Re: No way to actually segment guest network?

itdx
Aspirant

No way to actually segment guest network?

We have the SRR60 and one SRS60 in AP mode. We have a single subnet and DHCP server at the office location; however, we have VPN connectivity to multiple other subnets. I have configured the guest portal and it works fine. It also does NOT allow access from the guest network to other devices on the same subnet. It DOES, however, allow access to the VPN subnets, which is not desirable. The goal is for the guest to only be able to connect and get out to the internet, not access any local networks. It seems like this product doesn't have that functionality. Can someone please confirm?

If that is true, is there a way to work around this issue? I was thinking we could try to use our firewall to just deny access over the VPN from guest wireless devices; however, since they just get DHCP from our internal server, that seems impossible.

Model: SRK60B03|Orbi Pro Tri-Band Business WiFi System
Message 1 of 5
JohnC_V
NETGEAR Moderator

Re: No way to actually segment guest network?

@itdx,

Welcome to our community!

The guest network should not communicate with the local network, as it has its own isolation; that is why it is only for guests.

Do you mean you can ping the guest network if you are connected to the VPN? Is that correct? Or are you using the guest network and can connect to other subnets using a VPN?

Regards,

John

NETGEAR Community Team

Message 2 of 5
itdx
Aspirant

Re: No way to actually segment guest network?

@JohnC_V  From the guest network I can't connect to a local subnet but I can ping over site-to-site VPNs. So basically it seems to work for a local LAN but not a VPN network.

Message 3 of 5
schumaku
Guru

Re: No way to actually segment guest network?


@itdx wrote:

@JohnC_V  From the guest network I can't connect to a local subnet ... . So basically it seems to work for a local LAN ...


That's what it is designed and made for.

@itdx wrote:

@JohnC_V  ... but I can ping over site-to-site VPNs. ... but not a VPN network.


For the Orbi Pro these are just other IP subnets reachable "out there", like Internet or any other access. The Orbi Pro can't know what are other local or remote subnets (VPN or not is irrelevant). You would need to configure any kind of IP filters prohibiting the (dynamically changing) guest IP addresses to restrict or block the access to these subnets.

The classic Orbi Pro is not made for this purpose - it's intended as a throw-in solution to work with the use case Netgear had in mind.

If you need proper segregation of the different SSIDs you need a network and an access point able to segregate traffic by implementing real VLANs, e.g. the Orbi Pro WiFi 6, Smart Managed Plus or better Pro switches, Netgear WAP5xx/WAX6xx, a VLAN aware router, ...

Message 4 of 5
itdx
Aspirant

Re: No way to actually segment guest network?

Yeah, I figured it wouldn't do this and I would need to do some kind of VLAN/segmentation to get it so it can't see the VPN subnets.

Message 5 of 5
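An added example, not part of any post in this thread: a small Python check of why a firewall cannot filter guests that lease addresses from the internal DHCP range, and which first-match rules become possible once guests sit in their own subnet or VLAN. The function names and all addresses are constructed for illustration.

```python
import ipaddress

def plan_guest_filter(guest_net, lan_net, vpn_nets):
    """Return (True, rules) if guests can be filtered by source address,
    or (False, overlapping_networks) if they cannot."""
    guest = ipaddress.ip_network(guest_net)
    protected = [ipaddress.ip_network(n) for n in [lan_net, *vpn_nets]]
    # Guests leased from the internal DHCP range share source addresses with
    # staff devices, so no source-based rule can single them out.
    overlaps = [str(n) for n in protected if guest.overlaps(n)]
    if overlaps:
        return False, overlaps
    # First match wins: deny every protected subnet, then allow the rest.
    rules = [("deny", str(guest), str(n)) for n in protected]
    rules.append(("allow", str(guest), "0.0.0.0/0"))
    return True, rules

def evaluate(rules, src, dst):
    """Return the action of the first rule matching src and dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_src, rule_dst in rules:
        if s in ipaddress.ip_network(rule_src) and d in ipaddress.ip_network(rule_dst):
            return action
    return "no-match"  # traffic not sourced from the guest subnet

# Constructed sample addressing (assumption, not from the thread).
LAN = "192.168.1.0/24"
VPN_SUBNETS = ["10.20.0.0/16", "10.30.0.0/16"]

if __name__ == "__main__":
    # Guests on the office subnet: filtering by source is not possible.
    print(plan_guest_filter("192.168.1.0/24", LAN, VPN_SUBNETS))
    # Guests on a dedicated subnet: VPN and LAN denied, internet allowed.
    ok, rules = plan_guest_filter("192.168.50.0/24", LAN, VPN_SUBNETS)
    for dst in ("10.20.4.7", "192.168.1.10", "203.0.113.9"):
        print(dst, evaluate(rules, "192.168.50.23", dst))
```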