anschmid
Feb 03, 2017, Apprentice
CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network
I was just playing around with the Guest Network in Orbi and made a rather disturbing discovery that guest clients don't seem to be separated totally from the main network, in fact can access ...
EcoFuelEngineer
Mar 28, 2018, Aspirant
We have purchased several of the "Pro" routers and satellites. We have been struggling with this issue for several days - until we came across this thread. Clearly the Orbi does NOT support the functionality claimed and, more worryingly, seems to have zero commitment to addressing it or getting it fixed. This is not acceptable as a "business" product - we will be moving away from Netgear completely based on this issue - I tried to contact Netgear for support (even before I saw this thread), which went so far and then my call was disconnected by the support representative. We have had similar issues with other purportedly enterprise solutions which aren't enterprise - ReadyData 5200, Layer 3 switches, M6000 chassis - and this is the final straw.
johngm
Mar 29, 2018, NETGEAR Employee Retired
Sorry that you haven't gotten a response on this sooner, and thanks to schumaku for forwarding it on to the "Connect with the SMB GM" area, which I am regularly monitoring.
Next let me start by saying I am sorry that you had a bad experience with a support representative. We take the quality of the support experience very seriously here at NETGEAR and if you can provide any information on the specifics of the call or a ticket number I would be happy to investigate and get back to you.
With regards to the concerns you have about OrbiPro: OrbiPro uses SSID isolation to provide a secure guest, employee and management domain. Within both the base station and satellites, OrbiPro will assure that all guest and employee SSID traffic is exclusively routed to the Internet through the WAN port on the base station. This effectively prevents a person on the guest WiFi (or the employee WiFi, for that matter) from being able to "snoop" on or penetrate the traffic traversing the hardwired ports or the management WiFi. The current firmware does block all Layer 3 and unicast traffic from being bridged or routed between the guest, employee and management networks. So communication between wireless stations is effectively blocked. Clients within the Guest network are also blocked from communicating with each other, so client isolation is supported. I recently became aware that the current 2.1.3 release does, however, allow multicast and broadcast discovery protocols (UPnP, Bonjour, LLDP) to bridge across SSIDs. While this doesn't permit any traffic snooping or network penetration, it violates your privacy by unintentionally allowing guests to see some of the devices that are on your management network. This is a defect and we will immediately fix it in our next release of the code.
As I mentioned above, I am sorry that you had a bad interaction when you attempted to contact us and make us aware of the issue with this product. My entire team and I are strong advocates for the power and effectiveness of tools like this community versus the traditional (and largely inefficient) models built around call centers. I hope that you give NETGEAR another chance and utilize our communities to get the most out of your NETGEAR products.
John
- EcoFuelEngineer
Mar 29, 2018, Aspirant
John, thank you for taking the time to reply. I need to say that my original message was posted in a moment of extreme frustration. The equipment was purchased on the premise that it could do what we wanted, and we have 3 Orbi Pro routers and 6 satellites for various sites, so to discover via this thread that what we were hoping to achieve isn't possible was really frustrating. We have also experienced serious network disruption when we enabled the guest portal, because we have some legacy telephony kit in the 192.168.1.x subnet which seemed to reset every time the guest portal was enabled. This knocked out the phones of 200 people! You can imagine it did not make us flavour of the month.
Add to this the experience with the Indian call centre from an agent who clearly had no idea of anything we were talking about it all wound up in my frustrated post for which I apologise.
What I need is a conversation with someone who understands the product and its capabilities and can help us incorporate it into our existing setup. Do you think you could connect me to that sort of resource? More for a high-level network design conversation than anything else?
Thank you for your reply
Sincerely
Nigel Hoar
- JoeM845
Mar 30, 2018, Luminary
johngm wrote: ... Within both the base station and satellites, OrbiPro will assure that all guest and employee SSID traffic is exclusively routed to the Internet through WAN port on the base station. ...
John,
Thank you for your response.
I am a little concerned that this approach may have a problem when the OrbiPro is used as an AP and therefore only controls part of the local network. The Orbi "WAN" port sees the LAN. If guest/employee packets get through the "WAN" port, they will see all of the local network outside the Orbi's control unless they are further restricted to the gateway, DNS server, and DHCP server (this may not be a complete list). I understand that this issue may be covered in the design and just not mentioned in your reply.
I note that your response was for the OrbiPro. I have an Orbi RBK50 which has similar vulnerabilities in its more limited scope for a guest network. I have no idea if Netgear is doing something similar (or anything) for the Orbi problem.
- BIG9MM
Mar 30, 2018, Apprentice
If Netgear just overlooks the RBK50 because of the OrbiPro and will not fix the RBK50 then I will be backing away from Netgear. I have the NETGEAR CM1000 Ultra-High Speed Cable and Orbi RBK50 with a lot of satellites and yes Netgear, I use the Guest Network a lot and I need the Guest Network to see each other to access printers without seeing my private local network or to access my private printers. I feel like this option makes us go out and buy the OrbiPro and that is why RBK50 will not have a fix.
- Stratguru
Apr 05, 2018, Tutor
Hi John (johngm),
Can you comment on the non-Pro version of Orbi? I, like so many others, have had an open ticket about this issue and am being told that the behaviour you say violates users' privacy by unintentionally allowing guests to see devices is operating as designed:
Case #: 29665589
Case Summary: RBR50 - Guest Wi-Fi is not working properly. Guest Wi-Fi is not isolated from the main Wi-Fi. *** L2 ML
Product: RBR50
Update from NETGEAR:
Hi Paul,
Good day!
This is Rose from L2 support. I got an update from our Engineering team and they said that this is not a bug and this is by design. Orbi does not block ARP packets for the Guest Network, which means that when you are using ARP scan tools it would show the devices connected to the Orbi, but it would only allow ARP to go through. Other users could not access the main network or send files to the main clients.
Please let me know if you have further questions.
Regards,
Rose, Expert ID: 8319
NETGEAR L2 Support Expert
- schumaku
Apr 05, 2018, Guru - Experienced User
Talking freely here, my friend: The situation is not acceptable, neither for Orbi nor for the Orbi Pro. It's simply bad design bottom up if your engineers wanted to avoid a proper implementation of VLANs. There are industry standards I do expect Netgear to follow - and these are clearly VLANs. There is nothing that stops Orbi and Orbi Pro from having a tagged WiFi trunk and a tagged backbone. If your engineers don't agree, I'm willing to prove that such a setup using standard Netgear equipment is possible. Your competition does support properly isolated, dedicated networks, including guest networks - without dirty L2 tricks and introducing new problems. I am very disappointed Netgear is unable to convert the Orbi and Orbi Pro design to industry standards. My expectation is that Orbi and Orbi Pro - in any mode, in any mixed backbone design - can work and co-operate with industry standard switches, access points, and even wireless extenders. I can't get rid of the impression that there is a team of engineers who are riding the wrong horses. Proof enough is how poorly, no, badly, the Nighthawk product line behaves for many users - built on exactly the same L2 hack design. And of course the Nighthawks lack interoperability options with Orbi and Orbi Pro, too. And last but not least, the pricing of the often-named competitor is aggressive, while Netgear is much too expensive for a product line which is a hack, not a solution. We can't use Nighthawk, Orbi, and Orbi Pro to design and deploy any kind of solution today. Insight is a possible option, but lacks a security appliance and state-of-the-art wireless APs. Not having all these devices able to interoperate is a big mistake. Interoperability is only possible by implementing industry standards. Doing anything different must be rejected as a business case. As such the Orbi system has - in its current state - nothing to do on Insight.
It can't be that a guest network is not the same as a guest network, or as any other SSID/VLAN defining a network for a certain purpose.
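The posts above draw a distinction worth making measurable: johngm describes L3/unicast traffic being blocked between SSIDs while multicast and broadcast discovery protocols (UPnP, Bonjour, LLDP) still bridge across, the L2 support reply says ARP is also passed, and JoeM845 notes that in AP mode guests should reach nothing on the LAN except the gateway, DNS and DHCP. The script below is an added example written for this thread; it is not NETGEAR code and does not depend on any Orbi firmware. It takes a simplified summary of frames captured by a client on the guest SSID and sorts what they disclose into unicast isolation failures (serious), discovery leaks (privacy), and nothing. The frame-record format, the subnets, the gateway address and the sample capture are all constructed for illustration.

```python
"""Classify what a capture taken on the guest SSID reveals about other networks.

Added example for this thread, not NETGEAR or Orbi code. Frame records are a
constructed, simplified summary (protocol, source, destination), not a real
tcpdump format.
"""
import ipaddress
from collections import defaultdict

# Well-known discovery multicast groups (UPnP/SSDP and Bonjour/mDNS).
DISCOVERY_GROUPS = {
    "239.255.255.250": "ssdp",
    "224.0.0.251": "mdns",
    "ff02::fb": "mdns",
}


def _is_guest(addr, guest_net):
    return ipaddress.ip_address(addr) in guest_net


def audit_guest_capture(frames, guest_cidr, allowed_upstream=frozenset()):
    """Summarise frames observed by a guest client.

    frames: dicts with 'proto' ('arp', 'lldp', 'tcp', 'udp'), 'src_mac', and,
            for IP/ARP frames, 'src' and 'dst' (sender/target IP for ARP).
    guest_cidr: the guest SSID subnet (assumed, constructed value below).
    allowed_upstream: hosts guests may legitimately reach (gateway, DNS, DHCP),
            the only on-LAN unicast peers JoeM845's AP-mode remark allows.
    Returns {channel: sorted list of identifiers seen}.
    """
    guest_net = ipaddress.ip_network(guest_cidr)
    seen = defaultdict(set)
    for f in frames:
        proto = f["proto"]
        if proto == "lldp":
            # LLDP has no IP layer; the sending MAC alone names a management-
            # side device a guest should never learn about.
            seen["lldp"].add(f["src_mac"])
            continue
        src, dst = f["src"], f["dst"]
        if proto == "arp":
            # ARP from an address outside the guest subnet is the "ARP scan"
            # case the L2 support reply describes.
            if not _is_guest(src, guest_net):
                seen["arp"].add(src)
            continue
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip.is_multicast or dst == "255.255.255.255":
            # Broadcast/multicast from a non-guest host: a discovery leak.
            # A 0.0.0.0 source is a DHCP client with no address yet, not a leak.
            if src != "0.0.0.0" and not _is_guest(src, guest_net):
                seen[DISCOVERY_GROUPS.get(dst, "other_broadcast")].add(src)
            continue
        # Unicast. Traffic to or from the permitted upstream hosts is expected.
        if src in allowed_upstream or dst in allowed_upstream:
            continue
        non_guest = [a for a in (src, dst) if not _is_guest(a, guest_net)]
        if len(non_guest) == 1:
            # One side guest, the other a private LAN address: L3 isolation has
            # failed. A public (Internet) peer is the normal case and is fine.
            if ipaddress.ip_address(non_guest[0]).is_private:
                seen["unicast_isolation_failures"].add(f"{src}->{dst}")
        elif not non_guest and src != dst:
            # Two guest clients talking directly: client isolation has failed.
            seen["guest_to_guest"].add(f"{src}->{dst}")
    return {k: sorted(v) for k, v in seen.items()}


def verdict(report):
    """Rank the findings: isolation failure > discovery leak > clean."""
    if report.get("unicast_isolation_failures") or report.get("guest_to_guest"):
        return "isolation_failure"
    if report:
        return "discovery_leak"
    return "clean"


# Constructed sample capture (not real traffic): guest subnet 192.168.4.0/24
# with gateway 192.168.4.1, main network on 192.168.1.0/24.
GUEST_CIDR = "192.168.4.0/24"
ALLOWED_UPSTREAM = frozenset({"192.168.4.1"})
SAMPLE_FRAMES = [
    {"proto": "udp", "src": "192.168.4.23", "dst": "1.1.1.1", "src_mac": "02:00:00:00:04:23"},
    {"proto": "udp", "src": "192.168.4.23", "dst": "192.168.4.1", "src_mac": "02:00:00:00:04:23"},
    {"proto": "arp", "src": "192.168.1.10", "dst": "192.168.4.23", "src_mac": "02:00:00:00:01:10"},
    {"proto": "udp", "src": "192.168.1.20", "dst": "224.0.0.251", "src_mac": "02:00:00:00:01:20"},
    {"proto": "udp", "src": "192.168.1.30", "dst": "239.255.255.250", "src_mac": "02:00:00:00:01:30"},
    {"proto": "lldp", "src_mac": "02:00:00:00:01:01"},
]

if __name__ == "__main__":
    report = audit_guest_capture(SAMPLE_FRAMES, GUEST_CIDR, ALLOWED_UPSTREAM)
    for channel, ids in sorted(report.items()):
        print(f"{channel:28s} {', '.join(ids)}")
    print("verdict:", verdict(report))
```

On the sample the verdict is "discovery_leak": the main-network hosts are revealed by ARP, mDNS, SSDP and LLDP, but no unicast crosses between the subnets, which is exactly the state johngm describes for 2.1.3. A capture that does contain unicast from a private address outside the guest subnet, or between two guest clients, is ranked "isolation_failure" instead. In AP mode the same audit can be run against the upstream LAN, with `allowed_upstream` set to the real gateway, DNS and DHCP addresses, to check that nothing else on the LAN is reachable.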
- johngm
Apr 06, 2018, NETGEAR Employee Retired
Sorry to object Schumaku, but I completely disagree with you.
Orbi and OrbiPro are some of the most advanced physical layer, link layer and protocol layer network product implementations I have been associated with in my 35-year career at four networking companies. The Fast Lane 3 architecture is the result of nearly one hundred man-years of development, including trial versions which never saw the light of day.
We set out with the single-minded purpose of creating a distributed LAN and WLAN solution which could be deployed reliably by a networking novice.
That is exactly what Orbi achieved. In independent test after independent test, Orbi beats all competitors in coverage and delivered bandwidth. That is amazing because very few of these tests actually test what Fast Lane Three technology is actually exceptional at, and that is fully loaded networks. What you don't really appreciate with essentially all of the industry tests you will find is that these distributed WiFi solutions are not really taxed when you only have one or two clients walking around doing speed tests. If that was the only application that these would support, then it wouldn't have taken years to develop this solution.
The reality is that WiFi solutions, even in the home, are bombarded by dozens of connections, from handheld clients to video displays to IoT cameras and sensors. What you don't see is how competitive solutions fall down when their backhaul (which is shared with random endpoints) gets congested because every single packet is traversing it twice. But the fact that this is the most advanced solution of its type on the market is not what makes Orbi unique and perfect... it is the fact that it is so simple to turn on and use by networking novices.
I will concede that there are home networks with VLANs (my personal experience is maybe 1 in 100). Certainly there are small businesses that are built upon discrete network architectures. But neither of these two applications was the target for Orbi or OrbiPro. Netgear has a wide selection of business, commercial and even individual user WLAN solutions which are ideal for these deployment cases. The Insight WAC510 is a great example of a product which, for roughly $100 US, provides a Wave 2 11ac solution which could easily provide the capabilities you are looking for and support remote cloud management as well.
As I mentioned, the Orbi architecture is one of the most advanced networking solutions I have been associated with in my career, and it is roughly one year old. The product is doing band steering, active client roaming, signal optimization and trying to offer thousands of square feet of coverage, without a site survey, band programming or manual signal strength tuning. We continue to learn more and more about the challenges of implementing an autonomous self-optimizing WLAN ecosystem in a world where certain mobile phone providers and video adapter developers regularly release clients with novel WiFi behavior. We are firmly committed to this architecture and continue to invest in improving the customer experience.
While you might disagree with our attempt to target this particular customer segment, which you are clearly not a member of, I wanted to make sure you understood who we are targeting the product at and why we made the design tradeoffs which we did.
John
- johngm
Apr 06, 2018, NETGEAR Employee Retired
Sorry for the delay responding. First of all, I will say that the final decision about the question you are asking will come from another business unit, and the Orbi (home) product is on a different code base, so both feature set and timing are fairly independent. In my discussions with those folks they see this issue as less urgent in a home setting than it would be in a small business deployment. They are making tradeoffs between the addition of features being requested by their users and this defect, which is seen as a P3 or P4.
Finally, even within my own business unit we are continuing to do code inspection and design review to fully understand the implications of the fix we are planning on OrbiPro. We are concerned that there are other side effects between router and AP mode with the obvious solution.
The concerns being raised are well understood and both teams are trying to address the issues which we feel are most impactful and beneficial to our wide customer base.
Stay tuned.
John