The good news: Guest access works. The bad news: You can't do guest isolation in AP mode, apparently - the option is greyed out. That makes it rather useless, unfortunately - why is this? Rodney

I used to think so as well - except eero got this right. In AP mode, they use iptables to block any packets that aren't destined to TCP/UDP port 53 or DHCP broadcast to any local CIDR, based on eero's own IP addresses (v4 and v6). It's quite clever and works very well. Rodney

Ok, I see how that could work. Thanks for pointing it out.

Yes, Orbi should enable client isolation option for guest network even in AP Mode. Open-Mesh also supports this invaluable feature.

Well AP mode isolation nice to have yes but from what I have just discovered Orbi doesn't even do proper isolation in router mode. See my post here: https://community.netgear.com/t5/Orbi/CAUTION-Orbi-s-Wifi-Guest-Network-does-not-really-isolate-guests/m-p/1221867#U1221867

This is not unique to the Orbi. An AP has no way of isolating guest traffic on your internal network. It would have to do something like put it in a VLAN to send to the router but the router would also have to support VLANs.

Guest isolation not supported in AP mode?

11 Replies

TheEther
Guru
Nov 26, 2016
This is not unique to the Orbi. An AP has no way of isolating guest traffic on your internal network. It would have to do something like put it in a VLAN to send to the router but the router would also have to support VLANs.
- peteytesting
  Hero
  Nov 26, 2016
  have to agree here , the device would not really be working in AP mode if it where handling router features
  - rhester72
    Virtuoso
    Nov 27, 2016
    I used to think so as well - except eero got this right. In AP mode, they use iptables to block any packets that aren't destined to TCP/UDP port 53 or DHCP broadcast to any local CIDR, based on eero's own IP addresses (v4 and v6). It's quite clever and works very well.
    
    Rodney
- fbg
  Initiate
  Feb 03, 2017
  I thinks this warrants some discussion. If client A tries to talke to client B, both on wifi, what happens? The frames don't go directly from A to B via radio (ignoring ad hoc mode wifi). They go to the access point / wireless router. If that access point is an Orbi in AP mode, the Orbi could either deliver the frames, or just send them out the wire and let the downstream router decide what to do with them. I don't know which one it does, and I can't test it since I'm still looking into buying or not... Ideally I would want the Orbi to offer either behavior as an option.
  
  Assuming the Orbi doesn't simply deliver the frames, the next question is: what will the downstream router do? If it is acting as a simple layer 2 / layer 3 device, it will deliver the frames. A and B are on the same layer 2 segment, so they should "see" eachother normally. However, if the downstream router is a firewall, it may be able to actually apply policy and not transmit the frames back out the interface, or perhaps bump the decision to layer 3 and only do so if the hosts in question match an ACL, etc...
  
  I don't know without testing, but I expect the abstract scenario will give different results for different APs and different down-wire routers. Does anyone have more info on this?
  
  In short I don't think this is a simple "no AP can do this" issue.
  - anschmid
    Apprentice
    Feb 03, 2017
    Well AP mode isolation nice to have yes but from what I have just discovered Orbi doesn't even do proper isolation in router mode.
    
    See my post here: https://community.netgear.com/t5/Orbi/CAUTION-Orbi-s-Wifi-Guest-Network-does-not-really-isolate-guests/m-p/1221867#U1221867
Miles267
Apprentice
Dec 31, 2016
Yes, Orbi should enable client isolation option for guest network even in AP Mode. Open-Mesh also supports this invaluable feature.

Forum Discussion

Guest isolation not supported in AP mode?