ohaya1001
Aspirant
Feb 24, 2025

Does Access Control block OUTGOING or INCOMING connections?

Hi,

 

I was wondering about the settings in Access Controls, when it "blocks" connections, is it referring to blocking incoming connections (i.e., connections FROM "outside")?

 

Or is it referring to blocking outgoing connections (i.e., connections TO the "outside")?

 

For example, if a line has:

 

Blocked | Samsung | 10.0.0.3 | 80:47:86:51:BE:40 | 5ghz wireless

 

Does that mean that

(a) the Samsung device whose IP is 10.0.0.3 and whose MAC is 80:47:86:51:BE:40 is NOT allowed to connect over 5ghz wireless to the ORBI network?

or (b) does it mean that connections FROM the ORBI TO that Samsung device are not allowed?

 

I am specifically interested in being able to "whitelist" incoming connections, i.e., being able to specify a list of IP/MAC addresses that are allowed to make connections into the ORBI.  Is that Access Control functionality able to provide that?

 

In other words I want to be able to specify which IPs can connect into the ORBI and when I do that, want all other IPs to be prevented from connecting into the ORBI.

 

Thanks!

Jim

 

10 Replies

  • CrimpOn
    Guru - Experienced User

    Access Control is a mechanism to control which MAC addresses are allowed to connect to the Orbi Local Area Network (LAN).  It has nothing to do with connections from the internet.  It also has nothing to do with IP addresses.

     

    If a device with MAC address aa:bb:cc:dd:ee:ff is "Blocked", then that device may connect to the network**, but it cannot send Ethernet packets to any other device on the network, nor can it receive packets from any other device on the network.

     

    ** Connecting to the network is different from being able to use the network.  Two situations come to mind:

     

    • Ethernet connections.  Suppose that a specific Ethernet MAC address has been "Blocked" but it is connected to the Orbi router with a cable.  It is definitely "connected" to the Ethernet switch built into the Orbi router.  If another device is also connected to the same router, then those two devices can communicate because the switch "knows" where they are.  As long as packets flow between those two devices and do not pass through the router itself, then that device is in some sort of weird state.  It can communicate with other Ethernet devices connected to the same switch, but not anywhere else.
    • WiFi connections are similar.  If the MAC address belongs to a WiFi adapter, it can "connect" to the Orbi WiFi if it presents the correct password.  But, it cannot communicate with any other device.

     

    It would be helpful to know what you are attempting to do.  Access Control may not be the appropriate mechanism.

  • KevinLiT
    NETGEAR Moderator

    Hello ohaya1001 ,

     

    Welcome to the NETGEAR Community!

     

    I understand that you would like to use access control as a whitelist to block all new devices from accessing your network.

     

    In regards to the scenario you mentioned above, with access control enabled, the Samsung device whose IP is 10.0.0.3 and whose MAC is 80:47:86:51:BE:40 will NOT be allowed to connect to the Orbi wireless network.

     

    Please be sure to connect to your Orbi network with all the devices you would like to permit on the network before enabling the access control.

     

    Best,

    Kevin

    Community Team

    • ohaya1001
      Aspirant

      Kevin and Crimp Guru,

       

      Sorry I didn't notice your responses and posted another thread, but maybe we can continue here....

       

      I will try to explain what I am looking for, and why...

       

      So we have Orbi through our house (1 router and 4 satellites), and I mostly work from home.  

       

      I have one situation, where I had to set up a small dev environment (4 machines, one running multiple Vbox guests), and once in a while I need to provide some access to the "outside", e.g., so some colleagues can test from outside.

       

      Usually, I try to limit how long I leave those open to the outside, but there was a situation where I had to leave one machine accessible to the outside for several hours and, from the Orbi logging I found a TON of connections.

       

      So, if possible, I would like to basically configure an "inbound whitelist" that would prevent ANY inbound communications from outside the Orbi, other than from the devices on the whitelist.

       

      I've been looking into how I can accomplish that, but if the Orbi could do that, that would be great!

       

      Thanks,

      Jim

       

       

       

      • CrimpOn
        Guru - Experienced User

        You need Port Forwarding to allow connections through the router to specific devices on the LAN.

        It would be up to the device to decide which connections to accept (and which to deny).

        Windows Firewall, for example, seems to have this ability.  (I see articles about "Permitting Teams access...")
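
The approach described in the reply above (forward the port on the router, then let the receiving machine decide which sources to accept), sketched for Windows Firewall. This is an added example, not part of the original thread; it assumes the router's port forward preserves the remote source address, and TCP port 8443, the rule name, and the documentation-range addresses are constructed placeholders.

```powershell
# Added example. Run in an elevated PowerShell session on the Windows machine
# that the router forwards the port to.
# Constructed values: 8443 is a hypothetical forwarded port; the addresses are
# documentation ranges (RFC 5737) standing in for colleagues' public IPs.
$Port     = 8443
$Allowed  = @('203.0.113.10', '198.51.100.0/24')
$RuleName = 'Dev test access (allowlisted sources only)'

# 1. An allowlist only works if unmatched inbound traffic is dropped.
#    DefaultInboundAction should read Block (or NotConfigured, which means Block)
#    on every enabled profile.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 2. Allow rules are additive: any existing enabled rule that admits this port
#    from "Any" remote address defeats the allowlist. List candidates for review.
#    (Rules that cover the port through a range such as 8000-9000 are not matched
#    by this simple check and need a manual look.)
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $p = $_ | Get-NetFirewallPortFilter
        $a = $_ | Get-NetFirewallAddressFilter
        ($p.Protocol -in 'TCP', 'Any') -and
        ($p.LocalPort -contains "$Port" -or $p.LocalPort -contains 'Any') -and
        ($a.RemoteAddress -contains 'Any')
    } |
    Select-Object DisplayName, Profile |
    Format-Table -AutoSize

# 3. Create the scoped rule: inbound TCP to $Port is accepted only when the
#    source address is in $Allowed.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $Port `
    -RemoteAddress $Allowed `
    -Profile Any

# 4. Confirm what the rule actually matches.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 5. When the test window closes, remove the rule (and the router's port forward).
# Remove-NetFirewallRule -DisplayName $RuleName
```

Any rule listed by step 2 has to be disabled or given its own remote-address scope; otherwise the forwarded port remains reachable from every source.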

         

  • Hi,

     

    The ORBI that we have has Security==>Access Control configuration available.

     

    I am trying to prevent inbound communication, e.g., I am seeking inbound "whitelisting", where I can specify a set of IP addresses and then only communications from devices on the WAN-side with those IP addresses in the whitelist will be allowed. 

     

    All communication from devices with any other IP addresses on the WAN-side must be blocked.

     

    From the Help on the Orbi, and some searching it is unclear whether the Access Control is only to prevent communications TO the outside, or vice-versa.

     

    Does anyone know if the Access Control in the Orbi is able to do that? 

     

    Thanks,

    Jim

    • CrimpOn
      Guru - Experienced User

      Orbi WiFi routers do not have this capability.

       

      By default, any device on the LAN can initiate connections to any location on the internet. Once the connection is active, then responses can pass through the router to the device that opened the connection.  There is a setting called Block Services which can be used to prevent specific devices on the LAN from opening specific types of outgoing connections (or block every type of connection).

       

      No device on the internet can initiate connections to the LAN unless the system has been set to forward specific ports to specific devices on the LAN.

       

      What it sounds like you are asking for is the ability to block internet addresses (or block every internet address except designated addresses) from responding.

       

      i.e. even if a user opens a web browser and tries to open a web page at (name the site), the system will block the connection to that site unless it is "on the list".

       

      Perhaps I have misunderstood the question.

       

       

      • ohaya1001
        Aspirant

        Hi CrimpOn Guru,

         

        I hadn't noticed that there were some responses to my earlier thread so sorry for double posting.

        Perhaps we can keep the discussion on the other thread.

         

        Also, FYI, I just posted a message on the other thread, trying to explain what I am trying to do, and why.

         

        Thanks,

        Jim

         

         

  • While this model of Orbi doesn't do exactly what you want in your scenario, I'd like to suggest a different possible solution.  As you sound like you are running some tech on the backend that needs in/out access to the mean streets of the internet, might I suggest you think about running a small home hardware firewall such as pfSense, UniFi, or the like.  There's a little bit of a learning curve but after that you will have some very granular control of what your network is allowed to do.  I've run a host of Orbi products in AP mode with pfSense for years, recently switching over to Ubiquiti UniFi products, and from a security perspective it's money well spent.  This might also keep you in the Netgear Orbi ecosystem since you can do what you want to do while still using the Orbi mesh products.