1qwerty1
Feb 25, 2020, Tutor
Outbound traffic to Amazon space
Hello, I am wondering why my Orbi AC2200 unit (running latest firmware as of 2/23/2020, RBR20) is constantly making outbound connections to the Amazon space (52.0.0.0/11) over SSL/443. The home ...
icuhackn
Apr 14, 2020, Tutor
Thank you for this thread ... I thought I was going crazy looking at my PA-220 logs and seeing all this traffic. I have a very similar setup as you. Going to add those to my pi-hole blacklists too. The Satellite is making outbound calls too and not just the router in AP mode.
1qwerty1
Apr 14, 2020, Tutor
After mucking around, here is my final list of rules with FQDNs/subnet to block/allow (in the top-bottom order, src: Orbi router + satellite):
ALLOW:
www.netgear.com AppID: ping
DENY ANY:
devicelocation.ngxcld.com
fw.updates1.netgear.com
genieremote.netgear.com
http.fw.updates1.netgear.com
peernetwork.netgear.com
presence.ngxcld.com
readycloud.netgear.com
readyshare.netgear.com
registration.ngxcld.com
updates1.netgear.com
DENY: 52.0.0.0/11 AppID: Any
DENY: AppIDs: aws-iot, ftp, ping, ssl, web-browsing
- icuhackn, Apr 14, 2020, Tutor
This is great, thanks! I just set mine up. Do you see this destination in your PA logs for ICMP?
( addr.dst in 192.168.0.120 )
I can only assume that perhaps the wifi backhaul is using that address; however, I cannot see anywhere in the WebUI configuration or general documentation that says what network it uses for backhaul connectivity between router and satellite Orbi. I have the AX6000 series devices.
Thanks!
- CrimpOn, Apr 14, 2020, Guru - Experienced User
The Orbi WiFi backhaul is a 5G radio link directly between the router and satellite. Since it is encrypted in a WiFi signal, I doubt very much that this traffic will be "capturable". (word?)
- 1qwerty1, Apr 15, 2020, Tutor
Re: the outbound 192.168.x.x address pings
In my logs since the day I installed the Orbi, I see one ICMP outbound packet from the Orbi router per day to 192.168.100.1, which gets denied by my src:any dst:rfc1918 subnets rule. I am not sure where this comes from.
Btw, if you would like a complete list of URLs your Orbi devices are configured for, telnet to your router, and:
root@RBR20:~# grep -rw '/etc' -e 'https:'
Some of the domains are not related to our devices, however, a few more popped up in the config (I don't see these in the pcaps):
advisor.qa.arloxcld.com
registration.qa.ngxcld.com
presence.qa.ngxcld.com
registration.qa.ngxcld.com
updates.netgear.com
genieremote-qa.netgear.com
devcom-qa.up.netgear.com
arlo-device-staging.messaging.netgear.com
devicelocation.dev.ngxcld.com
devicelocation.qa.ngxcld.com
devicelocation.ngxcld.com
redmine.lighttpd.net
It probably won't hurt to block these as well.
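Added example, not part of the original posts: a way to turn saved output of the `grep -rw '/etc' -e 'https:'` command above into a de-duplicated hostname list for a firewall or pi-hole blocklist, and to set aside hostnames outside the vendor domains seen in this thread. The function names, file paths and URL paths in the sample are constructed for illustration, and the script assumes it runs on a workstation against a saved copy of the output rather than on the router.

```shell
#!/bin/sh
# Added example. Sample input is constructed; only the hostnames come from the thread.
sample_grep_output() {
    cat <<'EOF'
/etc/example-a.conf:update_url=https://updates1.netgear.com/example/path
/etc/example-a.conf:backup_url=https://UPDATES1.netgear.com:443/example
/etc/example-b.sh:curl "https://devicelocation.ngxcld.com/example"
/etc/example-c.conf:# see https://redmine.lighttpd.net/example for details
/etc/example-d.json:{"advisor": "https://advisor.qa.arloxcld.com"}
/etc/example-e.conf:scheme=https:
EOF
}

# Read grep output on stdin, print unique lowercase hostnames, one per line.
# Lines that mention "https:" without a host (last sample line) yield nothing.
extract_hosts() {
    grep -oiE 'https://[a-z0-9.-]+' \
    | cut -d/ -f3 \
    | tr 'A-Z' 'a-z' \
    | sed -e 's/\.$//' \
    | LC_ALL=C sort -u
}

# Keep only hostnames that equal, or are subdomains of, the suffixes given
# as arguments. The (^|\.) anchor stops "notnetgear.com" matching "netgear.com".
vendor_only() {
    pattern=$(printf '%s\n' "$@" | sed -e 's/\./\\./g' | paste -sd'|' -)
    grep -E "(^|\.)(${pattern})\$"
}

# Stand-alone run: print the vendor hostnames found in the sample.
sample_grep_output | extract_hosts | vendor_only netgear.com ngxcld.com arloxcld.com
```

Hostnames that `vendor_only` drops, such as the lighttpd one, come from software bundled in the firmware, so review them separately before adding them to a blocklist.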