Guest Network able to open RDP sessions on network

@l11nad, I was concerned when I saw your question posted here.  So I duplicated your testing.  I bound my laptop to my guest network and could not access any local resources, including using Remote Desktop.  I could only use RDP to my desktop from my laptop when on my primary network.  When on the guest network, the hostname is not resolvable for my desktop, so I used the 192.168.1.X IP assigned to it and it still could not open an RDP connection.  Are you sure that you do not have RDP tunneled through the firewall to the internet in your router settings to allow this?  i.e. you allow RDP to mypc.mydomain.com from the internet?  I used firmware v2.5.1.8 on my RBR50 and RBS50 satellites for my testing, so perhaps this is an issue with your v2.3.5.30 firmware if you don't allow internet RDP access.

I did a similar test, opening Orbi Guest access and not allowing guest devices to see the primary network.  Connected my phone, and it behaves as expected.  No access.  However....

• I cannot test in AP mode (having only a modem, and I don't want to go fetch an old router to stick in the middle of all this).
• My phone did get an IP address in the primary subnet.  (This is one of the ways that Orbi WiFi 6 appears to be different from my Orbi WiFi 5.  I hear that the guest network on Orbi WiFi 6 is in a different subnet.)
  
  So, the Orbi is not going to let a guest device access the primary network, but what about the router that Orbi is connected to?
  @I11nad said "Guests have reliable internet connections and are unable to browse our network....."
  I wonder how this works?  Shouldn't the primary router just see packets from a subnet going to IP's on the same subnet?

This is very confusing.

• How was this "unable to browse" tested?
  (ping?  network scanner like Fing?  trying to use a printer?)
• Does AP mode somehow recognize IP's from the guest network and shut them out?
  Way Cool.  Pretty slick programming for an "access point".
• Or, does RDP actually go out to the internet and then back into the network?

Thanks @CrimpOn for noting that @l11nad was using AP mode, not Router mode on his Orbi.  My Orbi is in router mode, and I do not want to break things either by adding a different router between my modem and Orbi and putting the Orbi in AP mode.

@l11nad, I suspect your issue is due to your primary router allowing the access, as it has no means of distinguishing the Orbi guest and primary networks.  For this to work properly, you need to remove your primary router and let the Orbi be in router mode rather than AP mode.  You have a double NAT situation which is not recommended.  Search for "double NAT" on the community forums or google for more information about it.

---

@tomschmidt wrote:

@l11nad, I suspect your issue is due to your primary router allowing the access, as it has no means of distinguishing the Orbi guest and primary networks.  For this to work properly, you need to remove your primary router and let the Orbi be in router mode rather than AP mode.  You would then have a double NAT situation which is not recommended.  Search for "double NAT" on the community forums or google for more information about it.

---

Please see my edit above.  There is currently one router.  Putting the Orbi into router mode would create the Double-NAT.

This is a fascinating situation.  I will dig out my spare Orbi and attach it in AP mode to see what happens.  (Not a trivial exercise, so it will take some time.)  Will not duplicate the OP's router, but it's the best I can do.

I should have re-read my reply before posting.  It would only be in a double NAT situation if both routers where in router mode.  Since the Orbi is in AP mode, all clients get their DHCP assignments from the primary router in between the modem and the Orbi.  The primary router has no way to distinguish systems on the Orbi network, it won't know if they are using the wired LAN ports, primary WiFi or guest WiFi.  So if the PCs that are being allowed RDP access from the guest network are on the primary network of the primary router, then this will not be filtered from other clients on the primary router.  They would only be guests on the clients bound to the Orbi.

@l11nad, are the PCs that are being allowed RDP access from the guest WiFi on the primary router, or are they on the Orbi?

I just performed an experiment:

• Configured a second Orbi RBR50 (my spare) as an Access Point (AP) and gave it WiFi names separate from my primary Orbi.
  The Guest WiFi is set NOT to "Allow guests to see each other and access my local network."
  (The Guest network on my primary Orbi is set the same way.  NOT Allow.)
• Connected a computer to a LAN port on the AP Orbi (which should be the "primary network" for this Orbi).
• Connected a smartphone to the "Guest" WiFi on the AP Orbi.
• Ran "Fing" on the smartphone and scanned the network.  Sure enough, it picked up all the devices connected to the primary Orbi, it picked up the AP Orbi, and it picked up the computer connected to a LAN port on the AP Orbi.

My conclusion from this test is that the Orbi cannot separate "Guest" from the primary network when in Access Point mode.

Honestly, I cannot decide if this is a "bug" or if our natural assumptions were incorrect.  It's an access point.  How can the primary router know (or care) what this access point thinks are separate networks (primary and guest).  Maybe I should have tried more tests (ping, RDP, etc.), but when Fing "found it" immediately, I said, "oh, s**t" and quit.

Would be helpful if someone else could conduct a similar experiment and either substantiate or reject my results.

Guest Network depends on the use of the WAN port when in router mode to have full separation of the two networks, WAN and LAN. Thus if the Allow Guest to see each other is enabled, then the guests should have access to the LAN side of the fence. AP mode then the WAN and LAN are combined in some fashion or the WAN port gets mirrored to the LAN side while actual WAN and DHCP router services are disbled. So AP mode, everything is on the LAN side.