Reply

CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

JoeM845
Luminary

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network


@NaderA wrote:

All,

Thank you for your choosing Orbi Pro and your loyalty with Netgear.  I appreciate all of your feedback that helps us making Orbi Pro an even better product for your business. I personally read all of your feedback and comments and take them very seriously, especially in cases like this.

 

Please note that we have identified the issue and have rectified it with a FW update that you can download and update your Orbi Pro units.

This FW update can be found below. 

Download Orbi Pro Firmware 2.1.4.8 with Client isolation

 

Orbi Pro Product Management

 


I don't understand why the FW link takes you to a page on salesforce.com.

 

I, too, would appreciate it if Netgear addressed the problem for the non "pro" Orbis

Message 76 of 118
rhester72
Virtuoso

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

100% agree.  Security is *NOT* a business perk.  It's a market requirement, period, and if you don't grasp that, your competitors do.

Message 77 of 118
BIG9MM
Apprentice

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

I posted it a while back that I was dissatisfied about guest network able to access the local network but I just want to clarify with this new patch, Orbi firmware update v2.1.4.16 does it fix the issue now? Any clarification on this would be helpful and beneficial for future customers.
Message 78 of 118
JoeM845
Luminary

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network


@BIG9MM wrote:
I posted it a while back that I was dissatisfied about guest network able to access the local network but I just want to clarify with this new patch, Orbi firmware update v2.1.4.16 does it fix the issue now? ...

 

I updated to FW 2.1.4.16 today by clicking on the update message on the RBR50 main Web GUI page and then electing to install all automatically. It proceded and completed. The sattelite took a few extra minutes to complete, but it eventually sinced up with no manual intervention.

 

It seems to be working more-or-less as well as it was prior to the fw upgrade:

1) The Prosafe Plus utility will no longer brieach the guest network wall to let me reconfigure switches (note: Also upgraded to 2.7.2)..

2) My IP scanner tool still shows devices on the main network -- both IP and MAC addresses)

3) A number of devices are missing from the connected devices displays where they used to appear. Sattelite shows 1 device (> zero). I would exoect to see the remaining devices split between the 2 ORBIs.

 

 

Message 79 of 118
dragunov
Aspirant

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Hello,

 

I've just updated to v2.1.4.16 firmware on my home Orbi system. I've been recommended by cyber security professionals that I isolate smart devices in my home on their own separate network. The responses here seem to indicate that Orbi is not taking this seriously for non-pro users - can anyone confirm if they have made the necessary changes to ensure our security in this latest firmware?

 

Thank you.

Message 80 of 118
Mr-Wednesday
Tutor

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

You just installed the latest version.  Can't you confirm for us?

Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 81 of 118
Mister-Mike
Aspirant

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

OK - I am hoping for some (possible) help here... I am very concerned about this.  I have around a dozen or so small mortgage offices (only a couple of users at each), where I have the Orbi RBR50 plus satellite installed.  in all cases, the networks are IPV4 only, and IPV6 is disabled.  All of the units have the absolute latest firmware to-date (2.1.4.16).  At each location, I have the private network on subnet 192.168.0.X, and on the Orbi, the network is in ROUTER MODE on subnet 10.0.0.X.  I have discovered that, even with the option DISABLED in the guest network settings, that ANYONE who connects to the guest network can easily and readily access ANY of my servers/resources on the 192.168.0.X subnet!  I was pretty shocked.  I managed to connect to the guest network, and easily not only PING one of the servers, but was able to RDP onto the server, as well as access the shared data volume.

 

This is completely unacceptable - and this is at all 12 locations.  Again - with only 2 or 3 people on-site, I saw no reason to go beyond the RBR50 + Satellite units for these tiny offices.  And I assumed that correctly having the guest network set-up would keep access to the wired 192.168.0.X network secure.  Again - IPV4 ONLY, in ROUTER mode.  Is there a fix here?  I am already running firmware 2.1.4.16.   The thought of having to replace all of these, because of a glitch with Netgear, is ridiculous.  I loved these so much, that I also bought this for my own home, and for friends' homes.  One note - I was promised over the phone when speaking to Netgear for general product info, that the guest network would be isolated!  Ugh..... now what?

 

If anyone has any ideas or advice, it would be so very much appreciated... more than you know.  Thank you very much in advance for any help you can give...

Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System, RBR50| Orbi AC3000 Tri-band WiFi (Router Only)
Message 82 of 118
FURRYe38
Guru

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

I see there was mention of this issue being resolved in the PRO version. Not sure if this has populated to the Home version. I presume you are using the PRO version? Or Home? It's not recommended to use Home products in a business setting. Things test to lead to products not working as well for the Business environment. Business envrionments need more than Home class products for safter and secure operations. You may need to look into better business solutions for your needs if your using a Home class system. If your concerned about this, you'll need to disable the Guest Network feature on your systems.

 


@Mister-Mike wrote:

OK - I am hoping for some (possible) help here... I am very concerned about this.  I have around a dozen or so small mortgage offices (only a couple of users at each), where I have the Orbi RBR50 plus satellite installed.  in all cases, the networks are IPV4 only, and IPV6 is disabled.  All of the units have the absolute latest firmware to-date (2.1.4.16).  At each location, I have the private network on subnet 192.168.0.X, and on the Orbi, the network is in ROUTER MODE on subnet 10.0.0.X.  I have discovered that, even with the option DISABLED in the guest network settings, that ANYONE who connects to the guest network can easily and readily access ANY of my servers/resources on the 192.168.0.X subnet!  I was pretty shocked.  I managed to connect to the guest network, and easily not only PING one of the servers, but was able to RDP onto the server, as well as access the shared data volume.

 

This is completely unacceptable - and this is at all 12 locations.  Again - with only 2 or 3 people on-site, I saw no reason to go beyond the RBR50 + Satellite units for these tiny offices.  And I assumed that correctly having the guest network set-up would keep access to the wired 192.168.0.X network secure.  Again - IPV4 ONLY, in ROUTER mode.  Is there a fix here?  I am already running firmware 2.1.4.16.   The thought of having to replace all of these, because of a glitch with Netgear, is ridiculous.  I loved these so much, that I also bought this for my own home, and for friends' homes.  One note - I was promised over the phone when speaking to Netgear for general product info, that the guest network would be isolated!  Ugh..... now what?

 

If anyone has any ideas or advice, it would be so very much appreciated... more than you know.  Thank you very much in advance for any help you can give...


 

My Setup (Cable 1Gbps/50Mbps)>CM1200 v2.02.03(LAG Disabled)>RBK853 v3.2.18.223/RBK50 v2.7.2.104(WW)
Additional NG HW: C7800/CM1100/CAX80/CM2000, Orbi CBK40, R7800, R7960P, EX7500/EX7700, XR450(v2.3.2.120) and WNHDE111
Message 83 of 118
Mister-Mike
Aspirant

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Hello!  Well, I wish I was advised to buy the Pro.  The offices are small, only a couple of users each.... and I was ready to purchase whatever was recommended.  No one mentioned a Pro system.  So now I will need to look into upgrading... however I can't believe there isn't an answer to this.  Because - regardless, this is also completely unacceptable in ANY home environment.  An isolated guest network is just that - an isolated guest network, whether in a home or wherever.   I am not opposed to buying Pro versions, but I need some type of stopgap/workaround in the meantime if possible...

Message 84 of 118
FURRYe38
Guru

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

I would disable the Guest Network. If you just got the Orbis, you should check into returning them after looking into the PRO version...

Something to ask NG about and see.

@BretD

@ChristineT

@Christian_R


@Mister-Mike wrote:

Hello!  Well, I wish I was advised to buy the Pro.  The offices are small, only a couple of users each.... and I was ready to purchase whatever was recommended.  No one mentioned a Pro system.  So now I will need to look into upgrading... however I can't believe there isn't an answer to this.  Because - regardless, this is also completely unacceptable in ANY home environment.  An isolated guest network is just that - an isolated guest network, whether in a home or wherever.   I am not opposed to buying Pro versions, but I need some type of stopgap/workaround in the meantime if possible...


 

My Setup (Cable 1Gbps/50Mbps)>CM1200 v2.02.03(LAG Disabled)>RBK853 v3.2.18.223/RBK50 v2.7.2.104(WW)
Additional NG HW: C7800/CM1100/CAX80/CM2000, Orbi CBK40, R7800, R7960P, EX7500/EX7700, XR450(v2.3.2.120) and WNHDE111
Message 85 of 118
Jeremyinsf
Apprentice

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

You can ask to get the beta firmware. I've tested it and it seems this issue is resolved in the new version.
Message 86 of 118
Mister-Mike
Aspirant

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

I would love to test this Jeremy - who should I contact?  Their regular support department?

Message 87 of 118
Jeremyinsf
Apprentice

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

There is a pinned post about joining. Check that out and ask to be added to the beta program. It isn't immediate but perhaps state in your post you want to test a specific issue that may be resolved that you are currently having issues with. Hopefully they will add you quickly with that.

Fyi this was one of the first things I tested when I got the new firmware, as I have other posts about this topic as well. Would love to hear you confirm you also think it is corrected.
Message 88 of 118
FURRYe38
Guru

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

https://community.netgear.com/t5/Orbi/Looking-for-a-select-group-of-Orbi-Community-members-that-are/...


@Mister-Mike wrote:

I would love to test this Jeremy - who should I contact?  Their regular support department?


 

My Setup (Cable 1Gbps/50Mbps)>CM1200 v2.02.03(LAG Disabled)>RBK853 v3.2.18.223/RBK50 v2.7.2.104(WW)
Additional NG HW: C7800/CM1100/CAX80/CM2000, Orbi CBK40, R7800, R7960P, EX7500/EX7700, XR450(v2.3.2.120) and WNHDE111
Message 89 of 118
FURRYe38
Guru

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

I would send a PM to @ChristineT, @DarrenM and @Christian_R for more immediate responce.


@Mister-Mike wrote:

I would love to test this Jeremy - who should I contact?  Their regular support department?


 

My Setup (Cable 1Gbps/50Mbps)>CM1200 v2.02.03(LAG Disabled)>RBK853 v3.2.18.223/RBK50 v2.7.2.104(WW)
Additional NG HW: C7800/CM1100/CAX80/CM2000, Orbi CBK40, R7800, R7960P, EX7500/EX7700, XR450(v2.3.2.120) and WNHDE111
Message 90 of 118
ChristineT
Admin

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Good morning @Mister-Mike,

 

Please check your private messages for a link to the Beta Community. Please provide your feedback within the Beta Forum so we can ensure your findings are investigated further if needed.

 

Thanks @Jeremyinsf and @FURRYe38 for the assistance here! :-)

 

Best Regards,

Christine 

Message 91 of 118
FURRYe38
Guru

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

@Mister-Mike

Please let us know how it goes with the new beta FW.


@FURRYe38 wrote:

I would send a PM to @ChristineT, @DarrenM and @Christian_R for more immediate responce.


@Mister-Mike wrote:

I would love to test this Jeremy - who should I contact?  Their regular support department?


 


 

My Setup (Cable 1Gbps/50Mbps)>CM1200 v2.02.03(LAG Disabled)>RBK853 v3.2.18.223/RBK50 v2.7.2.104(WW)
Additional NG HW: C7800/CM1100/CAX80/CM2000, Orbi CBK40, R7800, R7960P, EX7500/EX7700, XR450(v2.3.2.120) and WNHDE111
Message 92 of 118
st_shaw
Master

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network


@Mister-Mike wrote:

OK - I am hoping for some (possible) help here... I am very concerned about this.  I have around a dozen or so small mortgage offices (only a couple of users at each), where I have the Orbi RBR50 plus satellite installed.  in all cases, the networks are IPV4 only, and IPV6 is disabled.  All of the units have the absolute latest firmware to-date (2.1.4.16).  At each location, I have the private network on subnet 192.168.0.X, and on the Orbi, the network is in ROUTER MODE on subnet 10.0.0.X.  I have discovered that, even with the option DISABLED in the guest network settings, that ANYONE who connects to the guest network can easily and readily access ANY of my servers/resources on the 192.168.0.X subnet!  I was pretty shocked.  I managed to connect to the guest network, and easily not only PING one of the servers, but was able to RDP onto the server, as well as access the shared data volume.

 

This is completely unacceptable - and this is at all 12 locations.  Again - with only 2 or 3 people on-site, I saw no reason to go beyond the RBR50 + Satellite units for these tiny offices.  And I assumed that correctly having the guest network set-up would keep access to the wired 192.168.0.X network secure.  Again - IPV4 ONLY, in ROUTER mode.  Is there a fix here?  I am already running firmware 2.1.4.16.   The thought of having to replace all of these, because of a glitch with Netgear, is ridiculous.  I loved these so much, that I also bought this for my own home, and for friends' homes.  One note - I was promised over the phone when speaking to Netgear for general product info, that the guest network would be isolated!  Ugh..... now what?

 

If anyone has any ideas or advice, it would be so very much appreciated... more than you know.  Thank you very much in advance for any help you can give...


If I understand what you wrote correctly, you have Orbi in Router mode behind another router, with the 192.168.0.x subnet on the WAN side of Orbi.

 

If so, the behavior you report is not a glitch with NETGEAR.  The behavior is as expected, and is due to the way you have Orbi setup.

 

Guest isolation pretains only to the LAN side of Orbi and does not affect traffic heading to the WAN side of Orbi. The PRO would behave no differently. Also, Orbi's guest isolation only pertains to wireless clients, not wired machines.

 

If you want to maintain two separate networks, then you need a router that supports multiple subnets and IP-based firewall rules to control traffic between subnets. If your current router doesn't support this, you could buy a cheap router that does and run the Orbi in Access Point mode behind that.

Message 93 of 118
Mister-Mike
Aspirant

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Thank you for that insight/explanation...

 

So, if I am understanding you correctly... then the following scenario WOULD work, or?   As follows:

 

- A cable modem coming into the building, in Bridge Mode / Pass-Thru mode.

- The modem connected to the WAN port of the ORBI (yellow "Internet" port)

- a small gigabit switch connected to one of the ports in the back of the ORBI (1 thru 4 - any port)

- the switch, connecting to several PC's in the home via Cat5e/Cat6 Ethernet

- The ORBI in ROUTER mode, provided all IP assignments / DHCP assignments

- Then, create a GUEST network in the wireless settings.

 

In this scenario, with only the ORBI providing all routing, and the only thing behind the ORBI is a cable modem in Bridge Mode, providing zero routing... then anything on the LAN wired through a small switch, then connected to one of the ports on the back of the ORBI.  In this scenario, would the guest network be able to "see/interact with" the wired devices?

 

If this is the case, I can easily implement this type of setup (these are VERY small places - just a couple users, one single room etc.).

 

Thank you again for the clarification!

Message 94 of 118
FURRYe38
Guru

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Yes that would work. Make sure your switch is a NON managed switch. Orbi doesn't seem to like Managed switches. Smiley Frustrated

My Setup (Cable 1Gbps/50Mbps)>CM1200 v2.02.03(LAG Disabled)>RBK853 v3.2.18.223/RBK50 v2.7.2.104(WW)
Additional NG HW: C7800/CM1100/CAX80/CM2000, Orbi CBK40, R7800, R7960P, EX7500/EX7700, XR450(v2.3.2.120) and WNHDE111
Message 95 of 118
st_shaw
Master

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

 

Your isolation requirements aren't clear to me. But, yes, in the scenario you described, any wireless client connecting to the Orbi's guest SSID would be blocked from interacting with the rest of the Orbi LAN--both wired clients and wireless clients connected to the Orbi non-guest SSID. This assumes guest isolation is enabled on Orbi (and working as designed.)

Message 96 of 118
JoeM845
Luminary

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

I am running fw 2.1.4.16 on an RBR50 in AP mode. When I run an IP scanner from a Windows 7 computer on the guest wireless network, it "sees" most (all?) devices on the wired LAN side of the RBR50. I have not been able to connect to them the way I could with previous versions of the fw, but I can detect their presence, their IP addresses, and their MAC addresses. I have not done an exhaustive connection test I don't know enough to devise an exhaustive test.

 

 

Message 97 of 118
FURRYe38
Guru

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

Is your Orbi router running in router mode and the only router on the line when you test this?

I would ask for the Beta FW from NG and see if this resolves what your seeing.

https://community.netgear.com/t5/Orbi/Looking-for-a-select-group-of-Orbi-Community-members-that-are/...

 


@JoeM845 wrote:

I am running fw 2.1.4.16 on an RBR50 in AP mode. When I run an IP scanner from a Windows 7 computer on the guest wireless network, it "sees" most (all?) devices on the wired LAN side of the RBR50. I have not been able to connect to them the way I could with previous versions of the fw, but I can detect their presence, their IP addresses, and their MAC addresses. I have not done an exhaustive connection test I don't know enough to devise an exhaustive test.

 

 


 

My Setup (Cable 1Gbps/50Mbps)>CM1200 v2.02.03(LAG Disabled)>RBK853 v3.2.18.223/RBK50 v2.7.2.104(WW)
Additional NG HW: C7800/CM1100/CAX80/CM2000, Orbi CBK40, R7800, R7960P, EX7500/EX7700, XR450(v2.3.2.120) and WNHDE111
Message 98 of 118
User00
Star

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network

As of 11/25/18 - the problem still exists.  Although I'm in AP mode - realizing that it's not actually separating the two networks is enough for me to return this device.

Model: RBK22| Orbi AC2200 Tri-band WiFi System
Message 99 of 118
schumaku
Guru

Re: CAUTION: Orbi's Wifi Guest Network does not really isolate guests from main network


@johngm wrote:

 

While you might disagree with our attempt to target this particular customer segment, which you are clearly not a member of, I wanted to make sure you understood who we are targeting the product at and why we made the design tradeoffs which we did.


Well, dear John,

 

  • Users continue to disagree with the tradeoffs since our agreement to disagree - being on Orbi (yet another customer returning an Orbi product as posted these hours), and
  • Orbi and Orbi Pro users have massive problems when combining wired and wireless backhaul (something that must simply work transparent and automatic), and last
  • we find that Netgear has pushed the similar tradeoffs to the Insight business router (BR500) where the specs clearly don't match the implementation: Claiming to support 256 VLAN but in reality there are just four, where all must be untagged LANs, and just one VLAN per port, so with four LAN ports it is just supporting for VLAN with four subnets and dedicated DHCP only - ways off the specs, ways off the capabilities of the Insight switches and wireless access points.

I'm still convinced things could be done properly by using industry standard technology with tagged VLANs on designated ports. It's all about proper documentation and communication. For the Insight routers this is undoubted a must, for the Orbi Pro a proper solution was promised, while Orbi customers are left behind. Every industry standard Linux router with iptables plus some support software is ways ahead. And afraid, the L2 routing technology in place has massive performance problems in combination with QoS and connection logging - that's why we have to guide your customers to disable useful features when they have high speed Internet connections in place (like 1G or 10G which are industry standard in more and more markets), otherwise the router performance is badly impacted. You can find this not only in Orbi or Orbi Pro, but much more prominent on the Nighthawk routers, too.

And all this is not helpful for promoting the Netgear brand products.

Message 100 of 118
Top Contributors
Discussion stats
Announcements