Bay510
Oct 07, 2019, Guide
RBR50 - VPN assigns IP address to different subnet
Hi everyone, I have the Orbi RBR50 w/ FW v2.3.5.30. The issue I'm having is when I connect via VPN (OpenVPN iOS app), the IP address assigned is on a different subnet. (i.e.: my internal addresses a...
CrimpOn
Oct 08, 2019, Guru - Experienced User
Bay510 wrote: So in my case, the only option I have is to "allow" access to my cams, but block all ports. My last question is if I block all ports (tcp/udp) is this essentially the same as using "block" in access control?
I am probably missing the point somehow. If the cameras are set to Allow, that means that the cameras can access the internet, and once they open a connection to someplace, that connection can be used for two-way communication. It does not mean that someone on the internet can open a connection to the camera from outside.
Go ahead, try it. The Orbi has a public IP address. Open a web browser and try to get through the Orbi to one of the cameras. The Orbi is doing "NAT" so that each time a device on the Orbi LAN opens a connection, it gets assigned a port number by NAT. Until the device opens a connection, the router has no mechanism to connect something on the outside to it.
There are only three ways a connection can be opened from outside: (1) using VPN, (2) by "opening a port" to a specific internal IP address, and (3) by putting one device in the DMZ.
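The NAT behaviour described in the post above, as an added example that is not part of the original thread: a simplified Python model of a router's mapping table. The class name, addresses and ports are constructed for illustration, the filtering is modelled as address-and-port dependent (real routers vary), and the VPN path (1) is not modelled because it terminates on the router itself.

```python
# Simplified model of a home router's NAT table (added illustration; every
# address, port and name below is constructed for this example).
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NatRouter:
    public_ip: str
    port_forwards: dict = field(default_factory=dict)  # public port -> (lan_ip, lan_port)
    dmz_host: Optional[str] = None
    _next_port: int = 40000
    _out: dict = field(default_factory=dict)  # (lan_ip, lan_port, remote) -> public port
    _in: dict = field(default_factory=dict)   # (public port, remote) -> (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port, remote):
        """A LAN device opens a connection; the router allocates a public port."""
        key = (lan_ip, lan_port, remote)
        if key not in self._out:
            self._out[key] = self._next_port
            self._in[(self._next_port, remote)] = (lan_ip, lan_port)
            self._next_port += 1
        return self._out[key]

    def inbound(self, remote, public_port):
        """Return the LAN (ip, port) an outside packet reaches, or None if dropped."""
        if (public_port, remote) in self._in:    # reply on a connection the device opened
            return self._in[(public_port, remote)]
        if public_port in self.port_forwards:    # (2) an explicitly opened port
            return self.port_forwards[public_port]
        if self.dmz_host:                        # (3) DMZ host receives everything else
            return (self.dmz_host, public_port)
        return None                              # unsolicited: no mapping, so dropped

def demo():
    server = ("203.0.113.10", 443)       # site the camera contacts
    stranger = ("198.51.100.7", 51000)   # unrelated internet host
    r = NatRouter("192.0.2.1")
    results = {"unsolicited": r.inbound(stranger, 554)}
    port = r.outbound("192.168.1.50", 50123, server)
    results["reply"] = r.inbound(server, port)            # two-way once opened
    results["stranger_on_mapped_port"] = r.inbound(stranger, port)
    r.port_forwards[8554] = ("192.168.1.50", 554)
    results["forwarded"] = r.inbound(stranger, 8554)
    r.dmz_host = "192.168.1.50"
    results["dmz"] = r.inbound(stranger, 9999)
    return results

if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name:24} -> {target}")
```
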
Bay510
Oct 08, 2019, Guide
Thank you for all your help CrimpOn! I appreciate the explanation. My concern with securing the cams is to block them from being able to establish outbound connections to the internet entirely. Basically to secure against any back doors that the cams may contain and/or prevent them from broadcasting and exposing themselves to attack. At the same time, I need to be able to access them from my network and when away from my network (VPN). That's why I was attempting to do this at the router, not the cams themselves.
So I set up "Block services" on the router to block all TCP/UDP ports for the IP address range of my cams. I set access control to "allow" for the IP address range of my cams. Doing this I am able to VPN in and directly access the IP address of my cams. So for what it's worth this method seems to work.
One strange note is that when I logged into my router today, all my reserved ip addresses were gone, as well as the block services rules I had set up. Had to set them up all over again. This is the part that is a little disconcerting, I have no idea how that happened, seems random and if it was random, I am worried about truly securing my cams with Orbi.
Thank you ekhalil for your help! I appreciate the explanation. Yes I agree that the issue is with "Access Control". My confusion is really in how it works/ implemented. Seems if you are on the same subnet as a blocked device, you can access it. However, if you are not on the same subnet you cannot. If access control just blocks all ports then I have even more confusion as I have set up a rule to block all ports for my cams, yet when I VPN in and am on a different subnet I can now access the cams by IP address.
My networking knowledge is limited, I'll admit (I know enough to be dangerous :) ) I do google/read a lot for my understanding of things, but this has me scratching my head.
Again, THANK YOU BOTH!!!!! for taking the time to help, troubleshoot, explain things. I really do appreciate it!