1qwerty1
Feb 25, 2020, Tutor
Outbound traffic to Amazon space
Hello, I am wondering why my Orbi AC2200 unit (running latest firmware as of 2/23/2020, RBR20) is constantly making outbound connections to the Amazon space (52.0.0.0/11) over SSL/443. The home ...
1qwerty1
Apr 14, 2020, Tutor
After mucking around, here is my final list of rules with FQDNs/subnet to block/allow (in the top-bottom order, src: Orbi router + satellite):
ALLOW:
www.netgear.com AppID: ping
DENY ANY:
devicelocation.ngxcld.com
fw.updates1.netgear.com
genieremote.netgear.com
http.fw.updates1.netgear.com
peernetwork.netgear.com
presence.ngxcld.com
readycloud.netgear.com
readyshare.netgear.com
registration.ngxcld.com
updates1.netgear.com
DENY: 52.0.0.0/11 AppID: Any
DENY: AppIDs: aws-iot, ftp, ping, ssl, web-browsing
icuhackn
Apr 14, 2020, Tutor
This is great, thanks! I just set mine up. Do you see this destination in your PA logs for ICMP?
( addr.dst in 192.168.0.120 )
I can only assume that perhaps the wifi backhaul is using that address; however, I cannot see anywhere in the WebUI configuration or general documentation that says what network it uses for backhaul connectivity between router and satellite Orbi. I have the AX6000 series devices.
Thanks!
- CrimpOn, Apr 14, 2020, Guru - Experienced User
The Orbi WiFi backhaul is a 5G radio link directly between the router and satellite. Since it is encrypted in a WiFi signal, I doubt very much that this traffic will be "capturable". (word?)
- 1qwerty1, Apr 15, 2020, Tutor
Re: the outbound 192.168.x.x address pings
In my logs since the day I installed the Orbi, I see one ICMP outbound packet from the Orbi router per day to 192.168.100.1 which gets denied by my src:any dst:rfc1918 subnets rule. I am not sure where this comes from.
Btw, if you would like a complete list of URLs your Orbi devices are configured for, telnet to your router, and:
root@RBR20:~# grep -rw '/etc' -e 'https:'
Some of the domains are not related to our devices, however, a few more popped up in the config (I don't see these in the pcaps):
advisor.qa.arloxcld.com
registration.qa.ngxcld.com
presence.qa.ngxcld.com
registration.qa.ngxcld.com
updates.netgear.com
genieremote-qa.netgear.com
devcom-qa.up.netgear.com
arlo-device-staging.messaging.netgear.com
devicelocation.dev.ngxcld.com
devicelocation.qa.ngxcld.com
devicelocation.ngxcld.com
redmine.lighttpd.net
It probably won't hurt to block these as well.
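Added example, not part of the thread: a shell sketch that extends the grep above into a hostname inventory and lists the https:// hosts a deny list does not cover yet. The function names, the deny.txt file and the sample tree are constructed for illustration, and it assumes a grep that supports -o.

```shell
#!/bin/sh
# Added example: inventory https:// hostnames in a config tree and
# report the ones a deny list does not cover yet.

# Print unique, lower-cased hostnames from https:// URLs under directory $1.
# Like the grep in the post, plain http:// URLs are not picked up.
list_https_hosts() {
    grep -rhoE 'https://[A-Za-z0-9.-]+' "$1" 2>/dev/null |
        sed -e 's#^https://##' -e 's#\.*$##' |
        tr 'A-Z' 'a-z' | sort -u
}

# Print hosts found under $1 that are not listed (one per line) in deny file $2.
# Matching is exact; an empty deny file means every host is reported.
uncovered_hosts() {
    list_https_hosts "$1" |
        awk -v deny="$2" '
            FILENAME == deny { blocked[tolower($0)] = 1; next }
            !($0 in blocked)
        ' "$2" -
}

# Build a constructed sample tree (not real router contents) under $1.
make_sample() {
    mkdir -p "$1/etc/cfg"
    printf 'url=https://registration.ngxcld.com/api\n' > "$1/etc/cfg/reg.conf"
    printf 'loc="https://devicelocation.ngxcld.com"\nqa=https://Presence.QA.ngxcld.com/x\n' \
        > "$1/etc/cfg/loc.conf"
    printf '# see https://redmine.lighttpd.net.\nplain=http://updates1.netgear.com\n' \
        > "$1/etc/lighttpd.conf"
    printf 'registration.ngxcld.com\ndevicelocation.ngxcld.com\n' > "$1/deny.txt"
}

tmp=$(mktemp -d)
make_sample "$tmp"
echo "hosts in config:";      list_https_hosts "$tmp/etc"
echo "not yet in deny list:"; uncovered_hosts "$tmp/etc" "$tmp/deny.txt"
rm -rf "$tmp"
```

Hosts that only appear in packet captures or firewall logs will not show up here, so the output complements the logs rather than replacing them.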
- FURRYe38, Apr 15, 2020, Guru - Experienced User
192.168.100.1 may be your upstream modem? Standalone modems usually use this address for their web page access.