AE8U
Nov 21, 2024 Aspirant
RBR750 (AX4200)
I am converting my network to pfSense. I plan to have 3 networks - the main LAN, an IoT vlan, and a Guest vlan. I was able to set up those vlans in Orbi. However, I do not want to use Orbi as the rou...
CrimpOn
Nov 21, 2024 Guru - Experienced User
Did an experiment with an RBR750, configured with a Guest WiFi network. This router is connected to my primary network (also an Orbi) and because the primary network defined 192.168.1.x for the LAN subnet, this RBR750 switched to use 10.0.0.x for its own LAN subnet.
- When a device connected to the Guest WiFi network, it was assigned an IP address of 10.0.1.x, i.e. a different IP subnet. This device was not able to communicate with anything on the primary network.
- Switched the RBR750 to Access Point (AP) mode. When this happened, every device on the primary network of the RBR750 was assigned an IP by the base router in the 192.168.1.x LAN subnet. This is what we expect to happen with AP mode. However, a device connected to the RBR750 Guest WiFi remained in the 10.0.1.x subnet. It could not communicate with any devices on the primary network. Not devices connected to the RBR750, but also not devices connected to the base network.
My conclusion remains the same:
- When an Orbi AX system in AP mode is connected to a network (router, firewall, whatever) devices on the primary and IoT network will receive IP assignments from the network DHCP server. Devices connected to the Guest WiFi network will be assigned IPs in a different LAN subnet and will be segregated from the primary network.
- Thus, keeping Guest WiFi devices segregated is "no problem". Separating devices on the primary network from devices on the IoT network cannot be done with the Orbi AX product. The pfSense firewall might be able to accomplish something in terms of using the DHCP server to assign IPs based on MAC address:
- Devices in the primary network could be assigned IPs in one IP subnet, for example 192.168.1.x, with subnet mask 255.255.255.0 and devices in the IoT network could be assigned IPs in 192.168.2.x, with subnet mask 255.255.255.0.
- If a device attempts to 'scan' its IP subnet, it will find only devices in that group of devices.
- It might be possible to create rules in pfSense to prevent devices in one subnet from communicating with devices in the other subnet.
The "bottom line" (to me) remains that this is a topic for pfSense experts.
AE8U
Nov 22, 2024 Aspirant
Here is what I am confused about. When I select Enable VLAN/Bridge Setup and then By VLAN Tag Group (see image below) in the Advanced/Advanced tab, what does that mean? If I assign the Guest WiFi to VLAN 10 and to Port 1, what does that mean? Does it mean that it is segregating the data packets going from the WiFi connection logged in to the Guest network to port 1 of the Orbi? Since the Orbi has 3 network ports (other than WAN), and the VLAN has 3 ports to be assigned, it seems like that is what it is saying. So if I inserted a managed switch between the Orbi and the upstream router (pfSense) and I connect port 1 of the Orbi to port 1 of the managed router, would Orbi only transmit its data packets coming from the Guest network through port 1 of the Orbi and thus also through port 1 of the switch? If that is correct, then I should be able to add the tagging at the switch, if it isn't already tagged.
Additionally, the latest manual which I can download from the Netgear site specifically calls this a VLAN Tag Group as well. That indicates to me that Orbi is tagging the container for the data packets.
So I am still confused what is happening when I set this up.
Thanks for all your help with this.
Mike
- CrimpOn, Nov 22, 2024, Guru - Experienced User
AE8U wrote:
Here is what I am confused about. When I select Enable VLAN/Bridge Setup and then By VLAN Tag Group (see image below) in the Advanced/Advanced tab, what does that mean?
The key is to click on the little "Help" arrow at the bottom of the screen. It says essentially what the User Manual says on page 74:
This has absolutely nothing to do with creating VLANs on the internal network. It is a means to support IP televisions for specific Internet Service Providers. If the ISP says, "To enable IPTV, the customer must enable VLAN xxx" then that is the only way to get IPTV to work.