I have all my IoT devices connected to IoT VLAN. I have all my computers and phones connected to Default VLAN. This separation is for security obviously as recommended. I have Network Isolation turned on for IoT VLAN so that devices on IoT VLAN couldn't access any devices outside that VLAN. And Default VLAN comes with Network Isolation disables, which in theory should allow it to connect to all IoT devices. However, this doesn't happen. I cannot access any of my IoT VLAN devices, unless I disable Network Isolation on IoT VLAN. But as soon as I do that all Default VLAN devices become immediately visible from any IoT VLAN Device.
What am I doing wrong? Or how can I achieve the obvious security that I'd like to achieve without making it impossible to access any IoT devices from the non-IoT network?
In my perspective you are not doing anything wrong, the rule for Network Isolation is just implementing it's job. To clarify what is happening is that. If you can recall as you have mentioned, there should be no IoT devices be able to get out from it's VLAN. Now what is happening when you try to access them from your non IoT devices they would not respond as it's being blocked by the rule that nobody should be able to get out from it's VLAN. That is also why when you remove the Network Isolation everything will work fine. I believe only through access control list that you will be able to achieve your requirement. Please check page 59 to 63 from the link below to be guided about ACL:
Thank you, Erwin. So does Netgear then have those access rules or other mechanism to achieve what I want?
The way other routers isolate IoT Vlan is that you can access devices from outside of IoT VLan, but IoT Vlan devices cannot access any devices outside of the IoT Vlan. This is very simply achieved with a couple of Firewall rules.
This type of isolation where IoT Vlan devices become completely inaccessible locally and are only accesible via Cloud is super inconvenient. Basically, I end up maintaining Wifi to IoT Vlan and Ethernet to Default VLan constantly completely defeating the point of IoT Vlan isolation as anyway have to be permanently exposed to it.
Any suggestions how to fix this annoyance and inconvenient lack of firewall in such an expensive Pro device?
Were you able to check the manual I have provided? I believe it was mentioned there how you can allow or block devices from accessing the network using access list.
Yes I have and all it says that its either all blocked or all accessible. According to the manual there is no way to have Default VLAN access IoT VLAN but not vice versa. So it doesn’t solve my issue. So I am still looking for clever workarounds if anyone was able to find?
I see. If that will not work for your requirement. You might want to try putting a switch in between your router and devices that has access list feature like GS110TPv3. Try checking the documentation all about ACL on page 354 to 385 from the link below
Did you solve your problem? In this case could you give us a feedback on the situation and accept the post as a solution to make it more visible to other users?
@ErwinL I would solve my problem if I could achieve what I am trying to - be able to connect to any of my IoT device on IoT VLAN without having a security issue of any of my IoT devices being able to connect to my computers and phones on Default VLAN.
This is an absolute common sense need and way to isolate IoT devices. This is a standard in feature in most linux powered routers, like Ubiquiti and for no comprehensible reason absolutely impossible on Orbi Pro routers.
So did I solve my problem? Absolutely not.
Did I get clear that Orbi Pro routers are incapable of achieving what I need? Yes.
I would like to apologize if the solution I have provided did not meet your requirements. If you think that this is a feature that is lacking for this device we are open for suggestions. Just visit the link below and find your way on suggesting your concern. Can we set this thread to closed now?
Thanks for requesting a feature. I do hope your feature request will be added to the device. With that, have I addressed your concern? In this case could you give us feedback on the situation and accept my post as a solution to make it more visible to other users?
