The R7000 has no provision to assign a dedicated range of IP addresses for guest users.
Instead, just go to the Guest network setup page on the R7000 and make sure that Allow guests to see each other and access my local network is not checked. This will prevent guests from accessing internal network resources.
@TheEther - when you write "... This will prevent guests from accessing internal network resources ..." - how, exactly, does this work?
For example, if I have a NAS/SAN which lives on the LAN, or a printer, or whatever, how does a checkbox inside Netgear software prevent someone from hacking into my Guest network and geting to my NAS/SAN??
I don't work for Netgear, so I can only make an educated guess. The software certainly knows which devices are connected to the guest network. It can drop packets from those devices targeted to non-guest devices in the LAN and vice versa. It probably identifies traffic by the joined Wi-Fi network (guest or non-guest), IP address and possibly also by MAC address. Ideally, it would check all 3 but it's probably sufficient to filter just by the Wi-Fi network.
You can either hope for a moderator who has access to Netgear employees to respond, or send a private message to one directly, or click on Support at the top of this web page, then Contact Us> Get help on my NETGEAR product to get help.
FWIW, I'm pretty confident about my guess. I am a software engineer in the computer networking industry. While I don't specifically work on Wireless Networking, I'm pretty knowlegeable about general networking principles. What I described is how I would implement a guest network.
@TheEther - you may have misunderstood my reply ... I don't think your approach is incorrect; rather, I want to know how these yahoos built this?!? Meaning, I currently have four SSIDs - Guest 2.4, Guest 5, Internal 2.4 and Internal 5 - on the same subnet (WTF?!?!)
Use case: I have my laptop on I5 and a security cam of my sleeping kid on I5 ... someone hacks into G2.4 ... since *ALL FOUR* SSIDs share the same subnet, it is only a matter of time until the hack has my sleeping kid on video.
Apparently there is some magical checkbox for 'don't let other wifi clients see stuff' which operates on undisclosed tech?? If I wanted a 'just trust us' approach to wireless security I would save all this hassle and get an OnHub 😉
Again, thx to @TheEther for the guidance to submit a ticket.
I can understand your concern and looking for an explanation can often help alleviate fears. I'm not sure that an explanation from Netgear, should they choose to provide one, is going to allay them. You may simply have to trust them on this. After all, you are trusting that router generally works. If you can't, then you can use a second router as a dedicated guest network.
With respect to your use case, a hacker can just as easily attack your internal 5 GHz network directly. The fact that two internal Wi-Fi networks are on the same subnet does not make it significantly less safe. I suppose Netgear could have put the guest network on an entirely different subnet but what would make you trust this to be any more secure?
The first and main line of defense for Wi-Fi is a strong password. I use passwords of at least 16 characters in length. Ideally, they should be totally random or use the first letters from a long, memorable phrase that only you know. For convenience, you cab use a simpler password for the guest network, but it should still be long. For example, HumansTakeFlight, though this one is not ideal because it lacks numbers and special characters.
