JoeM845
Luminary

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Bad news! I just received a response to a support case on the guest network that I opened about a year ago. This is from a level 2 tech passing on an engineering response:

 

"After verifying this with the engineering team, they said that this is not a bug and this is by designed. Orbi does not block arp packets for guest network. It means when customer is using arp scan tools, it would show the devices connected to the Orbi but it would only allow arp to go through. Other users could not access the main network or send files to the main clients."

 

Implications to me

1) The device is designed to always allow "guests" some visibility into the main network. I don't know enough about the ARP protocol to know how much information is transferred and if all the information that IPScanner finds comes through the ARP protocol.

2) The design implementation is flawed because Netgear's Prosafe Plus Utility has no problem reaching switches on the main network when run from a computer on the guest network.

3) A fix is not likely in the near term with the current set up because neither the tech nor the engineering team seems to have paid attention to the portion of my case that said the Prosafe Plus Utility reaches through to the main network. They don't think there is a problem.

 

Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 51 of 118
st_shaw
Master

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

@JoeM845   Check the configuration of your switches to see if you can disable management via the Prosafe utility. You'd then need to use the web interface. Might not be what you want, but it would close that security hole.

Message 52 of 118
JoeM845
Luminary

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network


@st_shaw wrote:

@JoeM845  Check the configuration of your switches to see if you can disable management via the Prosafe utility. You'd then need to use the web interface. Might not be what you want, but it would close that security hole.


Thanks for the suggestion, but the hole(s) through the Orbi would still be there. I did not cite the Prosafe example as the only Orbi vulnerability or because I was especially concerned about the switches. I used the example because, if even a Netgear utility can pass the "guest" barrier, the designers/engineers did not think things through or test very thoroughly.

Message 53 of 118
st_shaw
Master

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network


@JoeM845 wrote:

@st_shaw wrote:

@JoeM845  Check the configuration of your switches to see if you can disable management via the Prosafe utility. You'd then need to use the web interface. Might not be what you want, but it would close that security hole.


Thanks for the suggestion, but the hole(s) through the Orbi would still be there. I did not cite the Prosafe example as the only Orbi vulnerability or because I was especially concerned about the switches. I used the example because, if even a Netgear utility can pass the "guest" barrier, the designers/engineers did not think things through or test very thoroughly.


I'm trying to be helpful to you. I'm not debating the merits of the Orbi guest network. Yes, it has holes, as you mentioned.  There are other holes I've noticed that haven't been discussed here.  However, NETGEAR does not intend to change it and one could argue it's perfectly adequate for the majority of home environments.

 

The bottom line is one needs a different product if Orbi doesn't meet their particular security requirements.

 

It sounds like you need a VLAN router and VLAN aware switches.  You could still use Orbi, but it would be only an access point, and Orbi traffic would be confined to a single VLAN.

 

 

Message 54 of 118
JoeM845
Luminary

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

@st_shaw, I appreciate that you offered help. I wish that you had spoken up a year ago. My response was attempting to say that I was not so much concerned about this vulnerability as I was concerned about Netgear's approach to vulnerabilities in general and discussing the limitations of their product.

 

Until I got the recent tech support response, I had only seen comments that Netgear was working on it. Or silence. No one said that Netgear's idea of a guest network is a very pared down level of isolation. No one said that the "Allow guests to see each other and access my local network" option would do so if checked, but would still do so to a lesser degree if unchecked. I am somewhat mad at myself for falling for the claim and being strung along for a year on false promises. If I knew then what I know now, I would have returned the Orbi.

 

Note that I do have a router and switches with VLAN capabilities. I am using the Orbi as an AP. Deploying two sets of APs is not a desirable option. If you know how an Orbi AP can work on two VLANs I would be glad to hear about it.

 

 

Message 55 of 118
st_shaw
Master

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

 

@JoeM845 Unfortunately, NETGEAR doesn't say much about how their devices work, either in the documentation or on here. Users sometimes need to experiment to see how things work.

 

In my testing, devices on the guest network can see other clients using tools like fing, but guest devices cannot connect via SMB or http/https protocols, so the security risk seems minimal for most home users. Especially since most home users don't give hackers or the general public access to their guest network.

 

A bigger hole I found was that devices on my Orbi guest network COULD access file servers on another network that was connected to Orbi's LAN via an IPSEC VPN.  I presume this is because they were on a different subnet.  That's a significant hole, but one most home users won't encounter. 

 

Sorry, but I can't think of a way for the Orbi to exist on more than one VLAN.  Orbi uses a lot of spectrum, too, so it might be hard to have it coexist with WAPs that can put wireless clients on more than one VLAN.

Message 56 of 118
johngm
NETGEAR Moderator

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Sorry that you haven't gotten a response on this sooner and thanks to shumaku for forwarding it on to the "Connect with the SMB GM" area which I am regularly monitoring.  

 

Next let me start by saying I am sorry that you had a bad experience with a support representative.  We take the quality of the support experience very seriously here at NETGEAR and if you can provide any information on the specifics of the call or a ticket number I would be happy to investigate and get back to you.  

 

With regards to the concerns you have about OrbiPro, OrbiPro uses SSID isolation to provide a secure guest, employee and management domain.   Within both the base station and satellites, OrbiPro will assure that all guest and employee SSID traffic is exclusively routed to the Internet through WAN port on the base station.  This effectively prevents a person on the guest WiFi (or the employee Wifi for that matter) from being able to “snoop” or penetrate the traffic traversing the hardwired ports or the management Wifi.  The current firmware does block all Layer 3 and unicast traffic from being bridged or  routed between the guest, employee and management network. So communication between wireless stations is effectively blocked. Clients within the Guest network are also blocked from communicating with each other, so client isolation is supported.  I recently became aware that the current 2.1.3 release does, however, allow multicast and broadcast discovery protocols (UPnP, bonjour, LLDP) to bridge across SSID’s.  While this doesn't permit any traffic snooping or network penetration, it violates your privacy by unintentionally allowing guests to see some of the devices that are on your management network.   This is a defect and we will immediately fix it in our next release of the code.  

 

As I mentioned above, I am sorry that you had a bad interaction when you attempted to contact us and make us aware of the issue with this product.   Myself and my entire team are strong advocates for the power and effectiveness of tools like this community versus the traditional (and largely inefficient) models built around call centers.   I hope that you give NETGEAR another chance and utilize our communities to get the most out of your NETGEAR products.

 

John

Message 57 of 118
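As an added example (not from any poster or from NETGEAR): a Python check that grades a packet capture taken on a guest-SSID client against the behaviour described in the post above, separating discovery leakage (ARP, LLDP, Bonjour/mDNS, UPnP/SSDP) from bridged unicast traffic. The frames, MAC and IP addresses, and the function names are constructed for illustration, and the allow-list of MACs (gateway and the capturing client) is an assumption.

```python
import struct

MDNS = ("224.0.0.251", 5353)        # Bonjour
SSDP = ("239.255.255.250", 1900)    # UPnP discovery
DISCOVERY = {"arp", "lldp", "mdns", "ssdp"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip4(b):
    return ".".join(str(x) for x in b)

def classify(frame):
    """Return (source MAC, label, source IPv4 or None) for a raw Ethernet II frame."""
    dst, src = frame[0:6], mac(frame[6:12])
    (etype,) = struct.unpack("!H", frame[12:14])
    body = frame[14:]
    if etype == 0x8100 and len(body) >= 4:           # skip one 802.1Q tag
        (etype,) = struct.unpack("!H", body[2:4])
        body = body[4:]
    if etype == 0x0806 and len(body) >= 28:
        return src, "arp", ip4(body[14:18])          # ARP carries sender MAC + IPv4
    if etype == 0x88CC:
        return src, "lldp", None
    if etype == 0x0800 and len(body) >= 20:
        ihl = (body[0] & 0x0F) * 4
        src_ip, dst_ip = ip4(body[12:16]), ip4(body[16:20])
        if body[9] == 17 and len(body) >= ihl + 8:   # UDP
            (dport,) = struct.unpack("!H", body[ihl + 2:ihl + 4])
            if (dst_ip, dport) == MDNS:
                return src, "mdns", src_ip
            if (dst_ip, dport) == SSDP:
                return src, "ssdp", src_ip
        return src, "l3-multicast" if dst[0] & 1 else "l3-unicast", src_ip
    return src, "other", None

def audit(frames, allowed_macs):
    """Collect frames from senders a guest should never hear and grade the exposure."""
    seen = {}
    for frame in frames:
        if len(frame) < 14:
            continue
        src, label, src_ip = classify(frame)
        if src in allowed_macs:
            continue
        entry = seen.setdefault(src, {"ips": set(), "kinds": set()})
        entry["kinds"].add(label)
        if src_ip:
            entry["ips"].add(src_ip)
    kinds = set().union(*(e["kinds"] for e in seen.values()))
    if not kinds:
        return "isolated", seen
    return ("discovery-leak" if kinds <= DISCOVERY else "traffic-leak"), seen

# --- constructed sample frames (checksums zeroed; addresses are made up) ---
def addr(s):
    return bytes(map(int, s.split(".")))

def eth(dst, src, etype, body):
    return bytes.fromhex((dst + src).replace(":", "")) + struct.pack("!H", etype) + body

def arp(sender_mac, sender_ip, target_ip):
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + bytes.fromhex(sender_mac.replace(":", ""))
            + addr(sender_ip) + bytes(6) + addr(target_ip))

def udp4(src_ip, dst_ip, dport):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, addr(src_ip), addr(dst_ip))
    return hdr + struct.pack("!HHHH", 40000, dport, 8, 0)

GATEWAY, ME = "02:00:00:00:00:01", "02:00:00:00:00:02"   # allowed: router and this guest client
NAS, TV = "02:00:00:00:00:10", "02:00:00:00:00:11"       # main-network devices
SAMPLE = [
    eth("ff:ff:ff:ff:ff:ff", NAS, 0x0806, arp(NAS, "192.168.1.20", "192.168.1.1")),
    eth("01:00:5e:00:00:fb", TV, 0x0800, udp4("192.168.1.30", "224.0.0.251", 5353)),
    eth(ME, GATEWAY, 0x0800, udp4("203.0.113.5", "192.168.1.50", 443)),
]

if __name__ == "__main__":
    verdict, seen = audit(SAMPLE, {GATEWAY, ME})
    print(verdict, {m: (sorted(e["ips"]), sorted(e["kinds"])) for m, e in seen.items()})
```

A `discovery-leak` verdict matches the privacy exposure described in the post (devices become visible); `traffic-leak` means unicast frames from a main-network host reached the guest client, which is the stronger failure.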
EcoFuelEngineer
Aspirant

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

John thank you for taking the time to reply. I need to say that my original message was posted in a moment of extreme frustration. The equipment was purchased on the premise that it could do what we wanted and we have 3 orbi pro routers and 6 satellites for various sites so to discover via this thread what we were hoping to achieve isn't possible was really frustrating. We have also experienced serious network disruption when we enabled the guest portal because we have some legacy telephony kit in the 192.168.1.x subnet which seemed to reset every time the guest portal was enabled. Which knocked out the phones of 200 people ! You can imagine it did not make us flavour of the month.
Add to this the experience with the Indian call centre from an agent who clearly had no idea of anything we were talking about it all wound up in my frustrated post for which I apologise.

What I need is a conversation with someone who understands the product and its capabilities and can help us incorporate it into our existing setup. Do you think you could connect me to that sort of resource? More for a high level network design conversation than anything else ?
Thank you for your reply
Sincerely
Nigel Hoar
Message 58 of 118
Mr-Wednesday
Tutor

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

It has always been reliable, stable and a good performer for me.

Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 59 of 118
JoeM845
Luminary

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network


@johngm wrote:

...   Within both the base station and satellites, OrbiPro will assure that all guest and employee SSID traffic is exclusively routed to the Internet through WAN port on the base station.  ...



John,

 

Thank you for your response.

 

I am a little concerned that this approach may have a problem when the OrbiPro is used as an AP and therefore only controls part of the local network. The Orbi "WAN" port sees the LAN. If guest/employee packets get through the "WAN" port, they will see all of the local network outside the Orbi control unless they are further restricted to the gateway, DNS server, and DHCP server (this may not be a complete list). I understand that this issue may be covered in the design and just not mentioned in your reply.

 

I note that your response was for the OrbiPro. I have an Orbi RBK50 which has similar vulnerabilities in its more limited scope for a guest network. I have no idea if Netgear is doing something similar (or anything) for the Orbi problem.

 

Message 60 of 118
BIG9MM
Apprentice

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

If  Netgear just overlooks the RBK50 because of the OrbiPro and will not fix the RBK50 then I will be backing away from Netgear. I have the NETGEAR CM1000 Ultra-High Speed Cable and Orbi RBK50 with a lot of satellites and yes Netgear, I use the Guest Network a lot and I need the Guest Network to see each other to access printers without seeing my private local network or to access my private printers. I feel like this option makes us go out and buy the OrbiPro and that is why RBK50 will not have a fix.

Message 61 of 118
st_shaw
Master

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network


@Case850 wrote:

 

The Guest Network is disabled when the router is set to AP mode. See link

https://kb.netgear.com/26765/Disabled-Features-on-the-Router-when-set-to-AP-Mode


@Case850 That KB article is wrong.  The guest network is NOT disabled on Orbi when in AP mode.  It's not disabled on my R7000P when in AP mode either, but the R7000P does disable the isolation feature when in AP mode.  Orbi still offers the isolation option when in AP mode, and it does prevent SMB, http, and most other traffic to clients on the Orbi LAN subnet.

 

Message 62 of 118
st_shaw
Master

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network


@Case850 wrote:

@st_shaw

Technically you maybe correct, but practically it is the same thing. The guest network without isolation is virtually useless. The proper way to do it is with VLANs/Subnets.


What I said was that KB article was wrong. That statement is absolutely true.  Spare me the pedagogy. I own multiple Ubiquiti routers and Mikrotik routers, so I know about how full isolation is done with VLANS, and it's already been mentioned in this thread.

 

 

Message 63 of 118
JoeM845
Luminary

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network


@Case850 wrote:

 

@JoeM845

The Guest Network is disabled when the router is set to AP mode. See link

https://kb.netgear.com/26765/Disabled-Features-on-the-Router-when-set-to-AP-Mode


The right side of the link page lists the Netgear devices that the article applies to (to which the article applies?). I am not able to find an Orbi or OrbiPro product number in that list.

Message 64 of 118
appierro
Apprentice

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

@johngm you say that this is a known defect that will be rectified but in the beginning of your post you specifically mention OrbiPro.  Will you be rectifying this defect for the Orbi (Non-Pro models) as well?

Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 65 of 118
JoeM845
Luminary

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network


@JoeM845 wrote:

Bad news! I just received a response to a support case on the guest network that I opened about a year ago. This is from a level 2 tech passing on an engineering response:

 

"After verifying this with the engineering team, they said that this is not a bug and this is by designed. Orbi does not block arp packets for guest network. It means when customer is using arp scan tools, it would show the devices connected to the Orbi but it would only allow arp to go through. Other users could not access the main network or send files to the main clients."

 

Implications to me

1) The device is designed to always allow "guests" some visibility into the main network. I don't know enough about the ARP protocol to know how much information is transferred and if all the information that IPScanner finds comes through the ARP protocol.

2) The design implementation is flawed because Netgear's Prosafe Plus Utility has no problem reaching switches on the main network when run from a computer on the guest network.

3) A fix is not likely in the near term with the current set up because neither the tech nor the engineering team seems to have paid attention to the portion of my case that said the Prosafe Plus Utility reaches through to the main network. They don't think there is a problem.

 


More bad news! I posted a reply on the case asking why tech support and engineering's last reply ignored the fact that Prosafe Plus could make it through the guest network walls. I got the following reply:

 

... "What we will do instead is submit this as a feature request/enhancement for the Guest Network function of the router. Should you wish to proceed further, you could submit a report to bug crowd instead." ...

 

It does not appear that Netgear will live up to their marketing claims.

 

Message 66 of 118
Stratguru
Tutor

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Hi John @johngm ,

 

Can you comment about the non-pro version of Orbi because I, like so many others, have had an open ticket about this issue and am being told that the issue you are saying violates the users' privacy by unintentionally allowing guests to see devices is operating as designed:

 

Case #: 29665589 
Case Summary: RBR50 - Guest Wi-Fi is not working properly. Guest Wi-Fi is not isolated from the main Wi-Fi. *** L2 ML 
Product: RBR50 

Update from NETGEAR: 

Hi Paul, 

Good day! 

This is Rose from L2 support. I got an update from our Engineering team and they said that this is not a bug and this is by designed. Orbi does not block arp packets for Guest Network which means when you are using arp scan tools, it would show the devices connected to the Orbi but it would only allow arp to go through. Other users could not access the main network or send files to the main clients.  

Please let me know if you have further questions. 

Regards, 

Rose, Expert ID: 8319 
NETGEAR L2 Support Expert

Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 67 of 118
schumaku
Guru

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Talking free here my friend: The situation is not acceptable, neither for Orbi nor for the Orbi Pro. It's simply bad design bottom up if your engineers wanted to avoid a proper implementation of VLANs. There are industry standards I do expect Netgear to follow - and these are clearly VLANs. There is nothing that stops Orbi and Orbi Pro from having a tagged WiFi trunk and a tagged backbone. If your engineers don't agree, I'm willing to prove that such a setup using standard Netgear equipment is possible. Your competition does support properly isolated, dedicated networks, including guest networks - without dirty L2 tricks and introducing new problems. I am very disappointed Netgear is unable to convert Orbi and Orbi Pro design to industry standards. My expectation is that Orbi and Orbi Pro - in any mode, in any mixed backbone design - can work and co-operate with industry standard switches, access points, and even wireless extenders. I can't get rid of the impression that there is a team of engineers who is riding the wrong horses. Proof enough how poor, no bad the Nighthawk product line does behave for many users - exactly built on the very same L2 hack design. And of course the Nighthawks lack of interoperability options with Orbi and Orbi Pro, too. And last but not least, the pricing of the often named competitor is aggressive, while Netgear is much too expensive for a product line which is a hack. Not a solution. We can't use Nighthawk, Orbi, and Orbi Pro to design and deploy as any kind of a solution today. Insight is a possible option, but lacks of a security appliance and state of the technology art Wireless APs. Not having all these devices able to interoperate is a big mistake. Interoperability is only possible by implementing industry standards. Doing anything different must be rejected as a business case. As such the Orbi system has - in its current state - nothing to do on Insight.
Can't be a guest network is not the same like a guest network or like yet any other SSID/VLAN defining a network for a certain purpose.
Message 68 of 118
johngm
NETGEAR Moderator

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Sorry for the delay responding.  First of all, I will say that the final decision about the question you are asking will come from another business unit and the Orbi (home) product is on a different code base so both feature set and timing are fairly independent.   In my discussions with those folks they see this issue as less urgent in a home setting than it would be in a small business deployment.   They are making tradeoffs between the addition of features being requested by their users and this defect which is seen as a P3 or P4.

 

Finally, even within my own business unit we are continuing to do code inspection and design review to fully understand the implications of the fix we are planning on OrbiPro.  We are concerned that there are other side effects between router and AP mode with the obvious solution.  

 

The concerns being raised are well understood and both teams are trying to address the issues which we feel are most impactful and beneficial to our wide customer base.  

 

Stay tuned.

 

John

 

Message 69 of 118
johngm
NETGEAR Moderator

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Sorry to object Schumaku, but I completely disagree with you.

 

Orbi and OrbiPro are some of the most advanced physical layer, link layer and protocol layer network product implementations I have been associated with in my 35 year career at four networking companies.    The Fast lane 3 architecture is the result of nearly one hundred man years of development, including trial versions which never saw the light of day.  

 

We set out with the single-minded purpose of creating a distributed LAN and WLAN solution which could be deployed reliably by a networking novice. 

 

That is exactly what Orbi achieved.   In independent test after independent test, Orbi beats all competitors in coverage and delivered bandwidth.   That is amazing because very few of these tests actually test what Fast Lane Three technology is actually exceptional at and that is fully loaded networks.   What you don't really appreciate with essentially all of the industry tests you will find, is that these distributed wifi solutions are not really taxed when you only have one or two clients walking around doing speed tests.  If that was the only application that these would support, then it wouldn't have taken years to develop this solution.

 

The reality is that wifi solutions, even in the home are bombarded by dozens of connections from handheld clients, to video displays, to IoT cameras and sensors.   What you don't see is how competitive solutions fall down when their backhaul (which is shared with random endpoints) gets congested because every single packet is traversing it twice.   But the fact that this is the most advanced solution of its type on the market is not what makes Orbi unique and perfect...it is the fact that it is so simple to turn on and use by networking novices.

 

I will concede that there are home networks with VLANs (My personal experience is maybe 1 in 100).   Certainly there are small businesses that are built upon discrete network architectures.   But neither of these two applications was the target for Orbi or OrbiPro.   Netgear has a wide selection of business, commercial and even individual user WLAN solutions which are ideal for these deployment cases.   The Insight WAC510 is a great example of a product which for roughly $100 US provides wave 2 11AC solution which could easily provide the capabilities you are looking for and support remote cloud management as well.

 

As I mentioned, the Orbi architecture is one of the most advanced networking solutions I have been associated with in my career and it is roughly one year old.   The product is doing band steering, active client roaming, signal optimization and trying to offer thousands of square feet of coverage, without a site survey, band programming or manual signal strength tuning.   We continue to learn more and more about the challenges of implementing an autonomous self-optimizing WLAN ecosystem in a world where certain mobile phone providers and video adapter developers regularly release clients with novel wifi behavior.  We are firmly committed to this architecture and continue to invest in improving the customer experience.

 

While you might disagree with our attempt to target this particular customer segment, which you are clearly not a member of, I wanted to make sure you understood who we are targeting the product at and why we made the design tradeoffs which we did.

 

John

Message 70 of 118
Modmans2ndcomin
Aspirant

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

John,

 

With the explosion of IoT, do you really think it is not a feature that people should have in home and small business routers? Network segmentation may be something that is most used in the enterprise, but a light bulb or thermometer should not be on the same VLAN as my PC.

Model: RBK22| Orbi AC2200 Tri-band WiFi System
Message 71 of 118
schumaku
Guru

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

The number of complaints, the amount of issues with this technology, the lack of support for 802.11q VLAN tagging, and the number of community members suggesting to install competitive routers from a different brand - replacing Orbi, Orbi Pro, Nighthawk does speak its own language.

 

The feedback from the community does not seem to work. 

Message 72 of 118
NaderA
NETGEAR Expert

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

All,

Thank you for choosing Orbi Pro and your loyalty with Netgear.  I appreciate all of your feedback that helps us make Orbi Pro an even better product for your business. I personally read all of your feedback and comments and take them very seriously, especially in cases like this.

 

Please note that we have identified the issue and have rectified it with a FW update that you can download and update your Orbi Pro units.

This FW update can be found below. 

Download Orbi Pro Firmware 2.1.4.8 with Client isolation

 

Orbi Pro Product Management

 

Model: SRS60| Orbi Pro Tri-band WiFi Add-on Satellite
Message 73 of 118
RocketSquirrel
Luminary

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network


@NaderA wrote:

All,

Thank you for choosing Orbi Pro and your loyalty with Netgear.  I appreciate all of your feedback that helps us make Orbi Pro an even better product for your business. I personally read all of your feedback and comments and take them very seriously, especially in cases like this.

 

Please note that we have identified the issue and have rectified it with a FW update that you can download and update your Orbi Pro units.

This FW update can be found below. 

Download Orbi Pro Firmware 2.1.4.8 with Client isolation

 

Orbi Pro Product Management

 


This is the Orbi “non” Pro forum. Would love to see an isolation solution for the home products.

Model: RBK53| Orbi Router + 2 Satellites Orbi WiFi System
Message 74 of 118
Jeremyinsf
Apprentice

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Yeah, I appreciate that you state that you read them all and take them seriously, but I agree you misunderstand.  Isolation is supposed to be an option on non-Pro and that's what this thread is about.  There is a checkbox in our settings, and it's worthless.  

 

I have devices that I do want to totally isolate from my PC and files, and non-Pro is supposed to do this - but it's another bug that has been unresolved.

 

My guess is that you fixed the bug for the Pro because many have a business requirement to isolate traffic, and you probably don't want to get sued.

 

If you really are reading all these messages, perhaps you can put a new, general thread up explaining to everyone on these forums that you understand how upset your user base is about the overall lack of quality in your firmware (and QA), and what you plan to do to fix it, and what the timeline is.

Message 75 of 118