VLAN Tagging for Guest Network
I've seen a couple of posts about this in the past on this forum, but all of them appear to be kinda old, and before you could uncheck the "Allow Guests to see each other and access my local network" while in AP mode. Now it looks like you can uncheck that in the version of firmware that I have (1.11.0.20).
I have my own router/DHCP/firewall/gateway that I want to keep using, so I have put my Orbi network into AP only mode. However, I would still like to have a guest network that I'm able to separate at my router. I would like to do this via VLAN tagging. So my questions are:
Is this something that Orbi is capable of now?
If not, is this something that will be available in the future? And if so, is there a way to be notified when it is available?
What actually happens when you uncheck "Allow Guests to see each other and access my local network" while in AP only mode? Does the Orbi just start NAT'ing and serving its own DHCP at that point?
Lastly, assuming that it's not already a thing, I would like to chime in with others here and say that I would REALLY like to see VLAN tagging as an option in the advanced interface.
Re: VLAN Tagging for Guest Network
@sdct989 wrote:
I have my own router/DHCP/firewall/gateway that I want to keep using, so I have put my Orbi network into AP only mode. However, I would still like to have a guest network that I'm able to separate at my router. I would like to do this via VLAN tagging. So my questions are:
Is this something that Orbi is capable of now?
If not, is this something that will be available in the future? And if so, is there a way to be notified when it is available?
What actually happens when you uncheck "Allow Guests to see each other and access my local network" while in AP only mode? Does the Orbi just start NAT'ing and serving its own DHCP at that point?
Lastly, assuming that it's not already a thing, I would like to chime in with others here and say that I would REALLY like to see VLAN tagging as an option in the advanced interface.
Hi, once in AP mode the theory is that it is a pure wireless access point and your upstream router is doing the actual routing and VLAN functionality.
VLAN is usually an advanced feature of the router, not the AP.
Will have a look at this during this weekend and try and get back to you, but I think the "Allow guests to see each other and access my local network" only works in router mode.
Re: VLAN Tagging for Guest Network
peteytesting, thanks for the reply!
I get what you're saying about routing functions belonging to the router, but only the wireless AP knows which network/SSID the traffic came from. So it would be the only one that could augment the traffic in any way to let the router know that this traffic came from this SSID and that traffic came from that SSID. This is typically done in the form of VLAN tagging.
The way that I figured it would work is that the AP would tag the VLAN that the traffic came from before it passes it off to the router. Forcing the VLAN tags at the AP level also has the added benefit that the client, assuming it's capable of tagging, can't just make up its own and decide which network it wants to be a part of. It's with these VLAN tags that I can have my router do more advanced routing such as allowing certain requests through the firewall, assigning different DHCP realms, etc.
If you can suggest a different way, other than VLAN tags, for my upstream router to understand which SSID a set of traffic came in on, I could probably work with that as well!
Re: VLAN Tagging for Guest Network
There's roughly zero chance the Orbi will ever support tagging - it's just not that sophisticated (by design), intended as a "fire and forget" consumer device only.
Rodney
Re: VLAN Tagging for Guest Network
That's a bummer, I had assumed because of posts like this: https://community.netgear.com/t5/Orbi/Support-for-vLAN-tagging/td-p/1266588 that it was something that they were open to, but they just hadn't gotten to at the point that post was made. I was actually hoping that it was already implemented somewhere in the interface that I hadn't found yet.
Re: VLAN Tagging for Guest Network
Netgear still hasn't been convinced to provide basic fundamentals, like:
- Restoring the capability to see which node and band devices are connected to
- Providing a firmware changelog
- Allowing Ethernet backhaul
- Preventing guest networks from breaching the network perimeter over IPv6
Given the UI complexities of implementing a proper tagging interface, and what's more, _handling_ those tags (i.e. firewalling, etc.), I'd imagine this feature would fall into the "pie in the sky" category more than anything else. Netgear will promise the world, but delivery is another matter entirely.
Naturally, I quite hope to be proved wrong on this one, but an outcome even worse than them not delivering is delivering it half-baked, which if anything might well be the most likely ending to the story. Time will tell, I suppose.
Personally, I share the gripe of many on this and other (Linksys comes to mind) forums that this "me too!" business of "mesh networking" by players with no business in the game is disenchanting to an extreme. eero, as much difficulty as I had with their (ultimately returned) product, appear to be the market leaders for good reason...they actually had a plan and are executing against it with very clear technical knowledge of the needs (if not desires) of the market they virtually single-handedly created. Now if only they could stop being so dependent on the cloud...
Rodney
Re: VLAN Tagging for Guest Network
"Hi, once in AP mode the theory is that it is a pure wireless access point and your upstream router is doing the actual routing and VLAN functionality. VLAN is usually an advanced feature of the router, not the AP."
This is inaccurate and a common misconception. APs should have VLAN tagging support per SSID (or at least non-guest and guest). While modern routers do support VLAN technologies, APs and switches through which a given network passes are required to support the same or have compensatory systems where one or more devices does not.
Even in home deployments (that is, SOHO), having VLAN tagging is desirable. Every home network in my opinion should have at least three networks nowadays. While not typical, my home has the following networks:
* Security: my contracted security system
* Security-Home: my backup security system
* Guest: for guests
* Internal: general family network
* Voice: voip phones/devices
* Risk: for things I must use but don't want to
* Protected: my main servers and dot1x authenticated devices
* Lab1: a lab I share with my friends/colleagues that ties to virtual networks
* Lab2: another lab like Lab1 based on virtualization
Each of the above has an IP subnet (CIDR) with dedicated security policies. At most of the edge, these methods address VLAN assignment:
* SSID (two SSIDs share a VLAN but the rest do not)
* RADIUS assigned VLAN
* MAC-based VLAN
* Port-based VLAN
* Device-tagged VLAN
There are other techniques that can be used as well, such as IP-based VLAN assignment.
If one did have VLAN by SSID assignment on the Orbi, the devices upstream of the AP must either leverage one or more of the above features. Normally these are the domain of the switch/bridge (such as MAC and IP based VLAN assignments) or those devices must have enough interfaces if port-based assignment is the primary means. For example, the router must support the tagging (trunk, at which point an IRB/RVI interface is associated with the VLAN), have enough physical interfaces, and/or leverage alternate technologies (such as MAC VLAN assignment).
Because this is another Netgear's forum, I will not post to competing products that can perform the roles. However, I will comment that Netgear does sell affordable switches with the features required to do everything I just said.
Some vendors do use a NATed guest mode but this is a poor handling especially in larger homes if guest mobility is important. Such a mode also pulls certain policy application to the AP where it may not be best suited.
After having said all that, every vendor including Netgear should have VLAN tagging support in consumer equipment at this point but especially at the AP and router as those are most often directly connected. The year is 2017 - we all benefit by having better security and security is greatly aided by basic network segmentation.
Cheers.
- Matthew Kurowski
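The per-SSID tagging discussed in this thread (the AP tags by SSID so a client cannot choose its own VLAN, and the upstream trunk port reads the tag to pick a policy), sketched as an added example that is not from any poster or from Netgear. The SSID names, VLAN IDs and function names are assumptions made up for illustration; the Orbi exposes no such setting.

```python
import struct

TPID_8021Q = 0x8100                 # 802.1Q C-tag
CLIENT_TAG_TPIDS = {0x8100, 0x88A8} # also refuse 802.1ad S-tags from clients
# Assumed SSID-to-VLAN plan (constructed for this example).
SSID_VLAN = {"home": 10, "guest": 20}

def ap_tag(frame: bytes, ssid: str) -> bytes:
    """AP side: insert the VLAN tag for `ssid` before sending on the uplink."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    if struct.unpack("!H", frame[12:14])[0] in CLIENT_TAG_TPIDS:
        # The client tagged the frame itself: drop it instead of letting
        # the client decide which network it belongs to.
        raise ValueError("client-tagged frame rejected")
    tci = SSID_VLAN[ssid] & 0x0FFF  # PCP=0, DEI=0, 12-bit VLAN ID
    # The tag sits between the source MAC and the original EtherType.
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def router_classify(frame: bytes, allowed=frozenset(SSID_VLAN.values())):
    """Router trunk port: return (vlan_id, inner_ethertype) or raise."""
    if len(frame) < 18:
        raise ValueError("too short for a tagged frame")
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        raise ValueError("untagged frame on trunk port")
    vid = tci & 0x0FFF
    if vid not in allowed:
        raise ValueError(f"VLAN {vid} not allowed on this trunk")
    return vid, ethertype

def sample_frame(client_tag: bytes = b"") -> bytes:
    """Constructed frame: broadcast dst, made-up src MAC, IPv4 EtherType."""
    dst, src = b"\xff" * 6, bytes.fromhex("020000000001")
    return dst + src + client_tag + struct.pack("!H", 0x0800) + b"\x00" * 46

if __name__ == "__main__":
    print(router_classify(ap_tag(sample_frame(), "guest")))
```

The router can then key DHCP scopes and firewall rules on the returned VLAN ID, which only the AP was able to set.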
Re: VLAN Tagging for Guest Network
FYI: The Orbi (consumer) does actually support VLAN tagging -- in Singapore. The lack of (at least guest) VLAN tagging in the Orbi broadly is a poor decision by Netgear.
I believe (personal opinion) that this is a case where Netgear feels they can justify the decision by saying consumers don't want or can't be bothered with such complexity but, in truth, they probably don't want to erode from their other product lines or burden their consumer support teams. For instance, if the Orbi Pro adds VLAN tagging and full 802.1q support, then why would Netgear want a small office to "get by" with a consumer Orbi? The second point I mention is a valid concern of course but could be mitigated by a simple checkbox "Enabling any of the advanced or beta features of the Orbi and Orbi Pro will limit your product's support as none of those features are supported by Netgear."
In this case, I think Netgear needs to hear the demand directly or via loss of sales on the affected products. With that said, I'm sure most consumers are happy without anything discussed in this thread... as are most without having a password, leaving their screens unlocked at home, having password post-its and spreadsheets, etc. At some point, the industry needs to push consumers to better setups with or without their knowledge (for the benefit of all).
Cheers
- Matthew Kurowski