Reply
schumaku
Guru

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network


@User00 wrote:

As of 11/25/18 - the problem still exists.  Although I'm in AP mode - realizing that it's not actually separating the two networks is enough for me to return this device.


As you see form reading this thread, Netgear does not intend to change this for the consumer class Orbi system.

Message 101 of 118
User00
Star

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network


@schumaku wrote:


As you see form reading this thread, Netgear does not intend to change this for the consumer class Orbi system.


FWIW, I opened a ticket with Netgear explaining the issue and asking if this was by design or a bug.  They asked me to send them my config and they will put it in their test environment to confirm.  To me, if that would allow one engineer to see the problem in action and then be able to fix it - i'll keep the setup.  

Of course, now as I'm in the process of changing the SSIDs and passwords of the config - I ran into another weird bug - where the satellite only seems to sync the base password, but not the WiFi settings unless I perform a factory reset. 

So for me, fixing these two issues (and maybe adding an option to remotely reboot the satellite without having to upload a firmware) - then you have a decently solid product.

 

 

 

Model: RBK22| Orbi AC2200 Tri-band WiFi System
Message 102 of 118
User00
Star

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

So response from Netgear support (had to be escalated) was that because the SSIDs are indeed on the same network - the broadcast NMAP/Fing traffic cannot be prevented.  However, because they are blocked from actually making any connections to those devices then that's sufficient for Guest isolation.  If you are able to make a connection to any device, then they'll investigate further. 

So while, it's not necessarily a deal breaker for some - I wish they would mention this on the product page without having the users discover it on their own.

Model: RBK22| Orbi AC2200 Tri-band WiFi System
Message 103 of 118
ErdTirdMans
Aspirant

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Yeah... this is making me seriously consider returning this whole thing and going back to a convoluted but secure setup. I've been on the openwireless.org train for a long time now and I'm not hopping off just because Netgear can't manage to do with this router what they've done plenty of times before.

 

You can't very well label it a setup that only businesses use when you and your competitors have included it on many consumer routers for years. The fact that it *is* available on this architecture but in the "Pro" form is just insult to injury. This isn't DynDNS or high-end QoS, it's security.

Model: RBK43| Orbi AC2200 WiFi System
Message 104 of 118
jamestores
Aspirant

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

As good as Netgear Orbi may be and the fact it retains its #1 spot does not excuse them from the privacy that guest network should have, This is over a one year old problem so it looks like it will never be fixed. I know 1st hand that customers have spoken to Netgear support on the phone then the issue goes silent with no fix. I tested Orbi just over a year ago and I was blown away with the coverage and performance but advertising and supporting a guest network that is not isolated from the main network is unexceptionable, In fact even in my own testing I contacted Netgear over a year ago and asked them why did the guest network get an IP in the same range as the main network and that went unanswered. buyer beware. You can read the complaints here

Message 105 of 118
User00
Star

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

It's really all about managed expectations.  If all you need is coverage for no more than 2 SSIDs with one of them as a "trusted" guest - then the Orbi is really a great product.  If you need the true separation between clients and networks - then you'll just have to look somewhere else.  Somehow, I don't think anyone is going to print that on the box though....

Model: RBK22| Orbi AC2200 Tri-band WiFi System
Message 106 of 118
dan801
Apprentice

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

I went into a large corporate business today that I noticed had some Orbi Pro attached to the wall. There was one locked network and one with a guest label (no password). I viewed this threat a little while ago so I decided to check. I managed to access their computer network and view some pretty sensitive sales and personnel data. Now I have no use for any of that so I didn’t look any further into it but Pretty scary stuff
Message 107 of 118
BIG9MM
Apprentice

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network


@dan801 wrote:
I went into a large corporate business today that I noticed had some Orbi Pro attached to the wall. There was one locked network and one with a guest label (no password). I viewed this threat a little while ago so I decided to check. I managed to access their computer network and view some pretty sensitive sales and personnel data. Now I have no use for any of that so I didn’t look any further into it but Pretty scary stuff

Are you talking about the Orbi or the Orbi Pro?  I did think it was fixed on the Orbi Pro.

Message 108 of 118
ThisIsAwkward
Aspirant

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Just got off the phone with a support engineer.  He claims since a guest network is a different SSID key they are different networks?  I am skeptical since nodes on my guest network are assigned IP's that I have defined on my LAN (10.0.0.2 - 200).  I was hoping to have a guest network in the default IP range (192.168...).  Has anyone gotten this configured successfully?

Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 109 of 118
ThisIsAwkward
Aspirant

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Also was told by Level 2 support that the Guest Network is only there as a means to provide guests access to my network and that the guest network cannot be segmented from the LAN.

Message 110 of 118
schumaku
Guru

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Netgear does deploy some L2 isolation for the standard vs. the guest network on these consumer devices. All systems are run from the same DHCP in the same subnet. The isolation can be cobsidered "good enough" for consumer applications. On Orbi Pro a few enhancements have been implemented, ebahxibg the isolation. Still it's not intended to serve dedicated VLAN and dedicated subnetworks and DHCP pools.

Not amused Netgear support engineers are not able to explain this in a few words.
Message 111 of 118
TECman51
Tutor

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

I have read this thread and understand little of it so I ask for assistance.  I have a 3500 s.f. home, a rental unit about 150' away and an RV (sometimes used for guests) about 75' away.  I want to allow internet access to the rental and RV but isolate my home network.  From reading this thread, it would appear the RBK60 Pro is the best way to accomplish this.  Or stay with the RBK53?  I have access to both models as well as an EX7500 extender.

 

Also, if I go with the RBK60 or RBK53, would there be any security issues extending the range to the rental and guest RV without using the Orbi outdoor satellite?  If not, what is the recommendation?

Message 112 of 118
johngm
NETGEAR Moderator

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

TECman51,

 

First of all let me clear up a few things.  The RBK5X and RBK6X family have the same radios but the 60 family is designed for small business applications (mounting, software features, etc).  So from the standpoint of wireless connectivity you are going to be in the same boat with both and the 6X and 5X family DON'T talk to each other so don't try to mix them.

 

With Orbi, the radio and product design are really optimized to generate a very high quality backhaul (from satellite to base station, or satellite to satellite) and the client facing radios are tuned to limit cross over interference between the satellites and base station.   In simple terms for best performance, make sure you can see the base station or a satellite from wherever you want good performance, and make sure the line between the satellites and the base station is as clear as possible.  

 

In open air (without obstructions) we have seen Orbi's perform well at more than 500' of separation, so your distances are not a problem.  What will need to be considered is the type of walls and the number of walls between the base station and the satellite.   For best results place the base station on the side of your home which faces your guest house and RV.   Similarly place the satellites in each of those units nearest to the house.   Metal walls are particularly challenging so you may want to place it near a window (not low-e hopefully) in the RV.  

 

With regards to isolation, this is where there is a difference between the RBK5X and SRK6X.   Orbi Pro uses SSID access as a basic way to isolate traffic and access within an Orbi network.   On Orbi Pro you can set up three different "networks" using a Management, Employee, and Guest SSID.   The "Guest" SSID will send all traffic out the WAN port, so it will not have access to local assets on the other SSIDs or the hardwired ports on the base station and satellites.   The same is true of the "Employee" SSID.  The "Management" SSID allows access to all devices on the hard ports and the other SSIDs.   The RBK5X products and all other "Orbi" products, does not offer this isolation.  Guest SSID is just a different set of credientials to get access to your whole network.  

 

One last bit of insight.  Orbi Outdoor works with both the RBK5X (and other Orbi products) and the SRK60 (Orbi Pro products).   It is similar in internal design as the 5X and 6X and can help you if penetrating walls as well as outdoor obstructions is an issue getting to your guest house and RV.  

 

Hope this helps.

 

john

 

 

Message 113 of 118
BIG9MM
Apprentice

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

This is where I felt like I got robbed. When I bought the Orbi I assume the gest network would isolate the Chromecast from streaming Chromecast media to my home network, unfortunately, anybody on the guest network access can stream anything over on top any of my TVs. Now turning off guest network not allowing each other to see each other will not allow them to stream their chrome cast device to the TVs that’s on the guest network. Another downside is I set up a printer network for the guest network wirelessly and no one can see the printer on the guest network if I don’t allow devices to be seen by each other on the guest network. Without having a Orbi pro I find the guest network not straightforward and very hard to configure for privacy and convenience for the guest network.

Message 114 of 118
Vahik
Aspirant

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Activated the guest mode and uncheck the "Allow guests to see each other and access my local network". Now on guest wifi, can not open the routers login page, but all connected devices to the main wifi are visible by NetAnalyzer app on android.
Model: RBK40| Orbi AC2200 WiFi System
Message 115 of 118
BIG9MM
Apprentice

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Visible by NetAnalyzer app on android, yup no new news at all. That is why they put out the Orbi PRO version I believe.
 
Message 116 of 118
schumaku
Guru

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network


@Vahik wrote:
Activated the guest mode and uncheck the "Allow guests to see each other and access my local network". Now on guest wifi, can not open the routers login page, but all connected devices to the main wifi are visible by NetAnalyzer app on android.

Yes - however you won't be able to establish e.g. TCP or UDP connections for example beteen the different networks. This was explained in this thread before several times. Scroll back to about Messge #57 - there is even a reply from @johngm  on the subject. https://community.netgear.com/t5/Orbi/CAUTION-Orbi-s-Wifi-Guest-Network-does-not-really-isolate-gues... Netgear does not intend to enhance things towrds a full VLAN-like isolation on the consumer routers (Nighthawk, Orbi). Only the Orbi Pro systems will get (or have received already) some enhancements. 

Message 117 of 118
schumaku
Guru

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

All the guest WLAN, the standard WLAN and the LAN are sharing the same L2 infrastructure including the very same TCP/IP subnetwork and DHCP server with DHCP pool and more. With the isolation feature for the guest network enabled (that's all there is implemented!), the individual guests can't communicate with other devices on the guest network or with devices on the standard (W)LAN. In no way this is providing a complete L2 isolation bottom up.

Message 118 of 118
Top Contributors
Discussion stats
Announcements