CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

100% agree.  Security is *NOT* a business perk.  It's a market requirement, period, and if you don't grasp that, your competitors do.

---

@BIG9MM wrote:
I posted it a while back that I was dissatisfied about guest network able to access the local network but I just want to clarify with this new patch, Orbi firmware update v2.1.4.16 does it fix the issue now? ...

---

I updated to FW 2.1.4.16 today by clicking on the update message on the RBR50 main Web GUI page and then electing to install all automatically. It proceded and completed. The sattelite took a few extra minutes to complete, but it eventually sinced up with no manual intervention.

It seems to be working more-or-less as well as it was prior to the fw upgrade:

1) The Prosafe Plus utility will no longer brieach the guest network wall to let me reconfigure switches (note: Also upgraded to 2.7.2)..

2) My IP scanner tool still shows devices on the main network -- both IP and MAC addresses)

3) A number of devices are missing from the connected devices displays where they used to appear. Sattelite shows 1 device (> zero). I would exoect to see the remaining devices split between the 2 ORBIs.

Hello,

I've just updated to v2.1.4.16 firmware on my home Orbi system. I've been recommended by cyber security professionals that I isolate smart devices in my home on their own separate network. The responses here seem to indicate that Orbi is not taking this seriously for non-pro users - can anyone confirm if they have made the necessary changes to ensure our security in this latest firmware?

Thank you.

You just installed the latest version.  Can't you confirm for us?

OK - I am hoping for some (possible) help here... I am very concerned about this.  I have around a dozen or so small mortgage offices (only a couple of users at each), where I have the Orbi RBR50 plus satellite installed.  in all cases, the networks are IPV4 only, and IPV6 is disabled.  All of the units have the absolute latest firmware to-date (2.1.4.16).  At each location, I have the private network on subnet 192.168.0.X, and on the Orbi, the network is in ROUTER MODE on subnet 10.0.0.X.  I have discovered that, even with the option DISABLED in the guest network settings, that ANYONE who connects to the guest network can easily and readily access ANY of my servers/resources on the 192.168.0.X subnet!  I was pretty shocked.  I managed to connect to the guest network, and easily not only PING one of the servers, but was able to RDP onto the server, as well as access the shared data volume.

This is completely unacceptable - and this is at all 12 locations.  Again - with only 2 or 3 people on-site, I saw no reason to go beyond the RBR50 + Satellite units for these tiny offices.  And I assumed that correctly having the guest network set-up would keep access to the wired 192.168.0.X network secure.  Again - IPV4 ONLY, in ROUTER mode.  Is there a fix here?  I am already running firmware 2.1.4.16.   The thought of having to replace all of these, because of a glitch with Netgear, is ridiculous.  I loved these so much, that I also bought this for my own home, and for friends' homes.  One note - I was promised over the phone when speaking to Netgear for general product info, that the guest network would be isolated!  Ugh..... now what?

If anyone has any ideas or advice, it would be so very much appreciated... more than you know.  Thank you very much in advance for any help you can give...

I see there was mention of this issue being resolved in the PRO version. Not sure if this has populated to the Home version. I presume you are using the PRO version? Or Home? It's not recommended to use Home products in a business setting. Things test to lead to products not working as well for the Business environment. Business envrionments need more than Home class products for safter and secure operations. You may need to look into better business solutions for your needs if your using a Home class system. If your concerned about this, you'll need to disable the Guest Network feature on your systems.

---

@Mister-Mike wrote:

OK - I am hoping for some (possible) help here... I am very concerned about this.  I have around a dozen or so small mortgage offices (only a couple of users at each), where I have the Orbi RBR50 plus satellite installed.  in all cases, the networks are IPV4 only, and IPV6 is disabled.  All of the units have the absolute latest firmware to-date (2.1.4.16).  At each location, I have the private network on subnet 192.168.0.X, and on the Orbi, the network is in ROUTER MODE on subnet 10.0.0.X.  I have discovered that, even with the option DISABLED in the guest network settings, that ANYONE who connects to the guest network can easily and readily access ANY of my servers/resources on the 192.168.0.X subnet!  I was pretty shocked.  I managed to connect to the guest network, and easily not only PING one of the servers, but was able to RDP onto the server, as well as access the shared data volume.

 

This is completely unacceptable - and this is at all 12 locations.  Again - with only 2 or 3 people on-site, I saw no reason to go beyond the RBR50 + Satellite units for these tiny offices.  And I assumed that correctly having the guest network set-up would keep access to the wired 192.168.0.X network secure.  Again - IPV4 ONLY, in ROUTER mode.  Is there a fix here?  I am already running firmware 2.1.4.16.   The thought of having to replace all of these, because of a glitch with Netgear, is ridiculous.  I loved these so much, that I also bought this for my own home, and for friends' homes.  One note - I was promised over the phone when speaking to Netgear for general product info, that the guest network would be isolated!  Ugh..... now what?

 

If anyone has any ideas or advice, it would be so very much appreciated... more than you know.  Thank you very much in advance for any help you can give...

---

Hello!  Well, I wish I was advised to buy the Pro.  The offices are small, only a couple of users each.... and I was ready to purchase whatever was recommended.  No one mentioned a Pro system.  So now I will need to look into upgrading... however I can't believe there isn't an answer to this.  Because - regardless, this is also completely unacceptable in ANY home environment.  An isolated guest network is just that - an isolated guest network, whether in a home or wherever.   I am not opposed to buying Pro versions, but I need some type of stopgap/workaround in the meantime if possible...

I would disable the Guest Network. If you just got the Orbis, you should check into returning them after looking into the PRO version...

Something to ask NG about and see.

@BretD

@ChristineT

@Christian_R

---

@Mister-Mike wrote:

Hello!  Well, I wish I was advised to buy the Pro.  The offices are small, only a couple of users each.... and I was ready to purchase whatever was recommended.  No one mentioned a Pro system.  So now I will need to look into upgrading... however I can't believe there isn't an answer to this.  Because - regardless, this is also completely unacceptable in ANY home environment.  An isolated guest network is just that - an isolated guest network, whether in a home or wherever.   I am not opposed to buying Pro versions, but I need some type of stopgap/workaround in the meantime if possible...

---

I would love to test this Jeremy - who should I contact?  Their regular support department?

https://community.netgear.com/t5/Orbi/Looking-for-a-select-group-of-Orbi-Community-members-that-are/...

---

@Mister-Mike wrote:

I would love to test this Jeremy - who should I contact?  Their regular support department?

---

I would send a PM to @ChristineT, @DarrenM and @Christian_R for more immediate responce.

---

@Mister-Mike wrote:

I would love to test this Jeremy - who should I contact?  Their regular support department?

---

Good morning @Mister-Mike,

Please check your private messages for a link to the Beta Community. Please provide your feedback within the Beta Forum so we can ensure your findings are investigated further if needed.

Thanks @Jeremyinsf and @FURRYe38 for the assistance here! 🙂

Best Regards,

Christine 

@Mister-Mike

Please let us know how it goes with the new beta FW.

---

@FURRYe38 wrote:

I would send a PM to @ChristineT, @DarrenM and @Christian_R for more immediate responce.

---

@Mister-Mike wrote:

I would love to test this Jeremy - who should I contact?  Their regular support department?

---

 

---

---

@Mister-Mike wrote:

OK - I am hoping for some (possible) help here... I am very concerned about this.  I have around a dozen or so small mortgage offices (only a couple of users at each), where I have the Orbi RBR50 plus satellite installed.  in all cases, the networks are IPV4 only, and IPV6 is disabled.  All of the units have the absolute latest firmware to-date (2.1.4.16).  At each location, I have the private network on subnet 192.168.0.X, and on the Orbi, the network is in ROUTER MODE on subnet 10.0.0.X.  I have discovered that, even with the option DISABLED in the guest network settings, that ANYONE who connects to the guest network can easily and readily access ANY of my servers/resources on the 192.168.0.X subnet!  I was pretty shocked.  I managed to connect to the guest network, and easily not only PING one of the servers, but was able to RDP onto the server, as well as access the shared data volume.

 

This is completely unacceptable - and this is at all 12 locations.  Again - with only 2 or 3 people on-site, I saw no reason to go beyond the RBR50 + Satellite units for these tiny offices.  And I assumed that correctly having the guest network set-up would keep access to the wired 192.168.0.X network secure.  Again - IPV4 ONLY, in ROUTER mode.  Is there a fix here?  I am already running firmware 2.1.4.16.   The thought of having to replace all of these, because of a glitch with Netgear, is ridiculous.  I loved these so much, that I also bought this for my own home, and for friends' homes.  One note - I was promised over the phone when speaking to Netgear for general product info, that the guest network would be isolated!  Ugh..... now what?

 

If anyone has any ideas or advice, it would be so very much appreciated... more than you know.  Thank you very much in advance for any help you can give...

---

If I understand what you wrote correctly, you have Orbi in Router mode behind another router, with the 192.168.0.x subnet on the WAN side of Orbi.

If so, the behavior you report is not a glitch with NETGEAR.  The behavior is as expected, and is due to the way you have Orbi setup.

Guest isolation pretains only to the LAN side of Orbi and does not affect traffic heading to the WAN side of Orbi. The PRO would behave no differently. Also, Orbi's guest isolation only pertains to wireless clients, not wired machines.

If you want to maintain two separate networks, then you need a router that supports multiple subnets and IP-based firewall rules to control traffic between subnets. If your current router doesn't support this, you could buy a cheap router that does and run the Orbi in Access Point mode behind that.

Thank you for that insight/explanation...

So, if I am understanding you correctly... then the following scenario WOULD work, or?   As follows:

- A cable modem coming into the building, in Bridge Mode / Pass-Thru mode.

- The modem connected to the WAN port of the ORBI (yellow "Internet" port)

- a small gigabit switch connected to one of the ports in the back of the ORBI (1 thru 4 - any port)

- the switch, connecting to several PC's in the home via Cat5e/Cat6 Ethernet

- The ORBI in ROUTER mode, provided all IP assignments / DHCP assignments

- Then, create a GUEST network in the wireless settings.

In this scenario, with only the ORBI providing all routing, and the only thing behind the ORBI is a cable modem in Bridge Mode, providing zero routing... then anything on the LAN wired through a small switch, then connected to one of the ports on the back of the ORBI.  In this scenario, would the guest network be able to "see/interact with" the wired devices?

If this is the case, I can easily implement this type of setup (these are VERY small places - just a couple users, one single room etc.).

Thank you again for the clarification!

Yes that would work. Make sure your switch is a NON managed switch. Orbi doesn't seem to like Managed switches.

Your isolation requirements aren't clear to me. But, yes, in the scenario you described, any wireless client connecting to the Orbi's guest SSID would be blocked from interacting with the rest of the Orbi LAN--both wired clients and wireless clients connected to the Orbi non-guest SSID. This assumes guest isolation is enabled on Orbi (and working as designed.)

I am running fw 2.1.4.16 on an RBR50 in AP mode. When I run an IP scanner from a Windows 7 computer on the guest wireless network, it "sees" most (all?) devices on the wired LAN side of the RBR50. I have not been able to connect to them the way I could with previous versions of the fw, but I can detect their presence, their IP addresses, and their MAC addresses. I have not done an exhaustive connection test I don't know enough to devise an exhaustive test.

Is your Orbi router running in router mode and the only router on the line when you test this?

I would ask for the Beta FW from NG and see if this resolves what your seeing.

https://community.netgear.com/t5/Orbi/Looking-for-a-select-group-of-Orbi-Community-members-that-are/...

---

@JoeM845 wrote:

I am running fw 2.1.4.16 on an RBR50 in AP mode. When I run an IP scanner from a Windows 7 computer on the guest wireless network, it "sees" most (all?) devices on the wired LAN side of the RBR50. I have not been able to connect to them the way I could with previous versions of the fw, but I can detect their presence, their IP addresses, and their MAC addresses. I have not done an exhaustive connection test I don't know enough to devise an exhaustive test.

 

 

---

As of 11/25/18 - the problem still exists.  Although I'm in AP mode - realizing that it's not actually separating the two networks is enough for me to return this device.

---

@johngm wrote:

 

While you might disagree with our attempt to target this particular customer segment, which you are clearly not a member of, I wanted to make sure you understood who we are targeting the product at and why we made the design tradeoffs which we did.

---

Well, dear John,

• Users continue to disagree with the tradeoffs since our agreement to disagree - being on Orbi (yet another customer returning an Orbi product as posted these hours), and
• Orbi and Orbi Pro users have massive problems when combining wired and wireless backhaul (something that must simply work transparent and automatic), and last
• we find that Netgear has pushed the similar tradeoffs to the Insight business router (BR500) where the specs clearly don't match the implementation: Claiming to support 256 VLAN but in reality there are just four, where all must be untagged LANs, and just one VLAN per port, so with four LAN ports it is just supporting for VLAN with four subnets and dedicated DHCP only - ways off the specs, ways off the capabilities of the Insight switches and wireless access points.

I'm still convinced things could be done properly by using industry standard technology with tagged VLANs on designated ports. It's all about proper documentation and communication. For the Insight routers this is undoubted a must, for the Orbi Pro a proper solution was promised, while Orbi customers are left behind. Every industry standard Linux router with iptables plus some support software is ways ahead. And afraid, the L2 routing technology in place has massive performance problems in combination with QoS and connection logging - that's why we have to guide your customers to disable useful features when they have high speed Internet connections in place (like 1G or 10G which are industry standard in more and more markets), otherwise the router performance is badly impacted. You can find this not only in Orbi or Orbi Pro, but much more prominent on the Nighthawk routers, too.

And all this is not helpful for promoting the Netgear brand products.