Reply
Highlighted
Luminary

Is there a way to get the VPN to connect with the primary (not guest) network?

I find the built-in VPN to be very useful for personal network security when on shared/public networks -- and when traveling internationally (I appear to be home, which is what I want).  However, I'd like to be able to access resources on my home (primary) network.  However, by default (probably for understandable security reasons) the VPN seems to only attach to the guest network I set up for visitors.  So I'm unable to access any of my internal home network services.

 

The question: Is there a way to configure the Orbi to put the VPN on the primary network?

Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 1 of 23

Accepted Solutions
Highlighted
Master

Re: Is there a way to get the VPN to connect with the primary (not guest) network?

@Stev3D

 

You are the first person to report that Orbi's guest network is on a separate subnet from the main network.  See post #1 and many other posts in the below thread.

https://community.netgear.com/t5/Orbi/CAUTION-Orbi-s-Wifi-Guest-Network-does-not-really-isolate-gues...

 

I switched my Orbi to router mode just to test, and confirmed that for my Orbi the guest network is on the same subnet as the main network.  In my case the Orbi is at 192.168.1.1 and the guest gets an IP of 192.168.1.5, which is on the same subnet. This is what I mean by "Orbi does not have a separate guest network." Yes, there is a separate SSID, but all clients are on the same subnet.

 

Furthermore, there is no setting in Orbi that I see that allows one to choose a different subnet for the guest network.

 

So, either you are using a different router than Orbi, you are using some new unreleased firmware, or there is something misconfigured with your network.

 

Where is the Orbi setup page where you can set a different IP for the guest network?

What firmware version are you running?

 

 

View solution in original post

Message 13 of 23

All Replies
Highlighted
Guru

Re: Is there a way to get the VPN to connect with the primary (not guest) network?

@DarrenM


My Setup (Cable 900Mbps/50Mbps)>CAX80>RBK853 v3.1.16.6(Router Mode)
Additional NG HW: C7800/CM1100/CM1200/CM2000, Orbi CBK40, RBK50, R7800, R7960P,
EX7500/EX7700, XR450 and WNHDE111
Message 2 of 23
Highlighted
Luminary

Re: Is there a way to get the VPN to connect with the primary (not guest) network?

@DarrenM, I’m not sure what you are telling me.  You seem to have a three-router setup, but if the Orbi is serving VPN (and presumably you don’t have a guest network given your three-router configuration), then the Orbi’s network that is admitting the inbound VPN traffic is on the WAN side of your other two routers — which wouldn’t permit access to local services (which I surmise are behind the R7800).  Please explain how this example would help address my issue.

 

Thank you

Message 3 of 23
Highlighted
Luminary

Re: Is there a way to get the VPN to connect with the primary (not guest) network?

Amending my previous post, it was @FURRYe38 who posted that reply.

Message 4 of 23
Highlighted
Guru

Re: Is there a way to get the VPN to connect with the primary (not guest) network?

I was tagging DarrenM for his review and comment and help. 

 

The information you see for my signature is the items I currently have and test with. The top line is actually deployed in my home. The second line is items I have at my disposal for use. 

 

Hopefully Darren will review this by tomorrow...

Good Luck. 


My Setup (Cable 900Mbps/50Mbps)>CAX80>RBK853 v3.1.16.6(Router Mode)
Additional NG HW: C7800/CM1100/CM1200/CM2000, Orbi CBK40, RBK50, R7800, R7960P,
EX7500/EX7700, XR450 and WNHDE111
Message 5 of 23
Highlighted
Luminary

Re: Is there a way to get the VPN to connect with the primary (not guest) network?

Based on the fact that nobody was able to offer a recommendation, I have to conclude that is is not possible to specify the primary network as the VPN target — we are stuck with the guest network on the Orbi
Model: RBK50| Orbi AC3000 High-Performance Tri-Band WiFi System
Message 6 of 23
Highlighted
Apprentice

Re: Is there a way to get the VPN to connect with the primary (not guest) network?

I agree with you - there is not a way to do it.  

 

(I have the same need you do)

Message 7 of 23
Highlighted
Master

Re: Is there a way to get the VPN to connect with the primary (not guest) network?


@Stev3D wrote:

I find the built-in VPN to be very useful for personal network security when on shared/public networks -- and when traveling internationally (I appear to be home, which is what I want).  However, I'd like to be able to access resources on my home (primary) network.  However, by default (probably for understandable security reasons) the VPN seems to only attach to the guest network I set up for visitors.  So I'm unable to access any of my internal home network services.

 

The question: Is there a way to configure the Orbi to put the VPN on the primary network?


I haven't used Orbi's VPN yet, because I use Orbi in AP mode, but it's not supposed to work that way.  Also, Orbi does not have a separate guest network, so what are you seeing that makes you believe the VPN is attaching to a guest network?

 

Did you read the manul sections regarding VPN?

https://www.downloads.netgear.com/files/GDC/RBK50/Orbi_UM_EN.pdf

 

There are settings for allowing access to the home network and the Internet over the VPN.  Check those.

 

Also note the comment on page 119 and make sure this isn't the issue:

"For the VPN tunnel to work, the local LAN IP address of the remote router must use a different LAN IP scheme from that of the local LAN where your VPN client computer is connected. If both networks use the same LAN IP scheme, when the VPN tunnel is established, you cannot access your home router or your home network with the OpenVPN software."

 

 

Message 8 of 23
Highlighted
Apprentice

Re: Is there a way to get the VPN to connect with the primary (not guest) network?

A more technical way to respond is to say that the VPN subnet assigned / used for VPN clients is a different one than the local LAN, and there doesn't seem to be any way to assign/control/change any of those settings.  And when on a VPN subnet, it doesn't seem to openly communicate (route) to the local LAN subnet so you can access resources directly.  It appears to isolate them no matter what you set per instructions on page 119.  

 

So my example - when on VPN I can't ping any resources on the regular Orbi LAN, and I can't access my DVR from 'inside' like I would hope to.  

 

(Related but unrelated - this problem would sort of be the opposite of where there is a checkbox for allowing Guest wireless clients to see the regular lan and vice versa - there is a checkbox for that, but it doesn't work, and that is well documented on this forum)

Message 9 of 23
Highlighted
Master

Re: Is there a way to get the VPN to connect with the primary (not guest) network?

Having VPN clients on a different subnet is normal, and shouldn’t be a problem.

 

However, note that Windows firewall by default will block any communications with a computer on a different subnet.  So you won’t be able to ping or connect to any Windows machine on your home LAN unless you add firewall rules to allow it, or disable the firewall. You might need to do the same on the VPN client computer, depending on how it’s setup.

Message 10 of 23
Highlighted
Apprentice

Re: Is there a way to get the VPN to connect with the primary (not guest) network?

Yeah, that is not the issue here. At least for me.
Message 11 of 23
Highlighted
Luminary

Re: Is there a way to get the VPN to connect with the primary (not guest) network?

@st_shaw, thank you for responding.  

I don’t understand what you mean by “Orbi does not have a separate guest network?” I know that here is an entire section on setting one up in the manual you linked (in Chapter 6). I’ve established a guest network (different IP address, different SSID, different WPA2 password) so visiting friends can use my ISP but do not have access to my internal services.

 

The answer to your question “So what are you seeing that makes you believe the VPN is attaching to a guest network?” is that the apparent VPN LAN subnet address matches that of my guest network — which differs from that of my primary network (and the local LAN I was tunneling in from). 

 

I’ve been through the the manual (several times) — which is fairly thin on VPN technical details (spends a lot of time on elementary step-by-step for client setup).  I use a fairly non-standard number for the third octet on my LANs (and the primary network and the guest networks differ by one), and not the default.  The probability of a collision is small (one out of 254 for a Class C private network, and zero if its Class A or B).  I know for sure that the “the LAN IP scheme” isn’t the issue.

 

Since my guest network can’t route to my primary network (by design), having the VPN tunnel terminate on the guest network prevents me from accessing services.  Being on separate subnet is a non-problem when they are routed, but the point of a guest network is to keep untrusted devices away from the “inner sanctum,” so that isolation (not routing between them) is intentional.  If the VPN setup in the Orbi gave us a choice of having the tunnel land in one or the other, I’d be able to do what I want.

 

Aside: I’m not using any Windows devices, so Windows firewall is not part of the equation.

 

@Jeremyinsf, I quite agree with your assessment of the situation.

 

Thanks to all who responded.  It would be great if someone form Netgear weighed in.

Message 12 of 23
Highlighted
Master

Re: Is there a way to get the VPN to connect with the primary (not guest) network?

@Stev3D

 

You are the first person to report that Orbi's guest network is on a separate subnet from the main network.  See post #1 and many other posts in the below thread.

https://community.netgear.com/t5/Orbi/CAUTION-Orbi-s-Wifi-Guest-Network-does-not-really-isolate-gues...

 

I switched my Orbi to router mode just to test, and confirmed that for my Orbi the guest network is on the same subnet as the main network.  In my case the Orbi is at 192.168.1.1 and the guest gets an IP of 192.168.1.5, which is on the same subnet. This is what I mean by "Orbi does not have a separate guest network." Yes, there is a separate SSID, but all clients are on the same subnet.

 

Furthermore, there is no setting in Orbi that I see that allows one to choose a different subnet for the guest network.

 

So, either you are using a different router than Orbi, you are using some new unreleased firmware, or there is something misconfigured with your network.

 

Where is the Orbi setup page where you can set a different IP for the guest network?

What firmware version are you running?

 

 

View solution in original post

Message 13 of 23
Highlighted
Luminary

Re: Is there a way to get the VPN to connect with the primary (not guest) network?

@st_shaw I accidentally hit the “solved” button here, don’t know how to de-select it. This is not solved.

 

Milne is a standard-issue RBK50 set (one RBR50 base, one RBS50 satellite) running the standard firmeware that was released a couple of weeks ago.

 

One doesnt’t manually set the guest subnet.  In the case where the the option to “Allow guests to see each other and access my local network” is de-selected (see p78 of the manual), the Orbi automatically creates the guest network on a different subnet, apparently incrementing the base subnet IP address by one (e.g., if the primary subnet is 192.168.200.0/24, the guest subnet will be 192.168.201.0/24).  That’s what I’m seeing.  In effect, when I VPN in, my remote device gets the address (in this example) of 192.168.200.5 with a 24-bit subnet.

 

I’m not making this up.

Message 14 of 23
Luminary

Re: Is there a way to get the VPN to connect with the primary (not guest) network?

@DarrenM or @AmitR or @Dustin_V — is there any way to turn off the “solved” label for this thread?  It is not solved; I accidentally hit the “Solved” button when scrolling on my iPad, and I can’t find a way to turn it off.   Thank you.

Message 15 of 23
Highlighted
Master

Re: Is there a way to get the VPN to connect with the primary (not guest) network?

 


@Stev3D wrote:

 

 In the case where the the option to “Allow guests to see each other and access my local network” is de-selected (see p78 of the manual), the Orbi automatically creates the guest network on a different subnet, apparently incrementing the base subnet IP address by one (e.g., if the primary subnet is 192.168.200.0/24, the guest subnet will be 192.168.201.0/24).  That’s what I’m seeing.  In effect, when I VPN in, my remote device gets the address (in this example) of 192.168.200.5 with a 24-bit subnet.

 

I’m not making this up.


I have the "allow guests to see each other..." de-selected.  The behavior you describe is not what I am seeing. The router is at 192.168.1.1 the guests are at 192.168.1.X.

 

Are you sure you don't have a second router, or a second AP other than Orbi that's your "guest" network, or a second DHCP server somewhere on your network?  That's about the only thing I can imagine that would describe what you are seeing: two subnets and having the VPN blocked.

 

Do you have some IP addresses hardcoded into your devices?

 

What devices are in your network and what's the topology?

 

The behavior you describe is not normal.  I would look for causes other than Orbi first.  If you can definitively rule those out, then I would try a hard reset of Orbi.

 

 

 

Message 16 of 23
Highlighted
Apprentice

Re: Is there a way to get the VPN to connect with the primary (not guest) network?

I de-selected the option so it matches yours, but I still get the same behavior.  It increases the subnet (3rd octet) by one digit for VPN clients.

 

There is no other router (no other DHCP server), etc etc etc.

Message 17 of 23
Highlighted
Master

Re: Is there a way to get the VPN to connect with the primary (not guest) network?


@Jeremyinsf wrote:

I de-selected the option so it matches yours, but I still get the same behavior.  It increases the subnet (3rd octet) by one digit for VPN clients.

 

There is no other router (no other DHCP server), etc etc etc.


Strange. I would try resetting.

 

What firmware version? I have 2.1.4.16.

 

I enabled the VPN server to see if that had any effect.  It didn't.

 

I didn't go as far as connecting to the VPN, because I don't currently use OpenVPN and that would require extensive reconfiguration.

Message 18 of 23
Highlighted
Apprentice

Re: Is there a way to get the VPN to connect with the primary (not guest) network?

I am using the same version.

 

I appreciate that you are trying to help, but, since you aren't actually using this feature, you can't see the effect of the settings.  And it's very frustrating to many on here when the response is to reset the whole thing and start all over, every time a feature/setting doesn't work.  I've been through all that, and don't need that suggestion from you (or Furry) every time it doesn't work the way you think it should.  I'm not trying to be rude here, I just don't want others to go down this rabbit hole again and again for no reason, especially when you aren't even using this feature or able to fully test it to see the effect of what you are talking about.

Message 19 of 23
Highlighted
Master

Re: Is there a way to get the VPN to connect with the primary (not guest) network?


@Jeremyinsf wrote:

I am using the same version.

 

I appreciate that you are trying to help, but, since you aren't actually using this feature, you can't see the effect of the settings.  And it's very frustrating to many on here when the response is to reset the whole thing and start all over, every time a feature/setting doesn't work.  I've been through all that, and don't need that suggestion from you (or Furry) every time it doesn't work the way you think it should.  I'm not trying to be rude here, I just don't want others to go down this rabbit hole again and again for no reason, especially when you aren't even using this feature or able to fully test it to see the effect of what you are talking about.


Well, I did turn on the guest network and I did turn on the VPN, so I am using both of those features, and it does not behave like yours. You are also the only one to report the guest network is on a separate subnet, while there are dozens of people complaining that Orbi doesn't do this.

 

I also spent significant time on this.   If you don't "need" my suggestion, then good luck solving this on your own.

 

Message 20 of 23
Highlighted
Apprentice

Re: Is there a way to get the VPN to connect with the primary (not guest) network?

I appreciate your time, but you said:

 

"I didn't go as far as connecting to the VPN, because I don't currently use OpenVPN and that would require extensive reconfiguration."

 

So you aren't actually duplicating the problem here - and you want us to just go ahead and erase everything and start all over for no real reason.  Someone else on here always tells people the same thing, and it starts to drag down the forum.  Please don't take offense for my push back.  I do appreciate you are trying to help, and thought I made that point.

Message 21 of 23
Highlighted
Luminary

Re: Is there a way to get the VPN to connect with the primary (not guest) network?

@Jeremyinsf I resonate with your sentiment.  Frequently when I post an issue to a forum like this, the going-in assumption by frequent posters is that I’m a “retractable cup-holder user” (total novice, didn’t even bother to read the manual before writing in— very much not the case here) or that I’ve done something uninformed and screwed up a configuration — so the only solution offered is to wipe it and start over (which is nearly always a complete waste of time).  The idea that the system may not work as expected (and it is not user problem) usually takes five to ten back-and-forths before it is considered.  I think we are finally getting there.  

 

I very much appreciate the effort that people have put into responding to our inquiries. Unfortunately, I don’t think we are any closer to a solution than we were at the start.  

 

It would be great if someone from Netgear engaged in this discussion, someone who could confirm (or refute) there is a problem.  I suspect that this issue is tied into some of the other posts I’ve seen where the operation of the guest network is inconsistent (incomplete isolation, etc.).  I have discovered that the guest network is NOT on a different MAC than the primary network — unlike other router/access points I’ve owned (and tested).  I think that’s a flaw — one that may be tied into this whole situation.

Message 22 of 23
Highlighted
Apprentice

Re: Is there a way to get the VPN to connect with the primary (not guest) network?

Thank you @Stev3D for taking the time to reply and chime in here.  I realize I'm not alone with my feelings (and frustrations) with responses here in the Community - or, as you point out, the lack thereof from those at Netgear.

 

When working properly, it's a great product with even greater potential.  It's too bad so many have had problems, and I do feel bad for those without technical know-how to work around issues or even determine when there is a real problem (i.e. bug) or what expected behavior should be.  I hope it gets better, and I do expect the firmware to be more stable in the future.  

 

Thank you again for your reply.

Message 23 of 23
Top Contributors
Discussion stats
  • 22 replies
  • 7199 views
  • 3 kudos
  • 4 in conversation
Announcements