R8000 guest network isolation not working

chris12
Aspirant

R8000 guest network isolation not working

I have a guest wifi set up with the isolation mode turned on:

Guest wifi

 

I have a device attached to it:

Screen Shot 2016-03-06 at 8.08.04 PM.png

 

 

The device on the guest wifi is able to send some packets over the network. See some example packets which were broadcast to a device attached to one of the Ethernet ports:

Screen Shot 2016-03-06 at 8.08.59 PM.png

and:

Screen Shot 2016-03-06 at 8.25.52 PM copy.png

Note: The MAC address and the IP address both match that of the device on the guest wifi.

 

These are only ARP and DHCP packets but I wouldn't expect even them to get through if the isolation mode is turned on.

Tried logging a support ticket twice but Netgear wouldn't look into it as the product is more than 90 days old. They suggested reporting the issue on this forum instead.

Message 1 of 10
TheEther
Guru

Re: R8000 guest network isolation not working

What happens if you try to ping the device on the guest network from the main network?

Message 2 of 10
chris12
Aspirant

Re: R8000 guest network isolation not working

The ping doesn't get through.

Message 3 of 10
TheEther
Guru

Re: R8000 guest network isolation not working

That's good news. Maybe they neglected to filter out broadcasts. It looks like nothing responded to the ARP requests. Was there a device at 192.168.3.4?

Message 4 of 10
chris12
Aspirant

Re: R8000 guest network isolation not working

192.168.3.4 was the IP address that was previously assigned to the device on the guest network but the router gave it a new address of 192.168.3.7 when it renewed the DHCP lease. .4 is not currently assigned to any device.

Message 5 of 10
TheEther
Guru

Re: R8000 guest network isolation not working

Ok. Maybe they are deliberately letting DHCP and ARP across in order to allow devices to defend their claim on IP addresses. IIRC, that's part of the DHCP protocol.

Message 6 of 10
chris12
Aspirant

Re: R8000 guest network isolation not working

We are speculating here. The networks are supposed to be separated so I would speculate that there should be no reason for ARP or DHCP traffic to be broadcast between the two. Would seem like a good way for the guest wifi to mess with the normal network.

Message 7 of 10
TheEther
Guru

Re: R8000 guest network isolation not working

The networks are isolated but technically they are in the same subnet. I'm guessing that Netgear's engineers decided to allow ARP and DHCP traffic in order to prevent duplicate IP addresses.

Even if ARP and DHCP traffic were blocked, I think a malicious guest device could still cause havoc by using the same IP address as another device on the main network. What's the router to do if it sees two devices with 192.168.1.4, for example?

Message 8 of 10
chris12
Aspirant

Re: R8000 guest network isolation not working

What's the router to do if it sees two devices with 192.168.1.4, for example?

If they are on two separate VLANs I would expect it to treat them independently.

Message 9 of 10
TheEther
Guru

Re: R8000 guest network isolation not working

Separate VLANs would not be sufficient.  A separate NAT table and DHCP pool, the latter of which is clearly not evident in the configuration, are needed.  I suspect Netgear took the easy way out by using a single NAT and DHCP pool and just implemented some iptables rules to limit the flow of traffic between the two networks.  See this example (link) showing how DD-WRT used to implement guest access.

Message 10 of 10
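
The check described in the first post (frames from a guest-WiFi MAC showing up on a wired port), as an added example that is not part of the original thread: it classifies raw Ethernet frames captured on the wired LAN by source MAC and protocol. The MAC addresses and frame bytes are constructed, and `classify`, `leaked` and `sample_capture` are hypothetical names.

```python
import struct

BROADCAST = b"\xff" * 6

def classify(frame):
    """Return (src_mac, is_broadcast, label) for one raw Ethernet II frame."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    label = f"ethertype 0x{ethertype:04x}"
    if ethertype == 0x0806 and len(frame) >= 42:            # ARP over Ethernet/IPv4
        (op,) = struct.unpack("!H", frame[20:22])
        target = ".".join(str(b) for b in frame[38:42])     # target protocol address
        label = f"ARP request for {target}" if op == 1 else f"ARP reply to {target}"
    elif ethertype == 0x0800 and len(frame) >= 34:          # IPv4
        ihl = (frame[14] & 0x0F) * 4                        # IP header length in bytes
        label = f"IPv4 proto {frame[23]}"
        if frame[23] == 17 and len(frame) >= 18 + ihl:      # UDP: read the two ports
            sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
            label = "DHCP" if {sport, dport} == {67, 68} else f"UDP {sport}->{dport}"
    return src.hex(":"), dst == BROADCAST, label

def leaked(frames, guest_macs):
    """Frames seen on the wired LAN whose source MAC is a guest-WiFi client."""
    guests = {m.lower() for m in guest_macs}
    return [c for c in map(classify, frames) if c[0] in guests]

# ---- Constructed sample capture (not taken from the thread's screenshots) ----
GUEST = bytes.fromhex("020000000007")   # constructed guest-client MAC
WIRED = bytes.fromhex("020000000001")   # constructed wired-host MAC

def eth(src, ethertype, payload, dst=BROADCAST):
    return dst + src + struct.pack("!H", ethertype) + payload

def arp_request(sha, spa, tpa):
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha + bytes(spa) + bytes(6) + bytes(tpa)

def sample_capture():
    udp = struct.pack("!HHHH", 68, 67, 8, 0)                # DHCP client -> server, no payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    return [
        eth(GUEST, 0x0806, arp_request(GUEST, [192, 168, 3, 7], [192, 168, 3, 4])),
        eth(GUEST, 0x0800, ip + udp),
        eth(WIRED, 0x0806, arp_request(WIRED, [192, 168, 3, 2], [192, 168, 3, 1])),
    ]

if __name__ == "__main__":
    for src, bcast, label in leaked(sample_capture(), ["02:00:00:00:00:07"]):
        print(f"{src} {'broadcast' if bcast else 'unicast'} {label}")
```

An empty result from `leaked` on a wired-port capture means no guest-sourced frames reached that port during the capture; broadcast-only hits match what the thread reports.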