F_V
Luminary
Jun 22, 2023
Solved

Why does blocking ICMP cause constant Orbi reboots?

OK, I'll start this by saying please do not respond if you are only going to comment, "why do you care about ICMP, why are you blocking it, etc.".  This is just an academic question from my own curiosity, as well as the fact that no other Orbi I've owned has done this before. 

 

I have an RBRE960 Orbi Mesh system, 1 router and 2 satellites running in AP mode.  My DHCP, DNS, VPN, etc., is handled by a pfSense firewall, and the Orbi router is plugged directly into this.  This setup has worked flawlessly for ages, and my rule sets are such that I only allow required ports, and block everything else.  Not for need, but just because I like to tinker. 

 

My question is this:  Why does this Orbi not allow you to block ICMP between the router and the firewall/gateway appliance?  If I allow ICMP, it works as expected, but as soon as I block ICMP traffic, the Orbi just reboots constantly, making it impossible to connect for more than a few seconds.  Does blocking ICMP tell the Orbi that it's offline and cause constant reboots?

 

Also, I will say for others getting constant reboots, which I see all over the forums, that this may be the culprit.  Some internet facing hardware may not reply to ICMP.  Turning this on/using hardware that does reply to ICMP may fix it.

 

Curious...

  • F_V
    Jul 01, 2023

    I appreciate all the input, it's nice to see a forum where people actually help one another.  While it is annoying to have 30k unnecessary pings a day in my firewall logs, I can just filter them out in the future.  I did notice during some packet inspection that all of the Orbi satellites are also pinging the router, however blocking these doesn't seem to cause the Orbi to reboot for some reason, so I'll just leave those blocked.

     

    Thanks everyone, see you all next time I have an obscure networking question.

21 Replies

  • Interesting.  I had a lot of reboots in AP mode as well (would even cause the ISP modem to restart!). In Router mode, it presented more as disconnects and the ISP modem didn't reboot.  It seemed to be related to IPv6 as disabling it helped, but before I could get too far testing that, support gave me some beta firmware to try.

    You might sign up for the beta software and try that.  It seems to have solved most of my problems although I have not tried AP mode again.  And now Xfinity is doing some work / upgrades and our system is chaos, so testing anything this week is impossible.  I'm lucky to get internet at all now.

     

    • F_V
      Luminary

      Thanks for the reply.  Yes, these reboots are a direct result of me blocking ICMP replies back to the Orbi while in AP Mode.  If it doesn't see the ICMP reply, the Orbi reboots over and over until I unblock ICMP.  I've also disabled IPv6 on all devices that I'm able to on my LAN, no real reason to run that behind NAT in my opinion.  Of course my Chromecast is happily jabbering away blasting out data via IPv6, though unfortunately for it, nobody is listening 🙂

       

      Not sure about signing up for the beta firmware, on the one hand I do love to tinker, on the other hand I've been burned by Netgear firmware updates enough times to be wary about changing from a working firmware version.  Are there any added features to the beta?

      • I can confirm that the beta would be worth trying. Not sure about the ICMP thing though as I've not tried that. I'll check on this with others and see if they can reproduce this. 

         

        Straq 


  • F_V wrote:

    My question is this:  Why does this Orbi not allow you to block ICMP between the router and the firewall/gateway appliance?  If I allow ICMP, it works as expected, but as soon as I block ICMP traffic, the Orbi just reboots constantly, making it impossible to connect for more than a few seconds.  Does blocking ICMP tell the Orbi that it's offline and cause constant reboots?


    I have been out of touch and just came across this post.  My guess is that your analysis is exactly correct.  Some time sensitive routine inside the Orbi RBRE960 periodically uses ICMP to verify that "something" is there on the WAN interface.  i.e., it is "connected".  It is fairly clear that the physical Ethernet connection being "up" is not enough.  I would venture to guess that the Orbi is looking for either:

    • The device which assigned an IP address to the Orbi using DHCP, or
    • Some specific resource on the internet, such as a DNS server or even Netgear itself.

    "Oh, crap. The DHCP server that gave me an IP is no longer "THERE". I better start over."

     

    This would not happen when the Orbi is in router mode because Orbi can function perfectly well as a stand-alone network with no connection to the outside world.  (Not particularly useful to most of us, but adequate for specific needs.)

     

    Notice on the web admin Basic tab, the option to "Test" the internet connection:

     

    How about using the pfSense to capture traffic from the Orbi WAN port.  This would reveal what the Test function is doing (in router mode), and might also reveal what address the Orbi is attempting to Ping in Access Point mode.

     

     

    • F_V
      Luminary

      Well, I haven't generated a .pcap capture but even with pfTop on the firewall you can see the Orbi (in AP Mode) 192.168.2.2 CONSTANTLY pinging the firewall 192.168.1.1, seems to be at a rate of between every 1 or 2 seconds.

       

      Topology is cable modem LAN port plugged into pfSense WAN port, then pfSense LAN port plugged into unmanaged network switch, then network switch plugged directly into Orbi WAN port.  The switch has many other items plugged into it as well, however none of these items are pinging the pfSense.  As soon as I tell pfSense not to respond to the pings, immediate and repeated restarts of the Orbi.

       

       

      • This looks pretty clear (to me).  Orbi engineers wanted some mechanism to validate that "something is out there" and decided to Ping the device that assigned its IP address with DHCP. The standard DHCP process does not typically include further connections until half of the lease time has expired.  With typical lease times being 86,400 seconds (one day), that would be a long time.  This conjecture could be validated by changing the DHCP server (temporarily) to a different IP and watching to see if the Orbi begins to Ping that host instead of the pfSense itself.

         

        My guess is that the issue is resolved:

        no ICMP response means "No Network".

         

        Very creative experiment.
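
The capture suggested in this thread can be summarized with a short script. The following is an added example, not code from any poster or from Netgear: it assumes text output from `tcpdump -tt -n icmp` taken on the firewall's LAN interface, and the sample lines are constructed, using the two addresses mentioned in the thread. It reports, per pinger and target, how often echo requests are sent and how many went unanswered.

```python
import re
from collections import defaultdict
from statistics import median

# Matches `tcpdump -tt -n icmp` text output (epoch timestamps, no name resolution).
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def summarize(lines):
    """Per (pinger, target): request count, unanswered count, median interval (s)."""
    requests = defaultdict(dict)   # (src, dst) -> {(id, seq): timestamp}
    answered = defaultdict(set)    # (src, dst) -> {(id, seq)} that got a reply
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore anything that is not an ICMP echo line
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            requests[(m["src"], m["dst"])][key] = float(m["ts"])
        else:
            # A reply travels target -> pinger, so swap the pair back.
            answered[(m["dst"], m["src"])].add(key)
    report = {}
    for pair, sent in requests.items():
        times = sorted(sent.values())
        gaps = [b - a for a, b in zip(times, times[1:])]
        report[pair] = {
            "requests": len(sent),
            "unanswered": len(set(sent) - answered[pair]),
            "median_interval_s": round(median(gaps), 3) if gaps else None,
        }
    return report

# Constructed sample: two answered pings, then two dropped by a block rule.
SAMPLE = """\
1687430400.000000 IP 192.168.2.2 > 192.168.1.1: ICMP echo request, id 4660, seq 1, length 64
1687430400.000400 IP 192.168.1.1 > 192.168.2.2: ICMP echo reply, id 4660, seq 1, length 64
1687430401.500000 IP 192.168.2.2 > 192.168.1.1: ICMP echo request, id 4660, seq 2, length 64
1687430401.500300 IP 192.168.1.1 > 192.168.2.2: ICMP echo reply, id 4660, seq 2, length 64
1687430403.000000 IP 192.168.2.2 > 192.168.1.1: ICMP echo request, id 4660, seq 3, length 64
1687430404.500000 IP 192.168.2.2 > 192.168.1.1: ICMP echo request, id 4660, seq 4, length 64
"""

if __name__ == "__main__":
    for pair, stats in summarize(SAMPLE.splitlines()).items():
        print(pair, stats)
```

A run of unanswered requests from one device at a steady interval, followed by a gap while it restarts, is the pattern the thread describes.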