
Re: Clarification of Network Isolation SXK80

WillowU
Aspirant

Clarification of Network Isolation SXK80

If I have the Router and Hub operating in AP mode what does the Network Isolation checkbox for VLANs actually do?

The user manual of the SXK80 says "Network isolation, also referred to as network segmentation, prevents hosts and clients in the VLAN from reaching ports, hosts, and clients in other VLANs"

But isn't that what having VLANs set up in the first place should do?

Basically I want the SXR80 and SXS80 to preserve the VLAN separation (both Wi-Fi and Wired that go over the trunk) and not do any kind of bridging or other 'clever' stuff - I've got a separate firewall to allow traffic between VLANs.

Does unticking Network Isolation mean that hosts in one VLAN can potentially communicate with hosts in another VLAN?

Message 1 of 5
deckard26354
Aspirant

Re: Clarification of Network Isolation SXK80

Assuming the SXK80 operates like the SXK50, the network isolation tickbox installs ebtables rules that prevent communication to or from the isolated network and any other network the Orbi is attached to.

Unfortunately, this happens even in AP mode where VLANs shouldn't have IP addresses or any knowledge of IP networks that are attached to them.

Worse, the client isolation tickbox does something similar. IP-based rules are installed that prevent WiFi clients on the isolated network from communicating with VLAN-based clients on the same VLAN.

There is unfortunately no way to disable this (IMO erroneous) behavior, and this is why I'm highly likely to abandon the Orbi Pro in favor of a brand like Ubiquiti which has far less nanny-like behavior.

Message 2 of 5
WillowU
Aspirant

Re: Clarification of Network Isolation SXK80

I've come from the opposite direction, having previously used a Unifi UAP-AC-PRO but wanted to upgrade to a mesh with dedicated wireless backhaul.

Your explanation helps, I can take a look at the dumped ebtables with and without the tickbox to see what it's up to.

I seem to have all kinds of strange behaviour - wired hosts on subnet A can reach a wired host in subnet B (intentionally allowed via a firewall). But as soon as I try doing the same from the same host on subnet A but over Wi-Fi it doesn't work...there's loads of TCP re-transmissions, so I'm wondering if there's still some filtering or table issue.

I'm hoping I might be able to get OpenWrt up and running on these. If I can do that, it should get rid of a lot of the hidden (and broken) magic the Netgear firmware seems to be doing. I'd rather stick to stock, but there's just too much hand-holding in a supposedly pro product.

Message 3 of 5
deckard26354
Aspirant

Re: Clarification of Network Isolation SXK80


@WillowU wrote:

I seem to have all kinds of strange behaviour - wired hosts on subnet A can reach a wired host in subnet B (intentionally allowed via a firewall). But as soon as I try doing the same from the same host on subnet A but over Wi-Fi it doesn't work...there's loads of TCP re-transmissions, so I'm wondering if there's still some filtering or table issue.


This unpredictable behavior is exactly why I was digging into the Orbi's behavior. Even when network isolation is disabled, a station on my LAN WiFi is unable to communicate with a station on the IoT WiFi if they are both associated to the SXR. However, when the LAN station is associated to the satellite it can communicate with the IoT device through the wired backhaul.

This is because the SXR obtains layer 3 addressing for all VLANs (even when it is only providing layer 2 connectivity) and has to install protective rules to prevent traffic from flowing between subnets on those connected interfaces. Because these rules are layer 3 rules they also prevent traffic from being forwarded to the upstream router.

In my opinion AP mode is fundamentally broken and unfit for its intended purpose because there is no way to disable this behavior.

Message 4 of 5
hermesromeror
Apprentice

Re: Clarification of Network Isolation SXK80

100% agree..  AP mode is completely broken.

Message 5 of 5
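
The with/without-tickbox comparison WillowU mentions, sketched as an added example (not posted by anyone in this thread and not Netgear's code): it diffs two `ebtables-save` style dumps and lists the DROP rules present only in the second, marking which of them match on IP fields as deckard26354 describes. The dumps, interface names and subnet are constructed samples; the actual rules the SXK80 firmware installs are not shown in the thread.

```python
import shlex

# Constructed sample dumps (assumed interface names and subnet).
DUMP_OFF = """\
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A FORWARD -p ARP -j ACCEPT
"""
DUMP_ON = DUMP_OFF + """\
-A FORWARD -i ath0.20 -o eth1.10 -j DROP
-A FORWARD -p IPv4 -i ath0.20 --ip-dst 192.168.10.0/24 -j DROP
"""

def parse_rules(dump):
    """Return [(table, rule_line)] for every appended (-A) rule, in order."""
    rules, table = [], None
    for line in (l.strip() for l in dump.splitlines()):
        if line.startswith("*"):
            table = line[1:]          # e.g. filter, nat, broute
        elif line.startswith("-A "):
            rules.append((table, line))
    return rules

def describe(table, line):
    """Pull out the fields that matter for an isolation rule."""
    tok = shlex.split(line)
    arg = lambda flag: tok[tok.index(flag) + 1] if flag in tok else None
    return {
        "table": table,
        "chain": tok[1],
        "in": arg("-i"),
        "out": arg("-o"),
        "target": arg("-j"),
        # ebtables IP matches (--ip-src, --ip-dst, --ip6-...) are layer 3.
        "layer3": any(t.startswith(("--ip-", "--ip6-")) for t in tok),
        "rule": line,
    }

def added_drops(before, after):
    """DROP rules found in `after` but not in `before`."""
    old = set(parse_rules(before))
    new = [describe(t, l) for t, l in parse_rules(after) if (t, l) not in old]
    return [r for r in new if r["target"] == "DROP"]

if __name__ == "__main__":
    for r in added_drops(DUMP_OFF, DUMP_ON):
        kind = "L3 (IP match)" if r["layer3"] else "L2 (interface only)"
        print(f'{r["table"]}/{r["chain"]} {kind}: {r["rule"]}')
```

To use it on a real device, replace the two sample strings with dumps captured before and after changing the setting.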