Re: Orbi Wifi Pro mini appearing as device in VLAN

lostgear · ‎2023-03-07

I am using the SXK30 as an AP and created 2 VLANS (i.e. home (VLAN ID1), guests (VLAN ID 20)).

It is working well, however, when I check my router the SXR30 (the main unit) appears under the devices connected to both VLANs. So in VLAN 1 it appears under an IP under VLAN 1 and in VLAN 20 it also appears as a device with IP under VLAN 20.

What could be happening here or how do I fix it? Shouldn't the AP not appear in each VLAN since its not part of the VLANs?

NiveditaP · ‎2023-04-03

Hello @lostgear

And welcome to the NETGEAR Community! 🙂

Is this your topology?ISP -> SXK30 (main router ; vlan 1 and vla20 ) -> SXK30(AP)

Now SXK30 AP appearing in both VLAN1 and VLAN20 connected client list?

If so what is the SXK30 master port configuration : trunk/access and VLAN configured on port to which SXK30 AP is connected?

Have a lovely day,
Nivedita Pa
Netgear Team

lostgear · ‎2023-04-03

Hi,

Thanks for the reply. It is in AP mode.

ISP-Router-Swtich Port 1------SXR30 Port 1 (LAN)

Switch Port 2 - SXS30 Port 1 (LAN)

Animal7857 · ‎2023-04-03

I find my SXK50 does this as well. In fact it uses one of the VLAN's as it's default route.

I believe it is an artifact of the connected devices display. If the SXR did not have an IP address it would not be able to map the devices connected to the VLAN's. It also uses the DHCP info on the VLAN's to determine the subnet masks.

Unfortunately that also means the management GUI and ability to route through the SXR in order to escape VLAN confinement are both available to devices on the more restricted VLAN's.

Selecting "Network Isolation" in the vlan setup plugs most of the holes but unfortunately the ebtables "GUEST" chain is part of both "INPUT" (routed) and "FORWARD" (bridged) chains. That big hammer precludes more sophisticated firewall rules in your main router such as one-way access to printers or IOT devices not possible with stateless ebtables rules.

I would like an option that left FORWARD alone but dropped all traffic other than existing exceptions and vlan 1 from INPUT.

lostgear · ‎2023-04-03

Glad to know I am not alone. Should I still turn on network isolation between even if my switch and/or router is already separating them? setup is SXR30 (VLANS 1,2) in AP mode, connected to Switch connected to Router.

Animal7857 · ‎2023-04-04

I would say if you can then you should isolate vlan 2 if only to disable the GUI access.

Personally I can not because I allow limited routing between VLAN's -- DVR and printers for instance can be accessed from any vlan. One-way access can not be granted with the stateless ebtables firewall -- either the requests or reply's end up blocked.

The issue without isolation is that if a malicious user changes their default route to the SXR IP then they can vlan hop to any subnet that has a valid return route. Likely the traffic never even hits the router so it is tricky to block.