quo seems to be retained, a full isolation is not required and not intended.

 

Head over to the Idea Exchange for Home section, check if there is a guest network isolation related entry, or create a new one.

Message 8 of 10
IrvSp
Master

Re: Guest Network Isolation Issue

I'd like to know what "(NAS, printer, etc.)" means?

 

NAS and Printer connected to the USB ports?

 

Wonder if there is access to the USB ports via the Guest SSID's?

 

Interestingly, this one says you can't connect a wired printer to the Guest ID unless you wirelessly connect it to that SSID...

 

All that I could locate either there was no answer (some were for different routers) or use individual routers or subnets.

 

Message 9 of 10
schumaku
Guru

Re: Guest Network Isolation Issue

@antinode @IPFreely

 

Fact is that the primary network does leak to the guest wireless like an old garden hose.

Fact is that the guest network implementation does work on the wireless side only, and is fit for providing Internet access only. Any other usage, any extension on a wired network, any offering of additional services like a NAS, a printer, or using the guest network for BYOD usage are not possible. No rocket science, just ignorance by all (or many) consumer router makers. If you complain about missing features (say a configurable firewall rule for Internet -> (port forwarding) -> LAN or Internet -> router to restrict the access to some services to known/trusted peers) you are told the others don't have it either.

 

For leading edge router products sold for several hundred bucks I would expect a little bit more than what was considered basic functionality 20 years ago on a home CPE. 

Message 10 of 10