Need some input on this one before I put this into action:
I have two SSIDs running on Orbi router say "Home" and "Guest" and I deselected the option that allows machines on "Guest" to see each other. Thereafter I put the Orbi router in AP mode and plugged it into one of the ports of PfSense which is running two VLANs:
VLAN10: Home (only static assignment in subnet 192.168.10.x)
VLAN20: Guest (runs its DHCP subnet 192.168.20.x)
If there are no firewall rules that allow these subnets to talk to each other than is it possible to isolate "Guest" network from "Home" network?
Orbi has no VLAN capability. In AP mode, every device that connects will send a DHCP broadcast that the Orbi will send "out the WAN port" looking for a DHCP server. There will be nothing to distinguish which SSID the DHCP request came from. And thus no way for the PfSense to know which IP subnet to assign.
The ability the Orbi has to prevent devices on the Guest SSID from reaching other devices is limited to the Orbi. It is not based on IP subnet, as the Orbi has only a single DHCP pool of IP addresses. (On the newer AX products, I have a vague impression that the Guest SSID actually does have a separate IP subnet - which makes more sense.)
Is the concern that the Orbi Guest isolation mechanism may not function correctly?
The ability the Orbi has to prevent devices on the Guest SSID from reaching other devices is limited to the Orbi. It is not based on IP subnet, as the Orbi has only a single DHCP pool of IP addresses.
So, with the Orbi in AP mode, when there are devices connected to the Orbi (its ethernet ports or WiFi) and devices connected to some other router.
The devices connected to the Orbi's guest network will "not see" other devices connected to the Orbi, but will have access to devices (PC's NAS's) connected directly to the router?
So, with the Orbi in AP mode, when there are devices connected to the Orbi (its ethernet ports or WiFi) and devices connected to some other router.
The devices connected to the Orbi's guest network will "not see" other devices connected to the Orbi, but will have access to devices (PC's NAS's) connected directly to the router?
That is one concern. I am not confident that there is any mechanism within the Orbi to limit what Guest devices can do once their packets leave the Orbi. The other concern remains, i.e. that Orbi has no capability regarding VLAN. Every packet from the Orbi will come from the same IP subnet with no VLAN tag, and no way to distinguish one from another.
