anschmid
Apprentice

CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

I was just playing around with the Guest Network in Orbi and made a rather disturbing discovery that guest clients don't seem to be totally separated from the main network and in fact can access many resources on the main network.

My setup is a normal wireless setup and I have also created a Guest Network. Note under Advanced -> Guest Network I have DISABLED "Allow guest to see each other and access my local network". This would indicate to me that the Guest Network would be isolated from the main network.

However I noticed when I connect to the Guest Network I get an IP address in the same range as the main network, which is already strange. The usual way to separate a Guest network is to have a separate IP range. Orbi doesn't do that as it doesn't seem to have a separate DHCP server for the Guest Network.

Now having the same IP segment I noticed that some trickery is done that prevents TCP connection to main network. For example if from the Guest Network I want to ping a system on the main network it times out. So Netgear does something to block standard layer 3 TCP connections.

However I have a number of devices that use Bonjour (mDNS) services on my main network, for example my printer and my file server use it. Now even when I am connected to the Guest Network I can still see these devices and CONNECT to them!

I am not sure what to think about this but this is a major security hole. People would assume that a Guest Network is separate from the main network, but from what I can see right now the Orbi Guest Network has only a partial separation that is not really a Guest Network at all!

Message 1 of 118
rhester72
Virtuoso

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

If you're in AP mode, it's (currently) going to behave exactly as you describe, which is long-known and has been announced as to be fixed in a future update. If you're in router mode, you're the first to report such a thing.

Rodney

Message 2 of 118
anschmid
Apprentice

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Yep, I do think I am in Router mode, according to this:

[Screenshot: Screen Shot 2017-02-03 at 20.41.47.png]

And as I said, I did un-tick the box to allow the Guest Network access, as seen here:

[Screenshot: Screen Shot 2017-02-03 at 20.42.12.png]

Yet connected to the Guest Wifi Network I can print on my printer (via AirPrint) and can access my file server, which are both hardwired into the Orbi. I cannot ping them or access them via HTTP browser but I can see them via Bonjour (mDNS) advertising in my Finder sidebar and connect to them by clicking on them.

Message 3 of 118
fbg
Initiate

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

It sounds like the Orbi forwards multicast IP packets between the guest and main networks, even when the isolation box is selected, but blocks other IP traffic between these zones. I'm just guessing. I would agree this is a bug. I wonder if this was done to support some services that use broadcast or multicast, like DHCP or UPnP? If so, I would like to see configuration options / check boxes to allow or block specific broadcast and multicast traffic from leaking between guest and primary networks.

Message 4 of 118
TheEther
Guru

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Even if the Orbi forwards IP multicast between guest and main networks, that doesn't explain why access to the printer and file server is permitted. Hopefully, Netgear will investigate and respond soon.

Message 5 of 118
whsbuss-1
Apprentice

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

I would hope in router mode all connections to the guest SSID would provide a separate subnet, i.e. 192.168.10.xxx and assign IPs. That would provide direct access to the internet thru the router but prevent any connectivity to the normal LAN. I know with FiOS here and having to keep their router in the loop, when I tested google wifi (they don't allow bridge mode and mesh and have a locked in 192.168.86.xxx LAN) I could not access my FiOS local LAN.

Message 6 of 118
TheEther
Guru

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Using a separate subnet is one way to implement a guest network, but it can be done with one subnet.  It just has to be done with the right set of internal policies to block traffic.  Even with two subnets, some sort of policy is required in order to keep the traffic segregated.

Message 7 of 118
anschmid
Apprentice

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

From what I can see the Orbi today provides an IP address for the guest clients in the same IP range as the main network, 192.168.1.0/24. It must be, as there is no way I have found in the GUI to define a separate IP range or DHCP server settings for the Guest Network. Other routers I have had usually have that option.

It might be possible to do a Guest Network in the same IP address range but it becomes very hard. It also assumes a pure Orbi setup where all traffic always goes through the router. If you have for example a semi-intelligent switch in such a configuration, it learns IP addresses and could forward traffic in the same subnet without involving the router, and that would circumvent all the policies.

The cleanest way IMO is to use a separate IP address range, e.g. 172.16.X.X, for the Guest Network because then all traffic between the main and guest network has to go through the router to be routed properly and that's where you have a single point of control.

Message 8 of 118
kamahaffey1
Initiate

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

I was considering purchasing this for my office. I need to be able to have a guest network without the guests possibly being able to access and/or see the other devices hooked to the network (e.g. printers, servers, etc.). Has this been fixed or is it still a possible security issue?

Model: Orbi High-Performance AC3000 Tri-Band WiFi System (RBK50)
Message 9 of 118
rhester72
Virtuoso

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

It works as expected in AP mode in the latest firmware, unless you have an IPv6 network presence (which the filter completely ignores).

I believe it's worked properly in router mode for several releases now, so as long as you are IPv4 only, I think you should be fine with guest isolation.

Rodney

Message 10 of 118
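
Added example, not part of any post in this thread and not Netgear code: a self-check an owner can run from a laptop joined to the guest SSID, covering the behaviours reported above (unicast TCP to main-network devices over IPv4 or IPv6, and mDNS visibility over IPv4). The addresses and ports in the usage comment are constructed; pass the addresses of devices you own on the main network.

```python
import socket, sys, time

def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes (name, IPv4 or IPv6)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, silently dropped (timeout) or unroutable
        return False

def mdns_sources(seconds=5.0):
    """Passively collect source IPs of mDNS packets on 224.0.0.251:5353."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if hasattr(socket, "SO_REUSEPORT"):  # share the port with a local mDNS daemon
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
    seen, deadline = set(), time.monotonic() + seconds
    try:
        sock.bind(("", 5353))
        mreq = socket.inet_aton("224.0.0.251") + socket.inet_aton("0.0.0.0")
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
        while (left := deadline - time.monotonic()) > 0:
            sock.settimeout(left)
            try:
                seen.add(sock.recvfrom(9000)[1][0])
            except socket.timeout:
                break
    finally:
        sock.close()
    return seen

def audit(main_services, heard=(), probe=tcp_reachable):
    """main_services: (host, port) pairs for devices you own on the main network.
    heard: source IPs from mdns_sources(). Returns a list of isolation findings."""
    main_ips = {host for host, _ in main_services}
    findings = [f"mDNS from main-network host {ip} is visible to guests"
                for ip in sorted(set(heard) & main_ips)]
    findings += [f"TCP {host} port {port} is reachable from the guest network"
                 for host, port in main_services if probe(host, port)]
    return findings

if __name__ == "__main__":
    # Constructed usage: guest_audit.py 192.168.1.50:631 fd00::50:631
    args = [a.rpartition(":") for a in sys.argv[1:]]
    targets = [(host, int(port)) for host, _, port in args]
    if targets:
        print("\n".join(audit(targets, mdns_sources()) or ["no leak observed"]))
    else:
        print("usage: guest_audit.py HOST:PORT [HOST:PORT ...]")
```

An empty result only covers the listed services and the IPv4 mDNS group; repeat the run with each device's IPv6 address if the network is dual-stack.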

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Running latest firmware 1.11.0.20 (July 2017). Guest Network is basically broken. Not isolated at all from the main wifi network. Using Orbi as an access point (AP). Apparently, some of the other Netgear routers are able to isolate the guest network even when used as an access point (AP). Please, Netgear Fix This.

Model: Orbi High-Performance AC3000 Tri-Band WiFi System (RBK50)
Message 11 of 118
rhester72
Virtuoso

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Are you running dual-stack with IPv6, by any chance?

A few releases back, they finally had IPv4 blocking working in AP mode, but not IPv6. Those without a dual-stack setup would have seen guest isolation to be working fine.

Rodney

Message 12 of 118

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Hi rhester72

Sadly I am not. Just a plain IPv4 home network with a pretty normal range of home wifi devices. When I check my router/internet modem, all devices are connecting via IPv4 addresses. To the best of my knowledge, I am not actively using IPv6 in my home network.

Just a reminder that I am having this issue with the Orbi system being used as a WiFi access point (AP) and NOT as a router.

Model: Orbi High-Performance AC3000 Tri-Band WiFi System (RBK50)
Message 13 of 118
JoeM845
Luminary

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

FYI: Problem persists with fw 2.0.0.74 on Orbi in AP mode.

An IP Scanner sees all devices on network. Netgear's Prosafe Plus Utility connects to all Netgear switches. Blocks browsing to some devices, though.

Message 14 of 118
CliffP
Guide

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

I have Orbi on latest firmware and set in Router mode, not AP mode.

I connect to the guest network on my iPhone and then use the Fing app (https://www.fing.io/) and can see every single device--i.e. it's useless as a guest network. :(

Message 15 of 118
st_shaw
Master

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network


@CliffP wrote:

I have Orbi on latest firmware and set in Router mode, not AP mode.

I connect to the guest network on my iPhone and then use the Fing app (https://www.fing.io/) and can see every single device--i.e. it's useless as a guest network. :(


You can see devices with Fing.  So what?  If you try to ping or connect to any devices from a client connected to the guest WiFi, you will find that you cannot.

Message 16 of 118
JoeM845
Luminary

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network


@st_shaw wrote:


You can see devices with Fing.  So what?  If you try to ping or connect to any devices from a client connected to the guest WiFi, you will find that you cannot.


Security is not about building most of a wall. Security is about eliminating holes in that wall. If you read back through this thread you will find that you can "connect". I was able to connect across the wall using Netgear's switch manager ProSafe Plus Utility.

Message 17 of 118
CliffP
Guide

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

I was also able to connect... iPhone is on Guest 5GHz, HP AirPrint printer is on Main 2.4GHz. iPhone can print a Safari page on the printer.

I didn't know before now that it was acceptable to even allow seeing clients on the network. Personally, I'd prefer avoiding being able to see other clients on Main if I'm on Guest... ideally not even able to see others on Guest.

Message 18 of 118
jmbones
Aspirant

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Is this still an issue with the latest firmware?

Model: Orbi High-Performance AC3000 Tri-Band WiFi System (RBK50)
Message 19 of 118
godspeed
Apprentice

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Yes, this is still an issue. Guest mode with the Orbi allows all devices (on guest or not) to "see" each other using apps like Fing. Guests cannot ping non-guests, but everything on your network is visible, and according to above posters, certain protocols (Bonjour, etc.) may be usable by guests.

Because of this, I am still using my Asus AC68 as the router (and Orbis in AP mode, no guest network), and have enabled a 2.4 GHz radio strictly for guest mode. Asus properly hides all devices from non-guest network.

Message 20 of 118
jmbones
Aspirant

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Thanks. That is a deal breaker for me. I will wait a little longer to see if it's resolved before I go a different route because I really like the other reviews and features of the Orbi system.

Message 21 of 118
Boatguy54
Guide

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

I have a new Orbi and see the same problem with the current s/w (2.1.1.16).

My Orbi is in AP mode sitting behind a Cisco RV325 router that provides better security, plus VLANs used for wired IOT devices (amazingly I have three of these).

I enabled a Guest network and did NOT check the "enable guests to see...". I connect to the Guest network with my phone and run a scan and I can see all the devices on the primary network. Access to some devices was blocked (e.g., Epson printer), but access to other devices (e.g., router) was possible.

This is NOT a secure Guest network. Odd, because certainly NetGear knows how to do this right. It could be done with VLAN tagging from the primary router, it could be done with a separate address space entirely (e.g., 10.x.x.x), etc.

Netgear has a real opportunity to meet a very real consumer need:

a) primary wifi network for home users.

b) guest wifi network for general use (that works as advertised, but not as implemented)

c) secure secondary wifi network for IOT devices which isolates every device from every other device and from the primary network.

d) secure wired network (at least one port which can be connected to switch) for wired IOT devices (pool, garage door opener, window shades, etc.) isolated from all other devices and networks.

These are de facto VLANs, though I understand that they can't be presented as VLANs for consumers. But that is the need and certainly Netgear has the ability to provide the functionality and then package it as something more consumer friendly.

But for now they have not done that and the Guest network is not secure.

Model: RBR50| Orbi AC3000 Tri-band WiFi (Router Only)
Message 22 of 118
Boatguy54
Guide

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Not true. I'm able to connect to any number of devices that use Bonjour. Other posts show similar flaws in the security.

And "so what"? The first step of hacking into a system is to know what targets are available. The product says it hides guest users from each other. So what is that it doesn't do that.

Message 23 of 118
Mr-Wednesday
Tutor

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

I can confirm that this is still an issue with firmware version V2.1.2.18.

Signed into the guest network and using Fing I can see ALL devices on my regular home network. In the Guest Network settings, "Allow guests to see each other and access my local network" is unchecked.

Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 24 of 118
MarinJim
Tutor

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

To clarify, am I correct that, as of January 2018, the Guest network still has the various shortcomings described above, but only when operating in AP Mode? And that, when using the Orbi in "router mode" (i.e., as your main router), the Guest network operates as it should (isolating main network resources, including making them invisible to guests on the Guest network)? Thanks for the clarification.

Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 25 of 118