Aspirant

Orbi - Isolate Guest Network & Tagged Uplink

Hello, I realize this isn't officially supported but I've made some progress and was hoping someone might know the configuration element I am missing.  I mostly need help with identifying the naming convention for the ~dozen various physical and logical interfaces represented in linux.  I think this will help me solve the problem.  

I would like to mimic the behavior of my Airport Extreme so that the wireless guest network is truly isolated and VLAN tagged on the shared physical uplink to my router, which is my DHCP server.  I am in AP mode for this configuration but would be willing to change to router mode if it helped.  I don't see a way to create a secondary DHCP scope in the Orbi UI so I don't think using the Orbi as a router will work best for me.

After enabling telnet, I have been able to identify in the Orbi configuration where you can map the guest network to a different bridge domain.  I changed it from br0 to br1, after creating br1 using standard linux commands (brctl).  After rebooting, the Orbi automatically added what I presume are the logical radio interfaces to my new bridge.

config set i_wla_guest_br=br1
# assumes this is the A radio; guest network
config set i_wlg_guest_br=br1
# assumes this is the G radio; guest network

nvram commit
# appears to be a valid configuration option because after a reboot,
# the two logical interfaces associated with the guest radio network
# move from br0 to br1 successfully.

Looking at examples from other Netgear APs, I tried to configure the uplink to support tagging but I don't think I have it right.  This isn't exactly what I used but is the example I found.

nvram set vlan1ports="1 2 3 5*"
nvram set vlan6ports="0t 4"
nvram set port4vlans=6
nvram set vlan6hwname=et0
nvram commit

I am assuming 0t means port 0 and tagged.  This assumes port 0 is really the uplink port on the Orbi.  This person wanted the LAN port 4 to be part of the bridge untagged but part of VLAN 6.

Has anyone mastered the Netgear CLI or have any tips?

Thanks

Model: RBK50 | Orbi AC3000 High-Performance Tri-Band WiFi System
Message 1 of 7
Aspirant

Re: Orbi - Isolate Guest Network & Tagged Uplink

Bottom line:  I can't confirm that vlan tagging is enabled at the kernel level.  

I have been able to correct a few other mistakes and figure a few things out.

brctl show br1   
bridge name     bridge id               STP enabled     interfaces
br1             8000.8c3bad2bbfd8       no              ath02
                                                        ath11
                                                        eth0.1003
                                                        eth1.1003

ath02 and ath11 are the guest network logical interfaces.  Eth0 appears to be the WAN port and eth1 is the LAN port.  I was able to create these units off eth0/1 with vlan tag 1003.  The isolation part of my requirement seems to work.

Create:
ip link add link eth0 name eth0.1003 type vlan id 1003

Verify:
ip -d link show eth0.1003
33: eth0.1003@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br1 state UP mode DEFAULT link/ether 8c:3b:ad:2b:bf:d9 brd ff:ff:ff:ff:ff:ff vlan id 1003 <REORDER_HDR>

When my wifi client connects, I can see the client's mac address in the correct isolated bridge domain.  That's good news.

brctl showmacs br1
port no mac addr                is local?       ageing timer
  4     8c:3b:ad:2b:bf:d8       yes                0.00
  3     8c:3b:ad:2b:bf:d9       yes                0.00
  2     92:3b:ad:2b:bf:da       yes                0.00
  1     98:01:a7:XX:XX:XX       no                28.13
  1     9a:3b:ad:2b:bf:d8       yes                0.00

However, I don't think my DHCP requests are being passed out eth0 as expected.  Also, for some reason WPA security does not work either.  

Checking if tagging is enabled at the kernel level:

root@RBR50:/# lsmod | grep 8021q
root@RBR50:/# 

root@RBR50:/# modprobe 8021q
kmod: failed to find a module named 8021q
Message 2 of 7
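The isolation check behind the two posts above, as an added example that is not code from the thread or from Netgear: it reads `brctl show` text for the guest bridge and flags any member that would carry guest frames untagged onto the LAN (an untagged ethN, or a tagged unit on the wrong VLAN), and it tests for 802.1Q support through /proc/net/vlan/config, which exists whether 8021q is built into the kernel or loaded as a module. Interface names follow the posts (ath* radios, ethN ports, ethN.VID units); the two sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit a guest bridge for isolation
# from `brctl show <bridge>` text, passed as a string so it runs offline
# on constructed output. Assumed naming (from the thread): guest radios
# ath*, wired ports ethN, tagged units ethN.VID.

# Print each member that breaks isolation: an untagged wired port
# (eth0/eth1) or a tagged unit on the wrong VLAN. Prints nothing if clean.
bridge_leaks() {
    printf '%s\n' "$1" | awk -v vid="$2" '
        NR == 1 || NF == 3 { next }          # header, or bridge with no members
        {
            iface = $NF                       # interface is the last column
            if (iface ~ /^ath[0-9]+$/) next   # guest radio: allowed
            if (iface ~ /^eth[0-9]+\./) {     # tagged unit: check its VID
                split(iface, p, ".")
                if (p[2] == vid) next
            }
            print iface                       # anything else leaks
        }'
}

# 8021q may be a loadable module (visible in lsmod) or built into the
# kernel (lsmod empty, modprobe says "not found"). /proc/net/vlan/config
# exists in both cases, so check for it instead of for the module.
vlan_support() {
    [ -r "${1:-/proc/net/vlan/config}" ]
}

# Constructed sample matching the isolated bridge shown in the thread.
GOOD='bridge name     bridge id               STP enabled     interfaces
br1             8000.8c3bad2bbfd8       no              ath02
                                                        ath11
                                                        eth0.1003
                                                        eth1.1003'

# Constructed sample: eth1 added untagged, so guest frames reach the LAN.
BAD='bridge name     bridge id               STP enabled     interfaces
br1             8000.8c3bad2bbfd8       no              ath02
                                                        eth1
                                                        eth0.1003'

echo "leaks in GOOD: [$(bridge_leaks "$GOOD" 1003)]"
echo "leaks in BAD:  [$(bridge_leaks "$BAD" 1003)]"
if vlan_support; then echo "802.1Q present"; else echo "802.1Q missing"; fi
```

On the unit itself, feed it live output with `bridge_leaks "$(brctl show br1)" 1003`; an empty result means only guest radios and VID 1003 units sit in the guest bridge.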
Aspirant

Re: Orbi - Isolate Guest Network & Tagged Uplink

Does anyone know if Netgear finally fixed this?

Apple's Airport system has been doing this for years and now with it discontinued I can't find any mesh systems that support true guest isolation.

I don't necessarily need the uplink port to support tagging but at least true isolation within the WLAN network would work - with different IP subnets.  Not the filtering they do today that doesn't even filter ARP and broadcast/multicast packets (from what I've read).

Message 3 of 7
NETGEAR Moderator

Re: Orbi - Isolate Guest Network & Tagged Uplink

Yes, we have new firmware with guest isolation fixes; you can find it here.
https://community.netgear.com/t5/Orbi/Orbi-firmware-update-v2-1-4-16-availability/td-p/1584969
DarrenM

Message 4 of 7
Aspirant

Re: Orbi - Isolate Guest Network & Tagged Uplink

Thanks.  Is this just the bug fix referenced in the release notes?
I'm really hoping for true isolation - different IP subnets and true L2 isolation internally (not filtering).

Message 5 of 7
Aspirant

Re: Orbi - Isolate Guest Network & Tagged Uplink

I appreciate the information!
I am basically trying to replace Apple AirPort units that do this natively (guest network with isolation and vlan tagging on the ethernet uplink) but get the coverage benefits of mesh wifi networking.  I'll need to see how UniFi works in terms of coverage.  I don't know enough about the "mesh" technology to know if that's really the answer for better coverage.
Thanks

Message 6 of 7
Virtuoso

Re: Orbi - Isolate Guest Network & Tagged Uplink


@DarrenM wrote:

Yes, we have new firmware with guest isolation fixes; you can find it here.

https://community.netgear.com/t5/Orbi/Orbi-firmware-update-v2-1-4-16-availability/td-p/1584969

DarrenM

Darren,

Are you sure?  From what we could tell, the fix in build 16 was allowing devices on the guest network to reach resources on the primary network when isolation _isn't_ enabled.

Pretty deep testing suggests there's been no improvement in actual guest isolation for many builds now.

Rodney

Message 7 of 7