If you have authoritative control over the DHCP server, you can create as many subnets as you'd like using it.
I don't think you're right, Seeker1437. But I hope I'm wrong. If there's really a way for me to create a separate IoT subnet on the G3100, please tell me and everyone else how. The DHCP management page has no option that I can see to create more than one non-guest subnet.
Hi, Cang_Household.
I'm only familiar with Windows and iPhone, but I don't see a security benefit to isolating devices from each other. Some guest users might very well need to communicate within their subnet.
What the firmware publisher really should do in my opinion is provide for three subnets in the router's management console -- a personal subnet, a guest subnet and an IoT subnet. That would satisfy my needs. But I don't see why it would be hard to update the firmware to allow users who need them to create as many subnets as they want within the last two octets.
The FBI's recommendation that IoT devices should be on their own separate subnet away from our computers and smartphones is noncontroversial, as far as I know. The recommendations are not for the NSA and CIA. They are for everyday folks like you and me. Consumer router makers should make it easy instead of impossible for users to follow these noncontroversial best practices.
Along those same lines, IoT makers should also be more open about what security protocols their devices follow. But that's an issue for another community.
Seeker1437 is right. Seeker1437 did not imply that this setting is available on G3100's DHCP server, but you do not need to use G3100's DHCP server. Any computer with Network Interface Cards can act as a DHCP server or even a router. You can disable G3100's DHCP server and set up your own DHCP server.
With your own DHCP server, you can create as many subnets as you want. G3100's Guest Network is not simply a subnet. It is like a VLAN. For security, you want your user devices and IoT on separate broadcast domains, not only on separate subnets.
@jlg2 wrote: I'm only familiar with Windows and iPhone, but I don't see a security benefit to isolating devices from each other. Some guest users might very well need to communicate within their subnet.
You isolate your devices from guests' for security. Why would guests not want to isolate their devices from each other?
Regarding your IoT subnetting, I have answered you above. You actually want VLANs, not only subnetting.
BHR 3 (Actiontec MI424WR) used to support VLANs. The VLAN support was dropped in BHR 4 (also known as the Quantum Gateway Router or Fios-G1100). The VLAN support was not added back in BHR 5 either (commonly known as Fios Router or Fios-G3100). The reason is twofold. 1) Average consumers do not use VLANs at home. 2) Correctly setting up VLANs requires intermediate networking knowledge.
Thanks again, Cang_Household, for the 1/12/21 post about using Windows DHCP service. I had not thought about that alternative. Your post did not have enough info for me to understand how it would work though.
I understand how to provide DHCP service from Windows. Or at least from the Pro and Education implementation of Windows. But if you did that and disabled the router's DHCP service, how would the Windows computer rejoin the LAN?
In other words, you disable DHCP on the G3100 then you enable it on the Windows computer attached to the LAN. I get that. But then what? What happens when the Windows computer restarts? It seems like there's a step missing here.
Good point, Cang_Household, about isolating users on a guest network. You're right, guests would be exposed to a less private network.
On the other hand, most of my guests would prefer access to communicate across their private network. You can usually increase security by decreasing capability.
I suppose the perfect solution would be for both older and newer versions of the Verizon router to be updated so that they provide an option for the router manager to choose whether he wants the addresses isolated from each other on the guest network. Some people might even want that on their primary network.
I still think the perfect solution is for the firmware to be changed so that it easily provides three networks that are simply labeled, primary, guest and IoT, so that any fool like me can configure a secure home LAN for himself and his guests.
Failing that, the easiest thing for Verizon to do is remove the 10-connection limit on the guest network.
DHCP stands for Dynamic Host Configuration Protocol. What is the opposite of dynamic? Static.
@jlg2 wrote: But if you did that and disabled the router's DHCP service, how would the Windows computer rejoin the LAN?
Right now, the DHCP server on your Windows is disabled, and the G3100 is acting as a DHCP server. The same question would go to G3100. How does G3100 join the LAN in the first place? Who can G3100 ask to assign it a LAN IP address? G3100 asks itself? No, it does not have that authority. The answer is static configuration. You can assign any LAN IP address to any device you want, even multiple IPs on different subnets for the same device, as long as the IPs do not conflict with other devices. (G3100 does not create the LAN. Any two network cards can create a "LAN." LAN is only a name to designate a network). As long as a network interface can access other network interfaces, it is considered to be joined (no matter whether you want to route to there or switch to there.)
Again, a Windows DHCP server may not be your solution. Subnetting through DHCP server only ensures layer 3 isolation. What you are looking for is layer 2 isolation. The Guest Network on G3100 is layer 2 isolated from the host network. Layer 2 isolation can be easily achieved using a commercial-grade access point or switch.
@jlg2 wrote: You can usually increase security by decreasing capability.
Not necessarily. Commercial access points and switches can achieve selective access control. You can control how much network A can access network B. For instance, if you only want the media server on network A to be accessible on network B, you can configure that in seconds.
@jlg2 wrote: I suppose the perfect solution would be for both older and newer versions of the Verizon router to be updated so that they provide an option for the router manager to choose whether he wants the addresses isolated from each other on the guest network. Some people might even want that on their primary network.
Major revisions to the firmware are costly and technically difficult. Considering different parts of a Verizon home network come from at least two different vendors, they must all work together to ensure a smooth implementation. Not to mention the associated cost and lengthy approval process.
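The layer 3 versus layer 2 distinction made in the post above can be checked against a device inventory. This is an added example, not part of the original thread: the device names, addresses and segment labels are constructed, and the segment label stands for whichever VLAN, guest SSID or separate switch a device actually sits on.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: (name, address/prefix, layer-2 segment label).
DEVICES = [
    ("laptop",       "192.168.1.10/24",  "main"),
    ("phone",        "192.168.1.11/24",  "main"),
    ("smart-plug",   "192.168.50.20/24", "main"),   # "IoT subnet" from DHCP, same wire
    ("camera",       "192.168.50.21/24", "main"),
    ("guest-tablet", "192.168.200.5/24", "guest"),  # guest network, separate segment
]

def audit(devices):
    """Classify every device pair by the kind of separation between them."""
    findings = []
    for (n1, a1, s1), (n2, a2, s2) in combinations(devices, 2):
        net1 = ipaddress.ip_interface(a1).network
        net2 = ipaddress.ip_interface(a2).network
        same_subnet = net1.overlaps(net2)
        if s1 != s2:
            verdict = "L2"        # separate broadcast domains
        elif not same_subnet:
            verdict = "L3-only"   # different subnets, shared broadcast domain
        else:
            verdict = "none"      # same subnet, same segment
        findings.append((n1, n2, verdict))
    return findings

def l3_only_pairs(devices):
    """Pairs whose separation depends on IP addressing alone."""
    return [(a, b) for a, b, v in audit(devices) if v == "L3-only"]

def mixed_segments(devices):
    """Segments carrying more than one subnet: broadcast traffic and any
    statically configured address there ignore the DHCP-assigned split."""
    seen = {}
    for _, addr, seg in devices:
        seen.setdefault(seg, set()).add(ipaddress.ip_interface(addr).network)
    return {seg: sorted(nets) for seg, nets in seen.items() if len(nets) > 1}

if __name__ == "__main__":
    for a, b in l3_only_pairs(DEVICES):
        print(f"{a} <-> {b}: separated by subnet only, same broadcast domain")
    for seg, nets in mixed_segments(DEVICES).items():
        print(f"segment '{seg}' carries {', '.join(map(str, nets))}")
```

Every pair it reports as "L3-only" is the case the post warns about: the IoT devices have their own subnet but still share a broadcast domain with the computers and phones.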
The latest G3100 firmware, 3.1.0.14, has a separate IoT subnet.