Where is traffic separation for the Guest network?

Set up the AX 6000 to replace a 4 unit Orbi Pro system with only minor hiccups. One of the main reasons I used the Pro was the ability, vs. the regular Orbi at the time, to separate the three networks. My Tesla could not connect on the regular Orbi system despite 9 months of troubleshooting. Before buying the AX, I confirmed in the manual that you could separate the guest and main networks, but after installation and update to the latest firmware (3.2.8), there is no option to separate. Not in the Guest Network section nor anywhere else. Everything else is great. 2 units have faster speeds and way better coverage than the 4. But I need the traffic separation to keep the Tesla connected. Any thoughts?
Message 1 of 17
Bandito
Luminary

Re: Where is traffic separation for the Guest network?

I'm not sure I can be any help, but would like to understand your problem a bit better anyway.

 

When you say your Tesla, do you mean an automobile or do you have one of their power systems?

 

Next, what do you mean by traffic separation? Are you connecting your Tesla to the guest network? If so, why? It can't be part of your primary network? That seems very odd.

 

If by traffic separation, you mean that it requires a different IP address range from the main network, I read here where someone was able to telnet into the RBR850 and change the guest network address scheme following the instructions for the RBR50, so that might be an option for you.

Message 2 of 17

Re: Where is traffic separation for the Guest network?

It IS strange. Netgear has never been able to get this fixed, and Tesla (on the car side) has no clue, but the prevailing theory online is that Tesla's circa 2015 wifi chip doesn't play nice with DLNA devices on the same network. And I have many, and so you would think the Guest network would be a solution. But in the normal Orbi setup, despite the different logins, network traffic on the main can see the network traffic on the guest and so no go. On the Tesla, you see it briefly connect, and then the whole wifi reboots in an endless connect/reboot cycle. The Orbi Pro solved this dilemma by allowing you to choose whether the employee and guest networks can see the main network, or whether they each get individual access to the internet but not access to the other networks (network isolation), or whether they can all see each other (which would, for example, be helpful in allowing folks on the guest network to access network printers). Prior to the Pro I had to have a separate AP on a subnet. The manual for the AX Orbi says you have the choice whether to allow network isolation in the same way as the Pro, but there is no actual option in the firmware. So I'm re-hosed!

Message 3 of 17
SW_
Prodigy

Re: Where is traffic separation for the Guest network?

I don't have this new model, but it's possible to do what you want with older model RBR50 via Guest Network. By default Guest Network is not allowed to see local network and other clients on the same Guest network. If you put Tesla on Guest with a separate Guest SSID, it should be isolated from the rest.

 

Check out this: How to separate 2.4GHz/5GHz SSIDs for Guest Network 

Message 4 of 17
Z42985
Aspirant

Re: Where is traffic separation for the Guest network?


@Redlightning88 wrote:

 The manual for the AX Orbi says you have the choice whether to allow network isolation in the same way as the pro, but there is no actual option in the firmware.  So I'm re-hosed!


Yeah, they haven't exposed that setting yet, but as best I can see this default configuration is actually keeping them isolated, and it also creates a different subnet. Are you seeing any evidence that traffic is being allowed to pass between the main LAN and the guest LAN?

 

FWIW my Model 3 has always connected fine to my main wifi network.

 

As far as the physical topology of your network: are your Orbis plugged into each other, or do some plug into a switch?

Message 5 of 17
Z42985
Aspirant

Re: Where is traffic separation for the Guest network?


@SW_ wrote:

By default Guest Network is not allowed to see local network and other clients on the same Guest network. If you put Tesla on Guest with a separate Guest SSID, it should be isolated from the rest


You used the word should, and I agree it SHOULD be isolated, but the previous generations of Orbis have what I would consider an absurd security flaw in that they don't actually keep ALL of the packets separated. They also don't even use the different subnets. You'll find some other long threads about this topic.

 

OTOH the new Orbis use a different subnet, which unfortunately is not configurable (yet?), and as far as my basic testing went are actually isolating all traffic between the two networks.

Message 6 of 17
SW_
Prodigy

Re: Where is traffic separation for the Guest network?


@Z42985 wrote:

@SW_ wrote:

By default Guest Network is not allowed to see local network and other clients on the same Guest network. If you put Tesla on Guest with a separate Guest SSID, it should be isolated from the rest


You used the word should, and I agree it SHOULD be isolated, but the previous generations of Orbis have what I would consider an absurd security flaw in that they don't actually keep ALL of the packets separated. They also don't even use the different subnets. You'll find some other long threads about this topic.

 

OTOH the new Orbis use a different subnet, which unfortunately is not configurable (yet?), and as far as my basic testing went are actually isolating all traffic between the two networks.


Yes, subnetting will isolate traffic between each interface to a certain point, but all traffic/packets still share/flow through the same physical backhaul/WAN interface even with subnetting. Subnetting is just another form of access control via routing table. Packets are dropped if they're not routable between subnets.

 

If you want true physical isolation, all different subnets/packets are separated, a single Orbi isn't the right product for that purpose. You'll need at least two separate routers/Orbis, one router/Orbi for each subnet with dual WANs/ISPs. Again, all these packets will travel through the same pipe upstream to be routed to their respective targets. How far down the rabbit hole do you want to take this separation/isolation?

Message 7 of 17
Bandito
Luminary

Re: Where is traffic separation for the Guest network?

@Redlightning88 

 

Thanks for the explanation.  It sounds to me like changing the subnet for the guest network might address your issue.  The instructions for doing so are in post no. 7, here:

 

https://community.netgear.com/t5/Orbi-AX/RBR850-Changing-Guest-LAN-IP-subnet-Guest-Wireless-subnet-T...

 

This should prevent the DLNA packets from being seen on the guest network.  It's worth a shot if you want to try it.

 

Good luck!

Message 8 of 17
Z42985
Aspirant

Re: Where is traffic separation for the Guest network?


@SW_ wrote:

@Z42985 wrote:

@SW_ wrote:

By default Guest Network is not allowed to see local network and other clients on the same Guest network. If you put Tesla on Guest with a separate Guest SSID, it should be isolated from the rest


You used the word should, and I agree it SHOULD be isolated, but the previous generations of Orbis have what I would consider an absurd security flaw in that they don't actually keep ALL of the packets separated. They also don't even use the different subnets. You'll find some other long threads about this topic.

 

OTOH the new Orbis use a different subnet, which unfortunately is not configurable (yet?), and as far as my basic testing went are actually isolating all traffic between the two networks.


Yes, subnetting will isolate traffic between each interface to a certain point, but all traffic/packets still share/flow through the same physical backhaul/WAN interface even with subnetting. Subnetting is just another form of access control via routing table. Packets are dropped if they're not routable between subnets.

 

If you want true physical isolation, all different subnets/packets are separated, a single Orbi isn't the right product for that purpose. You'll need at least two separate routers/Orbis, one router/Orbi for each subnet with dual WANs/ISPs. Again, all these packets will travel through the same pipe upstream to be routed to their respective targets. How far down the rabbit hole do you want to take this separation/isolation?


I'm obviously not referring to the fact that there is only one WAN connection so obviously the packets are going to end up getting comingled.

 

I'm referring to the fact that on previous generation Orbis some types of packets are not being filtered between the LAN and Guest networks. I'm not familiar with the specific issue the OP is having with their Tesla but based on what they've said it would make sense that the reason the previous Orbi generation did not work for them was exactly because of this; the DLNA packets that are tripping up the Tesla were not being isolated between the LAN and Guest networks like a secure product would do.

 

The packets sent and received on the LAN should never also be sent or received on the Guest network. As I said the basic testing I did indicated this was now the case on the AX generation of Orbi.

 

Message 9 of 17
Z42985
Aspirant

Re: Where is traffic separation for the Guest network?


@Bandito wrote:

@Redlightning88 

 

Thanks for the explanation.  It sounds to me like changing the subnet for the guest network might address your issue.  The instructions for doing so are in post no. 7, here:

 

https://community.netgear.com/t5/Orbi-AX/RBR850-Changing-Guest-LAN-IP-subnet-Guest-Wireless-subnet-T...

 

This should prevent the DLNA packets from being seen on the guest network.  It's worth a shot if you want to try it.

 


Why do you think changing the Guest wireless subnet from the default 192.168.2.0 to something else would address the OP's issue?

Changing the subnet is not going to have any impact on the filtering between the LAN and Guest subnets. 


I see no reason why if the DLNA packets aren't being filtered with the default settings changing the subnet to something different is going to cause them to be filtered. 


I think the OP needs to ensure that if their Orbis are physically connected that they are not connected through a switch. If that's not the issue then I'm wondering if the new generation of Orbis has the same lack of basic isolation as previous generations but if that's the case then my testing was not thorough enough. 

 

Message 10 of 17
SW_
Prodigy

Re: Where is traffic separation for the Guest network?


@Redlightning88 wrote:

 

... network traffic on the main can see the network traffic on the guest and so no go.

...

... Orbi Pro solved this dilemma by allowing you to choose whether the employee and guest networks can see the main network, or whether they each get individual access to the internet but not access to the other networks (network isolation), or whether they can all see each other (which would, for example, be helpful in allowing folks on the guest network to access network printers).

...

Older FW versions didn't allow this, but the Orbi Pro solution above was added in a later (Orbi RBR50) FW release. There is an option/check box on the Guest Network page, which is doing what's described above by default.

 

  • [ ] Allow guests to see each other and access my local network

 

Message 11 of 17
Bandito
Luminary

Re: Where is traffic separation for the Guest network?

@Z42985 

 

Having separate subnets should separate the traffic and only allow access to the WAN from each subnet. For example, if the main traffic was on 192.168.0.1 and the guest traffic was on 192.168.0.2 with a mask of 255.255.255.254, that should prevent any traffic from crossing between the two subnets. They would go to the WAN for any address not in their particular subnet.

Message 12 of 17
Z42985
Aspirant

Re: Where is traffic separation for the Guest network?

Unfortunately that isn’t actually how LANs work. Regardless, this generation requires the guest network be a different subnet from the LAN network, so there is no need to change it as you recommended above. The other major flaw in attempting to use just subnets to isolate a network when one is less secure than the other is you can simply statically set your IP to the other subnet and now your guest device is on the other network.

I’d recommend you research the OSI model. What you will find is that subnets are part of layer 3 and TCP/IP but there are other protocols that don’t use TCP/IP and thus don’t use subnets so if you are like Netgear in previous generations of Orbi and attempt to isolate two different networks using IP address based firewalls you will leave open all of the traffic that doesn’t require TCP/IP. This problem is why VLANs were created, to isolate networks at layer 2 when they aren’t isolated at layer 1.

I don’t know that this is actually happening but if Netgear is going to make products with basic security they need to be tagging traffic with which VLAN it is from before sending it between Orbis and then handle the proper isolation based on the VLAN tags to ensure guest packets don’t end up on the main LAN and main LAN packets don’t end up on the guest network.
Message 13 of 17
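
One way to look for the evidence this thread keeps asking about, written as an added example (not code from any poster or from Netgear): classify Ethernet frames captured on the guest side and flag anything sourced from the main LAN, plus non-IP frames that an IP-subnet rule never inspects. The main LAN range 192.168.1.0/24, the helper names and the sample frames are assumptions constructed for illustration; 192.168.2.0 is the guest default quoted above.

```python
import ipaddress
import struct

MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")   # assumption: main LAN range
GUEST_LAN = ipaddress.ip_network("192.168.2.0/24")  # guest default quoted in the thread

def classify(frame: bytes) -> str:
    """Verdict for one Ethernet frame captured on the guest side."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == 0x8100:              # 802.1Q tag present: real type is 4 bytes later
        ethertype = struct.unpack("!H", frame[16:18])[0]
        payload = frame[18:]
    if ethertype == 0x0800:              # IPv4 header: source 12..15, destination 16..19
        src, dst = payload[12:16], payload[16:20]
    elif ethertype == 0x0806:            # ARP: sender IP 14..17, target IP 24..27
        src, dst = payload[14:18], payload[24:28]
    else:                                # no IP header, so a subnet rule has nothing to match
        return f"review: non-IP ethertype 0x{ethertype:04x}"
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in MAIN_LAN:
        kind = "multicast" if dst.is_multicast else "unicast/broadcast"
        return f"leak: {kind} from main LAN {src} -> {dst}"
    return "ok" if src in GUEST_LAN else f"review: unexpected source {src}"

def audit(frames):
    """Verdicts for the frames that need attention (everything that is not 'ok')."""
    return [v for v in map(classify, frames) if v != "ok"]

# Constructed sample frames (hypothetical helpers, not captured from a real device).
def _eth(dst_mac, src_mac, ethertype, payload):
    return bytes.fromhex(dst_mac + src_mac) + struct.pack("!H", ethertype) + payload
def _ipv4(src, dst):                     # minimal 20-byte header, UDP, no options
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 1, 17, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
def _arp(sender, target):                # ARP request with zeroed hardware addresses
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, bytes(6),
                       ipaddress.ip_address(sender).packed, bytes(6),
                       ipaddress.ip_address(target).packed)

SAMPLE = [
    _eth("01005e7ffffa", "020000000001", 0x0800, _ipv4("192.168.1.50", "239.255.255.250")),  # main-LAN multicast (SSDP group)
    _eth("ffffffffffff", "020000000002", 0x0806, _arp("192.168.2.20", "192.168.2.1")),       # guest ARP, expected
    _eth("0180c200000e", "020000000003", 0x88CC, bytes(4)),                                  # non-IP frame
    _eth("ffffffffffff", "020000000004", 0x0806, _arp("192.168.1.77", "192.168.1.1")),       # main-LAN ARP on guest side
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An empty result from `audit` over a long capture taken while main-LAN media devices are active is the outcome a properly isolated guest network should produce.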

Re: Where is traffic separation for the Guest network?

Yes, the Orbi can do that now via firmware update long after I had to switch to the pro. 


@SW_ wrote:

I don't have this new model, but it's possible to do what you want with older model RBR50 via Guest Network. By default Guest Network is not allowed to see local network and other clients on the same Guest network. If you put Tesla on Guest with a separate Guest SSID, it should be isolated from the rest.

 

Check out this: How to separate 2.4GHz/5GHz SSIDs for Guest Network 


 

Message 14 of 17

Re: Where is traffic separation for the Guest network?


Great if that is the case. My Tesla connects on the new network without the reboot cycles but won't download anything, so I was surmising it was a network bleed issue.
@Z42985 wrote:

@SW_ wrote:

By default Guest Network is not allowed to see local network and other clients on the same Guest network. If you put Tesla on Guest with a separate Guest SSID, it should be isolated from the rest


You used the word should, and I agree it SHOULD be isolated, but the previous generations of Orbis have what I would consider an absurd security flaw in that they don't actually keep ALL of the packets separated. They also don't even use the different subnets. You'll find some other long threads about this topic.

 

OTOH the new Orbis use a different subnet, which unfortunately is not configurable (yet?), and as far as my basic testing went are actually isolating all traffic between the two networks.


 

Message 15 of 17

Re: Where is traffic separation for the Guest network?

Correct. It wasn't a complete wall in the way that the Pro allowed. Can't speak to the mechanics, but I went from 9 months of misery to a complete fix the day I installed the Pro and switched on traffic isolation. Note that I tried it without isolation on the Pro and it worked the same as the regular Orbi (i.e., it didn't).

Message 16 of 17

Re: Where is traffic separation for the Guest network?

There is a switch between the Orbis but that doesn't influence how the Pro behaves in terms of separating the three networks (at least in any way that affects the ability of the Tesla to connect).

Message 17 of 17