NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

jtmtech's avatar
jtmtech
Aspirant
Sep 30, 2025

Device blocking does not work on 870

I have an 870 system with router firmware V10.5.20.4_1.3.5. Device blocking does not work properly. The only time it worked is when I set a device to be blocked and happen to restart the router. When...
orbi 870 series
CrimpOn's avatar
CrimpOn
Guru - Experienced User
Oct 01, 2025
StephenB wrote:

Note the NAS and PC I was using were both connected via switches, so it is likely that the switches still had the NAS in their MAC tables. Still, the NAS should not have gotten the IP address back when it rebooted.

I have observed this on other Orbi models.  My impression is that Netgear's implementation of Access Control does not match our human expectation.  i.e.

  • Access Control does not prevent connection.  It prevents traffic flow through the router.  Thus
    o A wired device will still receive an IP through the DHCP process, and
    o A WiFi device can still complete a WiFi "connection" and receive an IP address, but
  • Any communication that passes through the router will be blocked.
  • Any communication that does not pass through the router because it is confined to the level 2 Ethernet switches will continue.
  • Thus a PC wired to the router can communicate with a wired NAS that is connected to the router (even through switches), but
  • If one of the devices is 'wired' to a satellite, that will force the traffic to flow through the router, which will block it.

As evidence, consider the Access Control table.  When a device appears in the table with the label "Blocked", does it display an IP address?

  • StephenB's avatar
    StephenB
    Guru - Experienced User
    Oct 01, 2025
    CrimpOn wrote:

    Netgear's implementation of Access Control does not match our human expectation.

     

    It's clearly not the normal MAC address implementation, since it does allow connection. It is apparently just doing layer 2 filtering.

     

    I haven't tried "block all new devices from connecting", I guess that might be more aligned with what I expect.  One would hope that adds admission control to the filtering.

     

    Still, the help text says

    When a device is blocked, it would only be able to get an IP address from your router, but it won't be able to communicate with other devices, nor it would be able to connect to the Internet.

    That is definitely not the case with the 870 (based in my wireless iPad test).  I don't know about other models, since this is not a mechanism I've ever used.

     

    I do understand the limitations with wired - local streaming isn't disrupted on my network even when I turn the router off.  Layer-2 forwarding is enough to keep all the wired stuff working.  But I had expected that the router wouldn't give the NAS an IP address when I rebooted the NAS.