NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Orbi excessive pinging
Does anyone else see their Orbi satellites doing excessing pings to the default gateway? In my firewall log I am getting thousand of them and I don't know why. Or where to disable it. Joe
dl42 wrote:I'm running RBK13 in AP mode and I see the same high volume of pings on the gateway. Orbi is not acting as dhcp server in my environment.
I also see a large number of pings to external IP addresses. I have support cases open on these but have not had any responses.
Since the Orbi is in AP mode, I believe it is entirely "normal" for the router and satellites to ping the gateway. To us, once a second may seem excessive, but I have no idea what internet "standards" are for that kind of "keep alive" behavior.
Pings to external addresses are a different matter. Are those from the Orbi equipment?
I don't consider this "normal" for any manufacuter. For me it is only the 2 Orbi satellites I have and they are only pinging the default gateway given by the dhcp server of my firewall. I only started capturing the logs into Splunk yesterday but for 20 hours I show over 40,000 pings (screenshot attached) from the 2 sats. Is it impacting my home network performance, probably not. But does it need to be this excessive? I am a security sales engineer and when I do demos I now have to filter out this excessive garbage so it doesn't skew graphs and reports. Bit annoying.
Hopefully someone from Netgear sees this and can comment. Otherwise I'll be looking to toss the system onto ebay.
you might want to take a look at the outbound traffic too.
this lot are from the router RBR10 running in AP mode.
2020-01-10 13:20:18 Allow 8.8.4.4 ICMP
2020-01-10 13:20:18 Allow 8.8.8.8 ICMP
2020-01-10 13:20:19 Allow 143.204.192.117 ICMP
2020-01-10 13:20:20 Allow 143.204.192.117 ICMP
2020-01-10 13:20:20 Allow 13.227.171.99 ICMP
2020-01-10 13:20:20 Allow 143.204.192.117 ICMP
2020-01-10 13:20:20 Allow 13.227.171.99 ICMP
2020-01-10 13:20:20 Allow 143.204.192.117 ICMP
2020-01-10 13:20:20 Allow 13.227.171.99 ICMP
2020-01-10 13:20:21 Allow 143.204.192.117 ICMP
2020-01-10 13:20:21 Allow 143.204.192.117 ICMP
2020-01-10 13:20:21 Allow 13.227.171.99 ICMP
2020-01-10 13:20:22 Allow 143.204.192.117 ICMP
2020-01-10 13:20:22 Allow 13.227.171.99 ICMP
2020-01-10 13:20:22 Allow 13.227.171.99 ICMP
2020-01-10 13:20:22 Allow 143.204.192.117 ICMP
2020-01-10 13:20:22 Allow 143.204.192.117 ICMP
2020-01-10 13:20:22 Allow 13.227.171.99 ICMP
2020-01-10 13:20:22 Allow 13.227.171.99 ICMP
2020-01-10 13:20:22 Allow 143.204.192.117 ICMP
2020-01-10 13:20:22 Allow 13.227.171.99 ICMP
2020-01-10 13:20:22 Allow 13.227.171.99 ICMP
2020-01-10 13:20:23 Allow 143.204.192.117 ICMP
2020-01-10 13:20:23 Allow 143.204.192.117 ICMP
2020-01-10 13:20:23 Allow 13.227.171.99 ICMP
2020-01-10 13:20:23 Allow 13.227.171.99 ICMP
2020-01-10 13:20:23 Allow 13.227.171.99 ICMP
2020-01-10 13:20:23 Allow 13.227.171.99 ICMP
2020-01-10 13:20:24 Allow 143.204.192.117 ICMP
2020-01-10 13:20:24 Allow 13.227.171.99 ICMP
2020-01-10 13:20:24 Allow 13.227.171.99 ICMP
2020-01-10 13:20:25 Allow 13.227.171.99 ICMP
2020-01-10 13:20:25 Allow 143.204.192.117 ICMP
2020-01-10 13:20:25 Allow 13.227.171.99 ICMP
2020-01-10 13:20:26 Allow 13.227.171.99 ICMP
2020-01-10 13:20:26 Allow 13.227.171.99 ICMP
2020-01-10 13:20:45 Allow 52.30.38.228 https/tcp
2020-01-10 13:20:45 Allow 52.30.38.228 HTTP
2020-01-10 13:20:46 Allow 52.30.38.228 HTTP
2020-01-10 13:20:46 Allow 52.211.208.165 https/tcpthis lot from the satellite RBS10;
2020-01-10 13:20:18 Allow 13.227.171.99 ICMP
2020-01-10 13:20:18 Allow 143.204.192.117 ICMP
2020-01-10 13:20:19 Allow 8.8.4.4 ICMP
2020-01-10 13:20:19 Allow 8.8.8.8 ICMP
2020-01-10 13:20:19 Allow 192.168.42.254 icmp
2020-01-10 13:20:19 Allow 13.227.171.99 ICMP
2020-01-10 13:20:19 Allow 143.204.192.117 ICMP
2020-01-10 13:20:20 Allow 143.204.192.117 ICMP
2020-01-10 13:20:20 Allow 8.8.4.4 ICMP
2020-01-10 13:20:20 Allow 8.8.8.8 ICMP
2020-01-10 13:20:20 Allow 13.227.171.99 ICMP
2020-01-10 13:20:20 Allow 143.204.192.117 ICMP
2020-01-10 13:20:20 Allow 143.204.192.117 ICMP
2020-01-10 13:20:21 Allow 143.204.192.117 ICMP
2020-01-10 13:20:21 Allow 8.8.4.4 ICMP
2020-01-10 13:20:21 Allow 8.8.8.8 ICMP
2020-01-10 13:20:21 Allow 13.227.171.99 ICMP
2020-01-10 13:20:21 Allow 143.204.192.117 ICMP
2020-01-10 13:20:21 Allow 143.204.192.117 ICMP
2020-01-10 13:20:22 Allow 143.204.192.117 ICMP
2020-01-10 13:20:22 Allow 143.204.192.117 ICMP
2020-01-10 13:20:22 Allow 13.227.171.99 ICMP
2020-01-10 13:20:22 Allow 13.227.171.99 ICMP
2020-01-10 13:20:22 Allow 143.204.192.117 ICMP
2020-01-10 13:20:22 Allow 143.204.192.117 ICMP
2020-01-10 13:20:22 Allow 13.227.171.99 ICMP
2020-01-10 13:20:22 Allow 143.204.192.117 ICMP
2020-01-10 13:20:22 Allow 143.204.192.117 ICMP
2020-01-10 13:20:22 Allow 13.227.171.99 ICMP
2020-01-10 13:20:23 Allow 143.204.192.117 ICMP
2020-01-10 13:20:23 Allow 143.204.192.117 ICMP
2020-01-10 13:20:23 Allow 13.227.171.99 ICMP
2020-01-10 13:20:23 Allow 143.204.192.117 ICMP
2020-01-10 13:20:24 Allow 13.227.171.99 ICMP
2020-01-10 13:20:24 Allow 143.204.192.117 ICMP
2020-01-10 13:20:24 Allow 13.227.171.99 ICMP
2020-01-10 13:20:25 Allow 143.204.192.117 ICMP
2020-01-10 13:20:25 Allow 13.227.171.99 ICMP
2020-01-10 13:20:25 Allow 143.204.192.117 ICMP
2020-01-10 13:20:25 Allow 13.227.171.99 ICMP
2020-01-10 13:20:26 Allow 13.227.171.99 ICMP
2020-01-10 13:20:26 Allow 13.227.171.99 ICMPRan a search for both satellites with a 4 hour window and I got 7880 pings and only one destination IP, the default gw. Running same search (4 hours) on the main Orbi I get 213 events and 8 destination IPs. 91 are going to the default gw but the rest look valid. Definately should not be normal behaviour for any satellite AP.
Joe
I would file a support ticket and make contact with NG support about this:
https://www.netgear.com/mynetgear/registration/login.aspx
j0ebeer wrote:Ran a search for both satellites with a 4 hour window and I got 7880 pings and only one destination IP, the default gw. Running same search (4 hours) on the main Orbi I get 213 events and 8 destination IPs. 91 are going to the default gw but the rest look valid. Definately should not be normal behaviour for any satellite AP.
Joe
I checked my capture file again. My (one) satellite generated an ICMP to the gateway at least once a second, plus some "extra" here and there. Extrapolating to two satellites and 20 hours, I would expect to see more than (60sec/min * 60min/hr * 20hrs * 2 sats =) 144,000 pings. Yet the firewall logged only 40,000. Either (a) I captured at an unusual time and the satellite does not ping at the same rate all the time, (2) the satellite ping rate is adjusted when the Orbi is not the gateway (AP mode), or (3) the firewall is not capturing all of the pings. I cannot test AP mode. Just a mystery to me.
"Normal behavior" in terms of WiFi access points pinging the gateway is also a mystery. The first time I used Wireshark on my network, I was astounded at the amount of "chatter" going on. Even though I have disabled IPv6, there are IPv6 packets flying around my network. Devices are ARPing their brains out. My Tivo's seem inordinately curious, broadcasting incessantly. The WiFi access points are transmitting broadcasts several times a second (even the hidden 5G WiFi backhaul link). I am not even sure what Google search terms would produce a standards document (if there is one).
Replacing the Orbi with "something else" is sort of a crap shoot. The only way to find out what other systems do is to plug them in and see what happens. What happens if the next system does the same thing? Try another. The "bay" is going to fill up with WiFi systems. (LOVE the San Francisco pun!)
Surely the firewall has whitelist rules to exclude things from capture and reporting. That sounds (to me) like the most direct way to the end result, and also an additional "selling point." "Suppose we know that our point of sales terminals constantly contact the bank system. See how easy it is to not mark those connections as suspect."
