NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Where is traffic separation for the Guest network?
Set up the AX 6000 to replace a 4 unit Orbi Pro system with only minor hiccups. One of the main reasons I used the pro was the ability, VS the regular orbi at the time, to separate the three networks....
Bandito wrote:
Thanks for the explanation. It sounds to me like changing the subnet for the guest network might address your issue. The instructions for doing so are in post no. 7, here:
This should prevent the DLNA packets from being seen on the guest network. It's worth a shot if you want to try it.
Why do you think changing the Guest wireless subnet from the default 192.168.2.0 to something else would address the OPs issue?
Changing the subnet is not going to have any impact on the filtering between the LAN and Guest subnets.
I see no reason why if the DLNA packets aren't being filtered with the default settings changing the subnet to something different is going to cause them to be filtered.
I think the OP needs to ensure that if their Orbis are physically connected that they are not connected through a switch. If that's not the issue then I'm wondering if the new generation of Orbis has the same lack of basic isolation as previous generations but if that's the case then my testing was not thorough enough.
Having separate subnets should separate the traffic and only allow access to the WAN from each subnet. For example if the main traffic was on 192.168.0.1 and the the guest traffic was on 192.168.0.2 with a mask of 255.255.255.254, that should prevent any traffic from crossing between the two subnets. They would go to the WAN for any address not in their particular subnet.
- Unfortunately that isn’t actually how LANs work. Regardless this generation requires the guest network be a different subnet from the LAN network so there is no need to change it as you recommended above. The other major flaw in attempting to use just subnets to isolate a network when one is less secure than the other is you can simply statically set your IP to the other subnet and now your guest device is on the other network.
I’d recommend you research the OSI model. What you will find is that subnets are part of layer 3 and TCP/IP but there are other protocols that don’t use TCP/IP and thus don’t use subnets so if you are like Netgear in previous generations of Orbi and attempt to isolate two different networks using IP address based firewalls you will leave open all of the traffic that doesn’t require TCP/IP. This problem is why VLANs were created, to isolate networks at layer 2 when they aren’t isolated at layer 1.
I don’t know that this is actually happening but if Netgear is going to make products with basic security they need to be tagging traffic with which VLAN it is from before sending it between Orbis and then handle the proper isolation based on the VLAN tags to ensure guest packets don’t end up on the main LAN and main LAN packets don’t end up on the guest network.