Orbi Router (Access Point) and Guest WI-FI Access
-
@rtonerii
OK, I figured it out! I had turned on "Block private networks and loopback addresses" on that interface.
But I still am not getting any logging for the IP range 192.168.2.0/24.
Weird
-
The Orbi is probably NATing the traffic from the guest subnet to something on its WAN so pfSense never sees it. You would need to disable that and add the subnet as a routed subnet in pfSense. If that's possible.
Steve
-
@stephenw10 It is kind of weird, I can find some blocked entries in the firewall logs.
I just can't seem to actually control that IP range, not like the others.
I just need to get rid of the mesh network and start from scratch.
More research and more money, ugh!
-
If there's no way to switch that guest subnet to routed or a VLAN then pfSense can never filter it directly.
-
@rtonerii said in Orbi Router (Access Point) and Guest WI-FI Access:
How do I get the guest WI-FI to have internet access when it has its own IP addresses?
Here is what I did, which seems to work but YMMV
-
I enabled the guest network and connected to it. The Orbi gave me a 192.168.178.n address with 192.168.178.1 as gateway
-
I added 192.168.178.1/24 as a virtual IP alias to my LAN interface (Firewall / Virtual IP)
After that the Guest network clients have internet access
-
-
Hmm, so it was routing that and not NATing? Did you have to set anything in the Orbi to make that happen?
-
@stephenw10 I didn't do anything on the Orbi other than enabling the guest network.
But I did wonder though why the Orbi chose 192.168.178.0/24 subnet for the guest network. Bell started ringing and I realised that 192.168.178. had previously been used as the network between a FritzBox (internet provider router) and the pfSense. The FritzBox was disconnected a while back, or so I thought... I had only moved the WAN connection to pfSense but left the LAN connection dangling. So the DHCP server on the FritzBox responded to the Orbi's request, hence the use of 192.168.178 for the guest network.
In addition to that I found a number of disabled firewall rules relating to 192.168.178. I had been tidying up, except there were some automatically created outbound NAT rules for 192.168.178. still present.
So, somehow this very broken configuration manages to provide internet access to the guest network.
I will remove the FritzBox completely and see how the Guest network behaves when the Orbi allocates its own IP range.
-
@pst said in Orbi Router (Access Point) and Guest WI-FI Access:
I will remove the FritzBox completely and see how the Guest network behaves when the Orbi allocates its own IP range.
After removing the FritzBox LAN connection the Orbi now gets the dynamic IP from pfSense, taken from the DHCP pool.
For me that would work as all my equipment has statically assigned IP addresses. Firewall rules can be set up to block any IP from the pool to access the local network, making the guest network provide only internet access. Which is what the OP (@rtonerii) wanted in the first place?
-
As I understand it OP was seeing that behaviour on the non-guest wifi ssid/subnet. It's simply bridged so pfSense hands out IPs to clients.
But clients on the guest ssid/subnet are given an IP by the Orbi and it NATs that traffic to the same pfSense interface so individual clients cannot be seen.
-
@stephenw10 A quick search on the Netgear forum made me realise that my old RBR50 and newer models work in a slightly different way. On my RBR50 the guest network always gets the IP from the same subnet as the LAN.
More details here, including telnet commands to tinker with the guest network ip addresses:
https://community.netgear.com/t5/Orbi-WIFI-6-AX-AND-Wi-Fi-6E-AXE/RBR850-Changing-Guest-LAN-IP-subnet-Guest-Wireless-subnet-The-IP/m-p/1816715
-
I ended up purchasing the TP-Link EAP650, I will see if it works out, this next weekend!