F_V
Jun 22, 2023, Luminary
Why does blocking ICMP cause constant Orbi reboots?
OK, I'll start this by saying please do not respond if you are only going to comment, "why do you care about ICMP, why are you blocking it, etc.". This is just an academic question from my own curio...
CrimpOn
Jun 30, 2023, Guru - Experienced User
F_V wrote:
My question is this: Why does this Orbi not allow you to block ICMP between the router and the firewall/gateway appliance? If I allow ICMP, it works as expected, but as soon as I block ICMP traffic, the Orbi just reboots constantly, making it impossible to connect for more than a few seconds. Does blocking ICMP tell the Orbi that it's offline and cause constant reboots?
I have been out of touch and just came across this post. My guess is that your analysis is exactly correct. Some time-sensitive routine inside the Orbi RBRE960 periodically uses ICMP to verify that "something" is there on the WAN interface, i.e., it is "connected". It is fairly clear that the physical Ethernet connection being "up" is not enough. I would venture to guess that the Orbi is looking for either:
- The device which assigned an IP address to the Orbi using DHCP, or
- Some specific resource on the internet, such as a DNS server or even Netgear itself.
"Oh, crap. The DHCP server that gave me an IP is no longer "THERE". I better start over."
This would not happen when the Orbi is in router mode because Orbi can function perfectly well as a stand-alone network with no connection to the outside world. (Not particularly useful to most of us, but adequate for specific needs.)
Notice on the web admin Basic tab, the option to "Test" the internet connection:
How about using the pfSense to capture traffic from the Orbi WAN port? This would reveal what the Test function is doing (in router mode), and might also reveal what address the Orbi is attempting to Ping in Access Point mode.
F_V
Jun 30, 2023, Luminary
Well, I haven't generated a .pcap capture but even with pfTop on the firewall you can see the Orbi (in AP Mode) 192.168.2.2 CONSTANTLY pinging the firewall 192.168.1.1, seems to be at a rate of between every 1 or 2 seconds.
Topology is cable modem LAN port plugged into pfSense WAN port, then pfSense LAN port plugged into unmanaged network switch, then network switch plugged directly into Orbi WAN port. The switch has many other items plugged into it as well, however none of these items are pinging the pfSense. As soon as I tell pfSense not to respond to the pings, immediate and repeated restarts of the Orbi.
- CrimpOn, Jun 30, 2023, Guru - Experienced User
This looks pretty clear (to me). Orbi engineers wanted some mechanism to validate that "something is out there" and decided to Ping the device that assigned its IP address with DHCP. The standard DHCP process does not typically include further connections until half of the lease time has expired. With typical lease times being 86,400 seconds (one day), that would be a long time. This conjecture could be validated by changing the DHCP server (temporarily) to a different IP and watching to see if the Orbi begins to Ping that host instead of the pfSense itself.
My guess is that the issue is resolved:
no ICMP response means "No Network".
Very creative experiment.
- FURRYe38, Jun 30, 2023, Guru - Experienced User
I remember seeing a similar thing happen after getting my 8 series. After NG pushed everyone to v4 from v3 FW and caused problems, I wanted to check to see if we could block certain auto update addresses. We could block but noticed that the RBR wouldn't work right or the front LED came on PINK and it lost internet services. Figured NG put something in the FW that if certain addresses were blocked, the RBR wouldn't work. Kinda creative to keep their services tied to operation. 🙄
- F_V, Jul 01, 2023, Luminary
I appreciate all the input, it's nice to see a forum where people actually help one another. While it is annoying to have 30k unnecessary pings a day in my firewall logs, I can just filter them out in the future. I did notice during some packet inspection that all of the Orbi satellites are also pinging the router, however blocking these doesn't seem to cause the Orbi to reboot for some reason, so I'll just leave those blocked.
Thanks everyone, see you all next time I have an obscure networking question.
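
The steady 1 to 2 second echo-request pattern described in this thread can be confirmed from firewall logs and told apart from one-off pings. The following is an added example, not code from the thread, Netgear or pfSense. It assumes the pfSense filterlog CSV field layout noted in the comments; the sample log lines, the host 192.168.1.50 and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed syslog prefix + pfSense filterlog CSV layout (0-based fields):
# 8 = IP version, 16 = protocol name, 18 = source, 19 = destination, 20 = ICMP type.
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ filterlog\[\d+\]: (.*)$")

# Constructed sample data. 192.168.2.2 (Orbi) and 192.168.1.1 (firewall) are the
# addresses from the thread; 192.168.1.50 is a made-up host sending a one-off ping.
_TMPL = ("Jun 30 10:00:{:02d} fw filterlog[1234]: "
         "5,,,1000000103,igb1,match,block,in,4,0x0,,64,1001,0,none,{}")
SAMPLE_LOG = "\n".join(
    [_TMPL.format(s, f"1,icmp,84,192.168.2.2,192.168.1.1,request,7,{i}")
     for i, s in enumerate([0, 2, 3, 5, 7, 9])]
    + [_TMPL.format(4, "1,icmp,84,192.168.1.50,192.168.1.1,request,9,1"),
       _TMPL.format(6, "6,tcp,60,192.168.1.50,192.168.1.1,51000,443,0,S,1,,64240,,")]
)

def parse_echo_requests(log_text, year=2023):
    """Yield (timestamp, src, dst) for each logged IPv4 ICMP echo request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = m.group(2).split(",")
        if len(f) < 21 or f[8] != "4" or f[16] != "icmp" or f[20] != "request":
            continue
        # Syslog timestamps carry no year, so one is supplied (assumption).
        yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), f[18], f[19]

def summarize(log_text, min_count=5, max_jitter=0.5):
    """Return {(src, dst): (count, median_gap_seconds, looks_periodic)}."""
    times = defaultdict(list)
    for ts, src, dst in parse_echo_requests(log_text):
        times[(src, dst)].append(ts)
    result = {}
    for pair, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps) if gaps else None
        # Keepalive-style traffic: enough samples, every gap close to the median.
        periodic = len(stamps) >= min_count and all(
            abs(g - med) <= max_jitter * med for g in gaps)
        result[pair] = (len(stamps), med, periodic)
    return result

if __name__ == "__main__":
    for (src, dst), (n, med, periodic) in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {n} echo requests, median gap {med}s, periodic={periodic}")
```

Pairs flagged as periodic are candidates for a narrow allow rule or a log-suppression filter, while non-periodic sources stay visible in the logs.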