RBR750 (AX4200)

Question

I am converting my network to pfSense. I plan to have 3 networks - the main LAN, an IoT vlan, and a Guest vlan. I was able to set up those vlans in Orbi. However, I do not want to use Orbi as the router, I want the router (DHCP) to be handled by pfSense. It seems that if I switch Orbi to AP mode, then the vlans are still available to connect to, but the information about which LAN the device belongs to is not being passed to pfSense. Is there another way to set this up? If not, then I assume I need a vlan aware managed switch between Orbi and pfSense? If so, is there an inexpensive Netgear switch that you would recommend?

Thanks for the help.

CrimpOn · Answer

The Orbi 750 router has no knowledge of VLAN - none. All packets coming from the Orbi to the pfSense will be "untagged".&nbsp; It does not matter what 'mode' the Orbi is in. ('router' vs 'access point')&nbsp; The only difference between 'router' and 'access point' is that 'access point' disabled the Network Address Translation which would hide every device behind the Orbi WAN IP address.
&nbsp;
Devices connected to the system in three ways appear in the same IP subnet:

Any device 'wired' to the router or any satellite
Any device connected to the primary WiFi network
Any device connected to the IoT WiFi network

Devices connected to the Guest WiFi network are assigned IP addresses in a different IP subnet.

AE8U · Answer

So then, the second part of the question is what do I need to accomplish my goal? The Orbi is my only WiFi access device. And I want the pfSense to segregate the devices. So what do I need to do? If I place a managed switch between Orbi and pfSense, can I get there?

CrimpOn · Answer

This may be a topic best raised on a pfSense user forum.
&nbsp;
When operating as a 'router', Orbi AX systems block devices on the guest WiFi from communicating (a) with each other, and (b) with the primary network (wired and WiFi).&nbsp; They connect only to the internet.&nbsp; (Personally, I preferred the original Orbi system which allowed the user to choose whether 'guests' could communicate with each other and with the primary network ... or not.&nbsp; I thought of "Guest WiFi" in terms of (a) temporary, (b) could be changed to a different SSID/password without affecting any 'permanent' devices, and (c) could be disabled at any time without affecting permanent devices.&nbsp; I would find it really irritating to have guests over and say, "oh, no.&nbsp; YOU can't print because you are on the Guest WiFi." So, I would let them communicate and change the password after they left.&nbsp; But.... Netgear went with what they thought appealed most to customers. ..... or what some programmer decided at the time.)
&nbsp;
I would have to get out an RBR750 and set it up again, but my memory is that even in AP mode, the Orbi assigns guest WiFi devices to a different IP subnet.&nbsp; Once traffic leaves the Orbi WAN port, it would take an experiment to see what they can communicate with.&nbsp; IoT... no chance.
&nbsp;
&nbsp;

CrimpOn · Answer

Did an experiment with an RBR750, configured with a Guest WiFi network.&nbsp; This router is connected to my primary network (also an Orbi) and because the primary network defined 192.168.1.x for the LAN subnet, this RBR750 switch to use 10.0.0.x for its own LAN subnet.
&nbsp;

When a device connected to the Guest WiFi network, it was assigned an IP address of 10.0.1.x, i.t. a different IP subnet.&nbsp; This device was not able to communicate with anything on the primary network.
Switched the RBR750 to Access Point (AP) mode.&nbsp; When this happened, every device on the primary network of the RBR750 was assigned an IP by the base router in the 192.168.1.x LAN subnet. This is what we expect to happen with AP mode.&nbsp; However, a device connected to the RBR750 Guest WiFi remained in the 10.0.1.x subnet.&nbsp; It could not communicate with any devices on the primary network. Not devices connected to the RBR750, but also not devices connected to the base network.

My conclusion remains the same:

When an Orbi AX system in AP mode is connected to a network (router, firewall, whatever) devices on the primary and IoT network will receive IP assignments from the network DHCP server.&nbsp; Devices connected to the Guest WiFi network will be assigned IPs in a different LAN subnet and will be segregated from the primary network.
Thus, keeping Guest WiFi devices segregated is "no problem".&nbsp; Separating devices on the primary network from devices on the IoT network cannot be done with the Orbi AX product.&nbsp; The pfSense firewall might be able to accomplish something in terms of using the DHCP server to assign IPs based on MAC address:

Devices in the primary network could be assigned IPs in one IP subnet, for example 192.168.1.x, with subnet mask 255.255.255.0 and devices in the IoT network could be assigned IP's in 192.168.2.x, with subnet mask 255.255.255.0
If a device attempts to 'scan' its IP subnet, it will find only devices in that group of devices.
It might be possible to create rules in pfSense to prevent devices in one subnet from communicating with devices in the other subnet.

The "bottom line" (to me) remains that this is a topic for pfSense experts.
&nbsp;

AE8U · Answer

Here is what I am confused about. When I select Enable VLAN/Bridge Setup and then By VLAN Tag Group (see image below) in the Advanced/Advanced tab. what does that mean? If I assign the Guest WiFi to VLAN 10 and to Port 1, what does that mean? Does it mean that it is segregating the data packets going from the WiFi connection logged in to the Guest network to port 1 of the Orbi? Since the Orbi has 3 network ports (other than WAN), and the VLAN has 3 ports to be assigned, it seems like that is what it is saying. So if I inserted a managed switch between the Orbi and the upstream router (pfSense) and I connect port 1 of the Orbi to port 1 of the managed router, would Orbi only transmit its data packets coming from the Guest network through port 1 of the Orbi and thus also through port 1 of the switch? If that is correct, then I should be able to add the tagging at the switch, if it isn't already tagged.&nbsp;Additionally, the latest manual which I can download from the Netgear site specifically calls this a VLAN Tag Group as well. That indicates to me that Orbi is tagging the container for the data packets.&nbsp;So I am still confused what is happening when I set this up.&nbsp;Thanks for all your help with this.Mike

Forum Discussion

RBR750 (AX4200)

6 Replies