×

Introducing the Orbi 970 Series Mesh System with WiFi 7(BE) technology. For more information visit the NETGEAR Press Room.

Orbi WiFi 7 RBE973
Reply

Re: Enabling Guest Network

dsc_dewain
Guide

Enabling Guest Network

Has anyone tried the guest network yet?  Couple of things I see.

  1) When activating, I assume the router/satillite do some sort of reset, as my devices got disconnected during the process.

  2) There is no seperate Access Control. There is no way to segregate the allow / block access per network.  I tried blocking my phone from my network, thinking it could log into the guest network, Nope.  What ever you have setup for access controls also appears to apply to Guest Network.  I did not play around with new devices can or cannot be added, as I don't have any other devices to play with.

  3) There is no way to determine that I can see, if a device is on the main network or the guest network.

 

Model: Orbi High-Performance AC3000 Tri-Band WiFi System (RBK50)
Message 1 of 21

Re: Enabling Guest Network


@dsc_dewain wrote:

Has anyone tried the guest network yet?  Couple of things I see.

  1) When activating, I assume the router/satillite do some sort of reset, as my devices got disconnected during the process.


 


 

thats normal

 


@dsc_dewain wrote:

  2) There is no seperate Access Control. There is no way to segregate the allow / block access per network.  I tried blocking my phone from my network, thinking it could log into the guest network, Nope.  What ever you have setup for access controls also appears to apply to Guest Network.  I did not play around with new devices can or cannot be added, as I don't have any other devices to play with.

 

 

 


i think this is also normal as access control is done at mac / ip level not by wifi connection

 


@dsc_dewain wrote:

  3) There is no way to determine that I can see, if a device is on the main network or the guest network.

 


you cant normally distinguish this on other routers anyway

Message 2 of 21
dsc_dewain
Guide

Re: Enabling Guest Network

The router I replaced had a guest network. Totally separate. I was able to block new accesses on the main network, and still allow access to the guest network. Also, I was able to activate and deactivate guest network without kicking off current devices from main network.
Message 3 of 21
wodehouse
Aspirant

Re: Enabling Guest Network

It seems to me that Guest network only blocks DNS lookups from attached devices to find other local devices. But if you poke around by IP address, you have full access to all local devices and services. Is this true? Please tell me this isn't true...if it is true Netgear is fooling people into thinking they are secure. And it makes me wonder what "security" is actually applied to internet traffic.

Message 4 of 21
RonV42
Luminary

Re: Enabling Guest Network

I have used the guest access though the the Christmas holiday with friends over and none of the deivces could see or use my media server, printers,etc.  So yes guest means guest.

Message 5 of 21
wodehouse
Aspirant

Re: Enabling Guest Network

Hey Ron,

That is likely, because by default windows (and Macs?) will try to find devices by DNS lookups. What I am pointing out is that if you access devices by number instead, then there is no isolation. For instance, as I write, I am on a guest network. I can see in Device Manager that I ought to know about several NAS's on my network, but they are grayed out since Windows. wants to talk with them by name, not address. If I try to access them I get denied. BUT, and it is a big one, if I go to explorer and mount the NAS by address (e.g. \\192.168.1.47\share instead of \\myserver\share) they pop right up as usual. Also, my printer is still accessible since I assigned it by IP address and not by WSD port.

 

Hence my concern: people who aren't aware believe they are secure. People who want to pwn them can do it easily with a port scanner and no tools (given that most people leave guest unsecured and have low to no security on their NASs for internal use).

Message 6 of 21
RonV42
Luminary

Re: Enabling Guest Network

wodehouse,

 

I am afaid you are incorrect.  I have tested the guest network with various devices, phones (Android, iPhone, Windows Phone) , tablets (iPad Air, Android) , and computers (SurfacePro, Lenovo, Macbook,  etc.).  When they were attached they had no connectivity whatever to any of the devices that on on my wired or wireless network.  The only addresses the router would accept would be public IP addresses and the were routed out the WAN port of the router.  Any private address was dropped by the router. 

 

  It has nothing to do with the DNS it's all about how wireless creates a new "wl interface" and then uses the router and firewall rules to prevent traffic from going from this wireless network interface other other interfaces.  If you dump IP tables and network adapter configurations you will see them change when the options for guest is turned off and on.

 

Netgear is not fooling anyone, If you think there is a bug or something in your configuration that may allow this to happen I would suggest you open a ticket with Netgear.   

Message 7 of 21
Mikey94025
Hero

Re: Enabling Guest Network

I also confirmed that if I connect to my Guest network, it works correctly and I do not have access to IP addresses on my main network.  I could not ping nor access a Windows network share via the main network, but I could once I went back to my main wireless network.  Let's not scare everyone with incorrect claims before exhaustive testing & diagnosis.

 

wodehouse, is it possible that you have "Allow guests to see each other and access my local network" checked for your Guest network?  That could be one reason to explain your access to IP addresses on your main network.

 

Message 8 of 21
wodehouse
Aspirant

Re: Enabling Guest Network

Hi Mikey, Thanks for the suggestion. I indeed have that setting disabled. So for grins I ran the following further tests from my phone instead of laptop (I can run more diagnostics from the phone that are ordinarily blocked by the security settings I have locked down on my laptop): (1) forgot internal network. (2) cleared application data and cache from my ezNetScan application (3) rebooted phone (4) connected to guest network (5) scanned for devices. Saw all devices on the internal network. Was able to access and download file from internal net's NAS (a public share). Something is definitely up -- internal net has WPA2-PSK [AES] enabled while guest has no security enabled.... I would think my steps (1)-(3) should have cleared any cached keys and references to internal network. Any thoughts?
Message 9 of 21
wodehouse
Aspirant

Re: Enabling Guest Network

can you tell me how to dump the tables so I can see first hand the changes you call out? thanks
Message 10 of 21
rhester72
Virtuoso

Re: Enabling Guest Network

I too have seen the ability to reach, well, everything on the LAN from the guest network, but I'm in AP mode.  I don't have the ability to run Orbi as a dedicated router, so I can't speak for the isolation available in the default configuration.

 

Rodney

Message 11 of 21
Mikey94025
Hero

Re: Enabling Guest Network

Good point -- wodehouse, are you running your Orbi in AP mode?  I'm not so that may explain the isolation behavior differences.

 

Message 12 of 21
wodehouse
Aspirant

Re: Enabling Guest Network

Hi guys,

Glad I am ont the only one seeing this. But, nope, I am not in AP mode. I do have a separate AP in the house on the internal network, but I have unplugged it during testing to remove it from the equation. Also I am running a WNDR4500v2 (not Orbi) with latest firmware (V1.0.0.60_1.0.38).

 

cheers

Message 13 of 21
RonV42
Luminary

Re: Enabling Guest Network

wodehouse,

 

I am curious how is your network connected? You say you also have other router on your network also?  Based on all the responses here you are the only one seeing this in router mode.  In AP mode the guest network has no isolation at all so I am wondering where you leakage is coming from.  Also have you tried to open a ticket to tech support, they are very responsive?

Message 14 of 21
wodehouse
Aspirant

Re: Enabling Guest Network

I have the WNDR4500v2 in the basement as my router to the world, and main switch on my network (wired and wireless). Upstairs I also have a Nertgear WAC120 access point. As noted, I powered that off during tests to isolate the symptoms.

Message 15 of 21
rhester72
Virtuoso

Re: Enabling Guest Network

If you have Orbi in router mode connected to another router, you're double-NATting and guest will never work as intended.  Orbi has to be the *only* router for isolation to work.

 

Rodney

Message 16 of 21
RonV42
Luminary

Re: Enabling Guest Network

With a router connected to another router your orbi netowrk is isloated in guest but the Wan port to the other roter would be a "external" network and thus all devices would be seen.   Let say that you used 192.168.1.1 as your network for the WNDR4500 and 192.168.2.1 as your IP address for the Orbi.  With the devices:

-----------------
| Internet      |
|  172.x.x.x    |
-----------------
      |
      |
------W----------
| wndr          |
|  192.168.1.1  |
-----L-----------
     |
     |
     |
-----W------------
| orbi          |
|  192.168.2.1  |
-----------------

So guest isloation on the orbi will forward all packets to 192.168.1.1 and any devices you have on that network would be visable.  If the packets are destined to the internet then the wndr will  be reforward out though your internet modem.

 

For this to work the Orbi needs to either replace the wndr.  You don't want double NAT going on due to issues with port forwarding for services such as gaming, VoIP etc.

Message 17 of 21
wodehouse
Aspirant

Re: Enabling Guest Network

Hi Ron,

Yes, that would certainly muck things up. However, my topo is this:

-----------------
| Internet      |
|  172.x.x.x    |
-----------------
            |
            |
--------W----------
|      wndr          |
|  192.168.2.2  |
---------L-----------

As noted, I have an access point across the house to amplify the signal, but during testing I unplugged it to verify problem still exists.

Cheers

Message 18 of 21
RonV42
Luminary

Re: Enabling Guest Network

So where in the diagram is the Orbi router connected?

Message 19 of 21
wodehouse
Aspirant

Re: Enabling Guest Network

There isn't one. I joined this thread because it popped up on a search for guest network problems. Didn't notice the Orbi part at the time, but since this is a responsive group and the firmware likely isn't greatly different between netgear devices I didn't restart elsewhere. Been trying to be clear about the equipment I have (the router and WAP).

 

cheers

Roger

Message 20 of 21
RonV42
Luminary

Re: Enabling Guest Network

wodehouse,

 

I would suggest you post in  the proper forum:

 

https://community.netgear.com/t5/WiFi-Routers/ct-p/home-wifi-routers

 

This forum and assocated threads are for Orbi.  Sorry....

Message 21 of 21
Top Contributors
Discussion stats
  • 20 replies
  • 5558 views
  • 1 kudo
  • 6 in conversation
Announcements

Orbi WiFi 7