Orbi - Isolate Guest Network & Tagged Uplink
Hello, I realize this isn't officially supported but I've made some progress and was hoping someone might know the configuration element I am missing. I mostly need help with identifying the naming convention for the ~dozen various physical and logical interfaces represented in linux. I think this will help me solve the problem.
I would like to mimic the behavior of my Airport Extreme so that the wireless guest network is truly isolated and vlan tagged on the shared physical uplink to my router, which is my DHCP server. I am in AP mode for this configuration but would be willing to change to router mode if it helped. I don't see a way to create a secondary DHCP scope in the Orbi UI so I don't think using the Orbi as a router will work best for me.
After enabling telnet, I have been able to identify in the Orbi configuration where you can map the guest network to a different bridge domain. I changed it from br0 to br1, after creating br1 using standard linux commands (brctl). After rebooting, the Orbi automatically added what I presume are the logical radio interfaces to my new bridge.
config set i_wla_guest_br=br1
# assumes this is the A radio; guest network
config set i_wlg_guest_br=br1
# assumes this is the G radio; guest network
nvram commit
# appears to be a valid configuration option because after a reboot,
# the two logical interfaces associated with the guest radio network
# move from br0 to br1 successfully.
Looking at examples from other Netgear APs, I tried to configure the uplink to support tagging but I don't think I have it right. This isn't exactly what I used but is the example I found.
nvram set vlan1ports="1 2 3 5*"
nvram set vlan6ports="0t 4"
nvram set port4vlans=6
nvram set vlan6hwname=et0
nvram commit
I am assuming 0t means port 0 and tagged. This assumes port 0 is really the uplink port on the Orbi. This person wanted the LAN port 4 to be part of the bridge untagged but part of VLAN 6.
Has anyone mastered the Netgear CLI or have any tips?
Thanks
Re: Orbi - Isolate Guest Network & Tagged Uplink
Bottom line: I can't confirm that vlan tagging is enabled at the kernel level.
I have been able to correct a few other mistakes and figure a few things out.
brctl show br1
bridge name     bridge id               STP enabled     interfaces
br1             8000.8c3bad2bbfd8       no              ath02
                                                        ath11
                                                        eth0.1003
                                                        eth1.1003
ath02 and ath11 are the guest network logical interfaces. Eth0 appears to be the WAN port and eth1 is the LAN port. I was able to create these units off eth0/1 with vlan tag 1003. The isolation part of my requirement seems to work.
Create:
ip link add link eth0 name eth0.1003 type vlan id 1003
Verify:
ip -d link show eth0.1003
33: eth0.1003@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br1 state UP mode DEFAULT link/ether 8c:3b:ad:2b:bf:d9 brd ff:ff:ff:ff:ff:ff vlan id 1003 <REORDER_HDR>
When my wifi client connects, I can see the client's mac address in the correct isolated bridge domain. That's good news.
brctl showmacs br1
port no   mac addr             is local?   ageing timer
  4       8c:3b:ad:2b:bf:d8    yes         0.00
  3       8c:3b:ad:2b:bf:d9    yes         0.00
  2       92:3b:ad:2b:bf:da    yes         0.00
  1       98:01:a7:XX:XX:XX    no          28.13
  1       9a:3b:ad:2b:bf:d8    yes         0.00
However, I don't think my DHCP requests are being passed out eth0 as expected. Also, for some reason WPA security does not work either.
Checking if tagging is enabled at the kernel level:
root@RBR50:/# lsmod | grep 8021q
root@RBR50:/#
root@RBR50:/# modprobe 8021q
kmod: failed to find a module named 8021q
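Added verification script (not from the thread or from Netgear) for the bridge and VLAN state reached in the first two posts: it parses brctl show and ip -d link output and flags any untagged physical port in the guest bridge, and it tests 802.1Q support through /proc/net/vlan/config, which the 8021q code registers whether it is a loadable module or compiled in (the eth0.1003 device reporting "vlan id 1003" already shows the kernel has it, so an empty lsmod is consistent with a built-in 8021q). The sample outputs are constructed in the layout those tools print; interface and bridge names follow the posts.

```shell
#!/bin/sh
# Sanity checks for a guest bridge built the way the thread describes:
# br1 should hold only the guest radio interfaces (ath*) and 802.1Q
# sub-interfaces (ethX.<vid>); an untagged physical port in br1 would
# merge guest and LAN traffic. Inputs are captured command output, so
# the checks also run against a copy saved from a telnet session.

# Constructed sample output in the layout brctl/ip print (not from the page).
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br1             8000.8c3bad2bbfd8       no              ath02
                                                        ath11
                                                        eth0.1003
                                                        eth1.1003'
SAMPLE_IPLINK='33: eth0.1003@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br1 state UP mode DEFAULT link/ether 8c:3b:ad:2b:bf:d9 brd ff:ff:ff:ff:ff:ff vlan id 1003 <REORDER_HDR>'

# bridge_members <brctl show output> <bridge>: member interfaces, one per line
bridge_members() {
    printf '%s\n' "$1" | awk -v br="$2" '
        NR == 1 { next }                                    # header row
        $1 == br { found = 1; if (NF >= 4) print $4; next } # bridge row
        found && NF == 1 { print $1; next }                 # continuation rows
        { found = 0 }'                                      # another bridge
}

# untagged_members <member list>: members that are neither a guest radio
# (ath*) nor a VLAN sub-interface (name contains a dot), i.e. leak untagged
untagged_members() {
    printf '%s\n' "$1" | awk '$0 != "" && $0 !~ /^ath/ && $0 !~ /\./'
}

# vlan_ok <ip -d link output> <iface> <vid> <bridge>: 0 when iface is a VLAN
# device with that id and enslaved to that bridge, 1 otherwise
vlan_ok() {
    printf '%s\n' "$1" | awk -v ifn="$2" -v vid="$3" -v br="$4" '
        /^[0-9]+: / { name = $2; sub(/@.*/, "", name); sub(/:$/, "", name) }
        name == ifn {
            for (i = 1; i <= NF; i++) {
                if ($i == "master" && $(i+1) == br) m = 1
                if ($i == "vlan") seen = 1
                if (seen && $i == "id" && $(i+1) == vid) v = 1
            }
        }
        END { exit (m && v) ? 0 : 1 }'
}

# kernel_vlan_support: 8021q creates /proc/net/vlan/config on init, whether
# loaded as a module or built in, so this works where lsmod shows nothing
kernel_vlan_support() { [ -e /proc/net/vlan/config ]; }

printf 'br1 members: %s\n' "$(bridge_members "$SAMPLE_BRCTL" br1 | tr '\n' ' ')"
```

On a live unit, feed `bridge_members "$(brctl show)" br1` and `vlan_ok "$(ip -d link show eth0.1003)" eth0.1003 1003 br1` instead of the samples.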
Re: Orbi - Isolate Guest Network & Tagged Uplink
Does anyone know if Netgear finally fixed this?
Apple's Airport system has been doing this for years and now with it discontinued I can't find any mesh systems that support true guest isolation.
I don't necessarily need the uplink port to support tagging but at least true isolation within the WLAN network would work - with different IP subnets. Not the filtering they do today that doesn't even filter arp and broadcast/multicast packets (from what I've read).
Re: Orbi - Isolate Guest Network & Tagged Uplink
Yes we have a new firmware with guest isolation fixes you can find it here.
https://community.netgear.com/t5/Orbi/Orbi-firmware-update-v2-1-4-16-availability/td-p/1584969
DarrenM
Re: Orbi - Isolate Guest Network & Tagged Uplink
Thanks. Is this just the bug fix referenced in the release notes?
I'm really hoping for true isolation - different IP subnets and true L2 isolation internally (not filtering).
Re: Orbi - Isolate Guest Network & Tagged Uplink
I appreciate the information!
I am basically trying to replace Apple AirPort units that do this natively (guest network with isolation and vlan tagging on the ethernet uplink) but get the coverage benefits of mesh wifi networking. I'll need to see how UniFi works in terms of coverage. I don't know enough about the "mesh" technology to know if that's really the answer for better coverage.
Thanks
Re: Orbi - Isolate Guest Network & Tagged Uplink
@DarrenM wrote:
Yes we have a new firmware with guest isolation fixes you can find it here.
https://community.netgear.com/t5/Orbi/Orbi-firmware-update-v2-1-4-16-availability/td-p/1584969
DarrenM
Darren,
Are you sure? From what we could tell, the fix in build 16 was allowing devices on the guest network to reach resources on the primary network when isolation _isn't_ enabled.
Pretty deep testing suggests there's been no improvement in actual guest isolation for many builds now.
Rodney