Security Hole with Guest Wifi Network of Netgear Orbi 970 Series Quad Band Mesh WiFi 7
Summary:
There is a security issue I wish to resolve involving a Firewalla Gold Pro router and an Orbi Mesh. The Orbi WiFi guest network is getting access to devices on my main Firewalla LAN. I'm not doing anything out of the ordinary so I suspect this is a common issue. Forgive me if I've missed a resolution to this in another community thread; I've searched and not found it, so please point me to it if an answer already exists.
Description:
My Firewalla Gold Pro in router mode is connected to an Orbi 970 Series Quad Band Mesh WiFi 7 in AP mode (aka bridge mode). The connection is 10Gbps from LAN Port 1 on the Firewalla to the WAN port of the main Orbi 'router' (RBE971) in AP mode. I also have a wired ethernet network connected on the Firewalla, including NVR with security cameras. There are two RBE970 satellites connected to the RBE971, also using wired ethernet. Everything is on the latest firmware, but the behaviour I'm observing also applies to other recent firmware. I understand it to be intended behavior from Netgear. And I think the Firewalla is also behaving as expected.
This setup works fine for the main WiFi SSID of the Orbi. All wireless devices connecting to the main SSID are correctly getting their addresses dispensed by the Firewalla DHCP server, say LAN 192.168.151.X/24. So if I connect a wireless tablet to the Orbi on the main SSID then Firewalla assigns it an address such as 192.168.151.195. Of note, the main Orbi RBE971 router is also dispensed an address by Firewalla, say 192.168.151.119. It is this last address that is of importance in what follows.
Things are a bit more convoluted for the guest network. Even though the Orbi is in AP mode, the Guest Network runs its own DHCP server for the Guest SSID. All guest devices are given an address on the range 192.168.2.X/24. This is non-configurable, hard coded. There is no VLAN tagging option for the Guest Network. So if I connect a laptop to the Guest WiFi network, then it might get address 192.168.2.39 assigned by Orbi.
However all outgoing guest traffic leaving on the Orbi WAN side is mapped (tunneled?) to address 192.168.151.119, the address of the main RBE971. All Guest WiFi traffic is confounded to that single address, so there is no tracking who's doing what on the guest network at the Firewalla router, it all looks like it is from RBE971 @ 192.168.151.119. I've checked this by triggering Firewalla alarms/notifications from different guest devices.
Furthermore the address of the guest traffic is now associated with an IP address on the primary network of the Firewalla (192.168.151.X). And, so far, that means this traffic can now go anywhere. For example, from the Guest WiFi network, I am able to access my NVR Protect (cameras), etc. So there is now a gaping hole in security.
For now I've reserved an IP address for the MAC of the RBE971. This is the same MAC printed at the bottom of the router. However I need further steps to make this Guest Network secure so that my home network is protected.
Two questions:
A) Is there a best way to configure the Firewalla so that this Guest network traffic is blocked from going anywhere else except for routes to the outside world? Something based on IP address, or perhaps the MAC address itself. I can't see how to do that because the same address 192.168.151.119 is also used for other purposes than Guest WiFi traffic. For example, it is also the address which is used to locally configure and login to the RBE971. And, differently, if I were to do a blanket exception for anything coming out of the RBE971 WAN port (possibly a new Firewalla network), I'd still want the main WiFi SSID devices (the non-Guest WiFi devices) to access the local wired network (such as the cameras). So anything that is able to resolve this would be useful.
B) Is there a way for the Firewalla to recover the 192.168.2.X guest address that must be embedded somewhere in the 192.168.151.119 packets intended for guests? So that I can determine the activity of each guest separately? If so, that could also be a way to resolve what is guest traffic in A). Seems this would require some ability to do packet inspection. Hopefully they don't encrypt the address.
-
If you are on the Orbi guest network, can you check if the IP address is in the same range as your other network? Can you ping from the Orbi guest network to other devices not on the guest network?
Guest network usually is hidden behind a NAT and the wifi access point will need to block traffic from that NAT to other parts of the network on your LAN. Firewalla can't see network traffic on the LAN.
-
Thanks for the quick feedback.
I'm on guest wifi device 192.168.2.33. I can ping other guest wifi devices (see below), but I cannot ping devices on the main LAN, wherever they may be. The AP is working as you say for ping. However, although I cannot ping, I am able to directly view my camera feeds for the NVR at 192.168.151.79 (which fails the very same ping below).
> ping 192.168.2.19
Pinging 192.168.2.19 with 32 bytes of data:
Reply from 192.168.2.19: bytes=32 time=1047ms TTL=64
> ping 192.168.151.79
Pinging 192.168.151.79 with 32 bytes of data:
Reply from 192.168.2.1: Destination port unreachable.
-
Thanks Daniel. Yes, VLANs exist exactly for this type of scenario. My current stance is that if you want to use Firewalla as a router then it might be best to avoid Netgear Home WiFi routers in general if you want to have a Guest WiFi (which applies to most).
No Netgear VLAN support in AP mode, in general
The Orbi that I have supports VLAN. But nowadays Netgear removes the feature in AP mode. I don't understand this, VLAN is a layer 2 feature which makes even more sense in an AP mode. And this seems to be across all their routers, please see their generic knowledge base article KB 26765. So I'm doubtful we can find an Orbi on modern firmware that supports VLAN.
Currently this is the state of things for me:
A) With a device on the Guest Wifi Network I can ping other devices in the Guest Wifi but I cannot ping devices on the main network (aka LAN 1 in Firewalla parlance). Which seems to give me a false sense of security that the networks are isolated.
B) However from guest I can ssh and https into devices on LAN 1, DHCPed by Firewalla. So I have a big security hole, worst of all with my cameras. I'm hoping the Firewalla community has a way to plug this. I can't think of a way, but there are people way more knowledgeable than I am here.
Another possibility is that I run the Orbi as the router and subscribe to a yearly cloud based Netgear Armor Plus protection. But I bought the Firewalla precisely because I do not want to do that. Worse, the cost is my internet usage being monitored in the cloud.
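The post above shows why a ping test gives a false sense of isolation: the guest gateway answers ICMP with "Destination port unreachable" while TCP to ssh/https on the main LAN still connects. The script below is an added example (not code from this thread, from Firewalla or from Netgear) that checks isolation the way a practitioner should, by attempting TCP handshakes to the ports that matter instead of trusting ping. The port list and the loopback demo are constructed for this example; the NVR address 192.168.151.79 comes from the post above and is only used as the suggested command-line target.

```python
"""Guest-isolation probe: TCP connect checks instead of trusting ping.

Added example, not from the thread. Run it from a host on the guest SSID,
pointing it at an address on the main LAN, e.g.:
    python3 guest_probe.py 192.168.151.79 22 443
With no arguments it runs an offline loopback demonstration.
"""
import socket
from typing import Dict, List

# Ports a guest should never reach on the main LAN (constructed list for this
# example: ssh, http, https, RTSP and a common NVR web port).
DEFAULT_PORTS: List[int] = [22, 80, 443, 554, 8443]


def tcp_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, no route, ICMP unreachable
        return False


def probe(host: str, ports: List[int], timeout: float = 1.0) -> Dict[int, bool]:
    """Map each port to whether a TCP connection to host succeeded."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def isolation_verdict(icmp_reply: bool, tcp: Dict[int, bool]) -> str:
    """Summarise a probe. A blocked ping proves nothing if any TCP port answers."""
    open_ports = sorted(port for port, ok in tcp.items() if ok)
    if open_ports:
        return "NOT isolated: TCP reachable on " + ", ".join(map(str, open_ports))
    if icmp_reply:
        return "ping answered; no probed TCP port open (check more ports)"
    return "isolated for the probed ports"


def loopback_demo() -> Dict[str, object]:
    """Offline reproduction of the thread's symptom on 127.0.0.1.

    One listener is opened on an ephemeral loopback port (standing in for the
    NVR's HTTPS service); a second port is reserved and then released so that
    nothing listens on it. With icmp_reply=False, as when ping only gets
    'Destination port unreachable', the verdict still reports the host as
    reachable because the TCP handshake to the open port succeeds.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # never listened, so connects to it are refused

    try:
        results = probe("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return {
        "open_port": open_port,
        "closed_port": closed_port,
        "results": results,
        "verdict": isolation_verdict(False, results),
    }


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        target = sys.argv[1]
        ports = [int(p) for p in sys.argv[2:]] or DEFAULT_PORTS
        res = probe(target, ports)
        for port, ok in res.items():
            print(f"{target}:{port} {'OPEN' if ok else 'closed/filtered'}")
        # icmp_reply=False mirrors the ping result shown in the thread
        print(isolation_verdict(icmp_reply=False, tcp=res))
    else:
        print(loopback_demo())
```

A guest network that is really isolated should report every probed port as closed/filtered from the guest side; any OPEN line means the AP's guest NAT is forwarding TCP into the main LAN regardless of what ping says.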
-
The key is Orbi will do NAT for its guest network. The main router (Firewalla) won't know what is from the Orbi guest network and what is from the Orbi itself. If you access another wireless device (in the main network) from the Orbi guest network, Orbi can handle the traffic even if the router is powered off.
If you want Firewalla to manage local traffic, better to introduce a separate AP for guest network or use another AP which supports different SSID mapping to VLANs ( see Tutorial: VLAN-Based Segmentation (Gold & Purple)).
-
Absolutely, there is no distinguishing the guest vs non-guest traffic at that point. I was hoping for some magical solution that I might not know about. Wishful thinking. I was thinking of going along the lines of your advice: I'll get a cheap AP that supports VLANs and experiment with it for a long while. If it does what I want then I'll upgrade to the higher end one of the same brand and then I'll retire the Orbi.
In my latest communication with Netgear support I was told that in AP mode the guest network is not supported, with them quoting the same knowledge base article KB 26765 as before. But in this case, unlike VLANs, they have still left the Guest Network feature accessible in their AP mode menus. Removing it outright could prove to be unpopular.
There are two other problems with the guest network in AP mode that I've encountered. So I'm going to cut my losses.
-
Netgear's new business product lines seem to aim at getting you to subscribe to "Insight". For example, from what I understood of reviews you won't get mesh roaming across your network if you don't subscribe. No thanks. I don't see Orbi Pro as something they are actively continuing on their website. I'd like to think TP-Link EAP783 would be a good replacement, but first I'll just buy an EAP610 to test things out to see if it does what I expect. Once bitten, twice shy. If not then go down the list of vendors.
-
Well Firewalla is looking to sell an AP and switches. And Ubiquiti just came out with E7. So those would be American alternatives, which I do prefer to encourage when there is a choice.
WiFi 7 with a 10G wired backhaul + 10G switches with at least 8 copper ports would make me happy, especially from Firewalla. Maybe I can just run the guest WiFi off if it ain't 10G.