DCP4971
Jun 02, 2022 Luminary
Blocked Sites
Hi all, Bit of a weird one for me. I have a number of keywords included in Block Sites on my RBR850. These seem to work fine, I get an alert every time they come up, which is good. Howeve...
CrimpOn
Jun 02, 2022 Guru
You are correct. This is a weird one. Site blocking can only function with regard to devices connected to the Orbi LAN. Devices out on the internet attempting to connect to some web site will be directed to that site's IP, not to your home router.
I hope you are aware that the utility of site blocking on Netgear routers has diminished as web browsers have changed. The Orbi mechanism blocks only unencrypted (http) connections. It does not block encrypted (https) connections. Now that close to 100% of web sites are https, web browsers are starting to assume that any URL entered by the user that does not specifically indicate http is intended to be https, and they search for the secured web site first, thus bypassing the Orbi site blocking capability.
As an example, I set up a block for the keyword "ford" and set blocking to "Always".
Open a web browser and enter http://ford.com. Blocked by the Firewall message comes up immediately.
Enter https://ford.com, and the web site pops right up. Not blocked.
An interesting side note: site blocking takes place after the DNS lookup. My other site blocking entry is "sexykitten".
Search for http://sexykitten.com brings up a "site not found" response in the web browser. (Why no one has created a web site called sexykitten is a mystery.)
Sorry to be no help. I cannot think of any explanation for how this sort of message could show up in the Orbi log file.
DCP4971
Jun 07, 2022 Luminary
Thanks for the reply, I wasn't aware that was how the blocking worked. Seems a bit lacking for a £1000 system, but not entirely surprised it's not as fully functioning as it could be, given nothing much has changed in the FW functionality for about 5 years.
So, I'm still puzzling about this issue. It keeps coming up every few days, with little pattern, and the LAN/WAN Packet Capture is next to useless as it doesn't hold the data in memory for very long, and port mirroring doesn't seem to be available as an option on the 850 where it was on the 50 (though I doubt it actually worked, from what I had read).
Have been playing with Wireshark, but that seems overkill in terms of the amounts it captures vs the needle in a haystack that is this occasional visitation of a blocked site... but maybe I need to persevere to see if I can refine what it sniffs out.
I am loath to just give up, I don't like being beaten, so any suggestions on what I might be able to do would be appreciated.
- CrimpOn Jun 07, 2022 Guru
I face the same frustration with attempting to capture information about internet traffic. Like Alice, I went "down the rabbit hole."
- Purchased a gigabit switch that allows mirroring ports.
  Amazon sells the Netgear GS-105Ev3 and GS-108Ev3. I bought the 8-port because the day I looked it cost less than the 5 port.
  I had tried a TP-Link switch, but could not get the port mirroring to work.
- Insert the switch between modem and router.
- Mirror one of the ports (doesn't matter which) to a different port.
- Connected that port to my PC. (Because the PC's only Ethernet port was already in use, I purchased a Gigabit to USB adapter.)
- Opened Wireshark to capture the USB adapter.
- Once I verified that Wireshark could capture the router-modem communication, created Wireshark Capture filters to record only the information I wanted. (It would have worked to capture all those gigabytes of data and try to sort through it later, but this became an obsession.) Some examples:
  - Recorded the pattern of DHCP packets when my router would ask the ISP to renew both the IPv4 lease and the IPv6 lease.
    It turns out that my ISP (Spectrum) behaves exactly as expected.
  - Recorded every time the router contacted Netgear's firmware update site.
Unless these spurious attempts come from exactly the same source IP every time, I fear you would have to capture everything and when the log shows a site being blocked, then go into Wireshark and look for packets at about that time of day.
So, not trivial or low cost.
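One way to shrink the haystack, as an added example that is not part of the original posts: because the keyword block described above only fires on unencrypted http, a capture limited to TCP port 80 and saved in classic pcap format can be scanned for requests whose Host header or path contains a blocked keyword, and the hit times lined up with the router log. The function names, addresses and sample packets are constructed for illustration, and matching on Host and path is an assumption about where the keyword appears.

```python
import re
import struct

REQ = re.compile(rb"^[A-Z]+ (\S+) HTTP/1\.[01]\r\n")
HOST = re.compile(rb"\r\nHost:[ \t]*([^\r\n]+)", re.I)

def find_keyword_requests(pcap_bytes, keywords):
    """Return (epoch_seconds, src_ip, dst_ip, host, path) for each plain-HTTP
    request in a classic Ethernet pcap whose Host or path contains a keyword."""
    magic, network = struct.unpack_from("<I16xI", pcap_bytes, 0)
    if magic != 0xA1B2C3D4 or network != 1:
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    hits, off = [], 24                        # records follow the 24-byte header
    while off + 16 <= len(pcap_bytes):
        ts, _usec, caplen, _wirelen = struct.unpack_from("<IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                          # keep IPv4 carrying TCP only
        tcp = 14 + (frame[14] & 0x0F) * 4     # start of the TCP header
        if len(frame) < tcp + 20:
            continue
        dport, = struct.unpack_from("!H", frame, tcp + 2)
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]
        req = REQ.match(payload)
        if dport != 80 or not req:
            continue                          # https (443) payloads are not readable
        host = HOST.search(payload)
        h = host.group(1).decode("latin-1") if host else ""
        p = req.group(1).decode("latin-1")
        if any(k.lower() in (h + p).lower() for k in keywords):
            src = ".".join(map(str, frame[26:30]))
            dst = ".".join(map(str, frame[30:34]))
            hits.append((ts, src, dst, h, p))
    return hits

def sample_pcap():
    """Constructed capture: one HTTP request to ford.com, one to example.org."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, host in ((1654600000, b"ford.com"), (1654600060, b"example.org")):
        http = b"GET / HTTP/1.1\r\nHost: " + host + b"\r\n\r\n"
        tcp = struct.pack("!HHIIBBHHH", 50000, 80, 0, 0, 5 << 4, 0x18, 1024, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(http), 0, 0, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + http
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print(find_keyword_requests(sample_pcap(), ["ford"]))
```

Wireshark saves pcapng by default, so the capture has to be saved as pcap for this parser; a capture filter of `tcp port 80` keeps the file small enough to leave running for days.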