

Allen_non
Aspirant
Aug 05, 2025

Netgear router models are RAX45-100NAS and RAX54-100NAS

Hi, Allen_non here.  I'm a competent computer user, also able to set up MAC filtering, and similar level operations on routers, but am lost in the weeds when it comes to ports, channels, etc inside the guts of router magic.

 

I have a similar situation as So-Tired. 

 

Set-up:

ISP is ATT fiber, going to a provided ATT router.  The ATT router "feeds" my 2 Netgear routers via ethernet.  Netgear router models are RAX45-100NAS and RAX54-100NAS.

 

On the RAX45, I have my office desktops and similar more secure devices, most connected via ethernet, very few wifi connections.  

 

On the RAX54, I have all my smart switches, wifi cameras, thermostats, etc.  

 

Both routers are pretty well locked down, with MAC filtering only allowing addresses already programmed into the router's device list.

 

All routers are set to automatically update their firmware, and I did verify that all are up to date.

 

As for other router settings, I don't change much if I don't understand the magic behind the setting, so things are fairly stock.  

 

 

Narrative:

Starting about 6 weeks ago, every Tuesday at 12:26 PM, my wifi drops on both Netgear routers.  The ATT router still has internet connection, which I can access by switching my phone to the ATT router wifi.

 

Rebooting the Netgear routers restores their connection, and afterwards everything runs fine.  Until the next Tuesday.

 

I pulled the logs from the NG routers and right at the time of signal loss, there are about 300 log lines of attack descriptions.  Examples from today's attack (Tuesday 05-Aug) are:

 

[DoS attack: Fraggle Attack] from source UNKNOWN,port 68 Tuesday, Aug 05, 2025 11:29:52

[DoS attack: NetBiosReplyDrop] from source 10.0.0.3,port 137 Tuesday, Aug 05, 2025 11:29:49

[DoS attack: TCP SYN Flood] from source 192.168.1.254,port 38200 Tuesday, Aug 05, 2025 16:23:37

 

The vast majority of the lines are the TCP SYN Flood.

 

I also have an old NG R7000 that is connected by ethernet to my RAX45 in my office.  I use it to segregate my 3D printer from any other routers.  My 3DP is turned off, only on when I'm actively printing.  But, I use my phone to access the R7000 to see if it still has internet connection during these attacks, and it stays connected.

 

 

I can do a brute force fix by putting a timer on each router that cuts/ restores power around 12:30P every Tuesday to reboot the NG routers, but that is not really a fix.

 

Thanks in advance for any guidance you can provide.

 

~ Allen

 

 

13 Replies

  • Hi NetGear Community,

     

    Allen_non here.  I am a competent computer user, mechanical engineer, etc, so I can interact with my routers, but I don’t understand the “deep magic”, ie port forwarding, bridges, channels, etc.  As such, I leave settings as factory default if I don’t know what they do.  I do have all my routers set for MAC filtering to block any devices whose MAC addresses are not recorded in the Approved Device List.

     

    I believe I’m encountering a very similar issue as “So_tired”.

     

    Issue:

    After running fine for several years, about 6 weeks ago, my 2 Netgear routers lose internet connection regularly and precisely every Tuesday around 12:25 PM EDT (daylight saving time).  At that time, our NG routers lose internet and have to be rebooted to fix.  I have not waited for extended times to see if they recover on their own, as several family members work from home and need the connection restored pronto.

     

    When I checked the router logs, they show several hundred entries starting around 12:25 PM.  A few sample lines read:

     

    [DoS attack: Fraggle Attack] from source 192.168.1.254,port 67 Tuesday, Aug 05, 2025 11:29:53

    [DoS attack: NetBiosReplyDrop] from source 10.0.0.3,port 137 Tuesday, Aug 05, 2025 11:29:47

     

    whereas the vast majority of lines read :

    [DoS attack: TCP SYN Flood] from source 192.168.1.254,port 38200 Tuesday, Aug 05, 2025 16:23:37

     

    Set up:

    ISP is ATT fiber going to ATT provided router (Arris BGW210).   Arris “feeds” via ethernet my two NetGear routers, RAX45-100NAS  and RAX54-100NAS.  All 3 routers update their firmware automatically, and I recently verified they are all up to date.

     

    I have very little running on the Arris.  It supplies connection to the Netgears.  I can access it via wifi or ethernet for checking settings, etc, but I generally just use it as “gateway”.

     

    Netgear RAX-45 is used for home office, connecting 2 desktops via ethernet, and a couple of laptops via wifi.  Other than that, I keep extraneous devices off this router.

     

    RAX-54 is in our living room and networks all our various devices such as smart switches, thermostats, wifi cameras, phones, etc.

     

    Note:  I have one old Netgear R7000 router that is connected to RAX-45, that connects to our Ooma VOIP box and a 3D printer that is only on when I’m printing.  Even while the RAX-45 seems to lose connectivity, the R7000 seems to maintain its connection.

     

    I have no idea how to fix this, and appreciate any help you all have.  I’d rather not have to buy 2 new routers.  Nothing has materially changed in the last 6 weeks that I can think of.  All routers have been rebooted several times.  I can get you .cfg files and or log files if that will help.  Thanks in advance!

    ~Allen

  • CrimpOn
    Guru - Experienced User

    Both the RAX45 and the RAX54 are in 'router mode', correct?  (the default)

    The Arris router has assigned IP addresses to the RAX45 and RAX54 in the 192.168.1.x IP subnet?

    Both the RAX45 and the RAX54 have created local networks using the 10.0.0.x subnet?

     

     

  • Hi, yes, both 45 & 54 are in router mode.  I'm pretty sure the Arris is assigning the IP addresses.  I know one of the Log entries I referenced above indicates the TCP SYN Flood is from source 192.168.1.254.  How would I check that?

     

    I can confirm that both the 45 & 54 are assigning local IP's in the 10.0.0.x subnets.

     

    Your profile pic looks a lot like my orange & white manx.  One of the best friends I've ever had.

  • (I replied earlier but my reply seems to have been dropped.  Sorry if this gets duplicated) 

     

    Hi, yes, both are in router mode.  As far as I know, the Arris is assigning the IPs to the Netgears.  On the "Internet" tab for the RAX45, it is showing "Get Dynamically from ISP" selected, with IP 192.168.1.121, and Gateway IP of 192.168.1.254.   I'd have to log in to the RAX 54 to verify its properties, but I'm pretty sure it's set up the same way.

     

    Incidentally, the log indicates that "[DoS attack: TCP SYN Flood] from source 192.168.1.254, port 38200" with many more lines showing many other ports.

     

    I can confidently say both NG routers are generating device IP addresses in the 10.0.0.x subnet.

     

    The profile pic of your cat reminds me of my orange/ white Manx cat.  One of the best friends I've ever had on 4 legs or 2 legs.

  • CrimpOn
    Guru - Experienced User

    Whatever is being detected by the two Netgear routers is either:

    • Originating in the Arris router (192.168.1.254), or is
    • Passing through the Arris router, or is
    • Originating from another device connected to the RAX router (i.e. [DoS attack: NetBiosReplyDrop] from source 10.0.0.3,port 137)
      For these, the first step is to identify what device has IP 10.0.0.3 and why some other device would be attempting to connect to it with NetBios.

    Both the Arris and the Netgear routers use Network Address Translation (NAT) which results in devices "upstream" of the router seeing packets originating from only one IP address.

    https://en.wikipedia.org/wiki/Network_address_translation

    In this case, there is one "Double NAT" and one "Triple NAT".

     

    Thus, the Arris sees only two devices connected directly to it:

    • IP 192.168.1.121 (the RAX45), and
      (the R7000 and devices connected to it appear to the Arris as 192.168.1.121 with port numbers created by NAT.)
    • IP 192.168.1.xxx (the RAX54)

    It would be interesting to know if the Arris router has a Firewall feature similar to the RAX.  i.e. does the Arris "log" suspicious packets.  If it does, then one would expect to observe similar records on the Arris that will correspond with the events in the RAX log.

     

    When someone "out there" in the internet is messing around, they have only the public IP address (the Arris).  There would be no obvious way to figure out what port number to use to hack at the RAX45 or the RAX54.

     

    I have a suspicion that some devices connected to the RAX45 and RAX54 have opened connections to their "cloud service" and that the cloud is attempting to communicate by sending packets to the Arris IP address with the port number that has been created (by "Double NAT" - one NAT by the RAX45, a second NAT by the Arris) and that the RAX45 is falsely detecting those as attacks.

     

    The way Netgear router firewalls are supposed to work is: when packets arrive at the firewall:

    • If they are addressed to an existing open connection created by a device connected to the router, they are accepted by the router, the IP address & port are changed by the NAT process to match the desired device, and they are sent through the network to that device.
    • If they are addressed to the public IP address and match a Port Forwarding rule, they are sent through the network to the internal IP address matching that rule.
    • If they are not addressed to an existing connection and they do not match a Port Forwarding rule, they are simply rejected.  The firewall may "log" them, but they go nowhere.

    My assumption is that the Arris would have a similar firewall.
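The three possible origins listed in the reply above can be tallied straight from a saved router log. The following is an added example, not code from the thread or from Netgear: it parses lines in the format the poster quoted and groups them by origin, attack type and busiest minute. The gateway address 192.168.1.254 and the 10.0.0.x LAN come from the thread; the sample log itself is constructed.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the log format quoted in the thread (not the poster's log).
SAMPLE_LOG = """\
[DoS attack: Fraggle Attack] from source UNKNOWN,port 68 Tuesday, Aug 05, 2025 11:29:52
[DoS attack: NetBiosReplyDrop] from source 10.0.0.3,port 137 Tuesday, Aug 05, 2025 11:29:49
[DoS attack: TCP SYN Flood] from source 192.168.1.254,port 38200 Tuesday, Aug 05, 2025 16:23:37
[DoS attack: TCP SYN Flood] from source 192.168.1.254,port 38214 Tuesday, Aug 05, 2025 16:23:37
[DoS attack: TCP SYN Flood] from source 192.168.1.254,port 38230 Tuesday, Aug 05, 2025 16:23:38
some unrelated log line that is not a DoS entry
"""

LINE_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] from source (?P<src>[^,\s]+),\s*port (?P<port>\d+)"
    r"\s+(?P<ts>\w+, \w+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})"
)
TS_FORMAT = "%A, %b %d, %Y %H:%M:%S"


def parse_log(text):
    """Return one dict per DoS entry; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({
            "kind": m["kind"],
            "src": m["src"],
            "port": int(m["port"]),
            "time": datetime.strptime(m["ts"], TS_FORMAT),
        })
    return events


def classify(src, gateway, lan):
    """Map a logged source to where it sits relative to this router."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:          # e.g. the literal "UNKNOWN" the router logs
        return "unknown"
    if ip == gateway:
        return "upstream-gateway"   # the router's WAN-side gateway (Arris in the thread)
    if ip in lan:
        return "lan-device"         # a client on this router's own LAN
    return "other"


def summarize(events, gateway="192.168.1.254", lan="10.0.0.0/24"):
    """Count entries by origin and type, and find the minute with the most entries."""
    gw = ipaddress.ip_address(gateway)
    net = ipaddress.ip_network(lan)
    per_minute = Counter(e["time"].replace(second=0) for e in events)
    return {
        "by_origin": Counter(classify(e["src"], gw, net) for e in events),
        "by_kind": Counter(e["kind"] for e in events),
        "busiest_minute": per_minute.most_common(1)[0] if per_minute else None,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(key, value)
```

Run against a full saved log, the `by_origin` split shows whether the entries are attributed to the upstream gateway or to a LAN client, and `busiest_minute` can be compared with the time the connection dropped.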

     

     

     

  • CrimpOn, thanks for your help with this!  How you can read someone else's network woes and make sense of it is quite impressive!

     

    I do know that the 10.0.0.3 is my work laptop that I was using today to monitor the office router (RAX-45) logs looking for the precise moment the DoS attack began.  It is set up by my employer's IT group, and should be pretty secure.

     

    However, on prior Tuesdays when this occurs (always around 12:25pm), I have been at work, so my work laptop could not possibly have been part of the equation for those days.

     

    I have had similar thoughts that maybe one of my wifi devices was communicating on its own volition to the "cloud", but none of those devices are connected to my office router RAX45.  All those devices (smart thermostat, smart switches, phones, Roku, etc) are all on the living room router (RAX54) for that very reason.  I wanted to keep any "sketchy" wifi devices away from my secure ones by keeping on separate routers.

     

    I'll check my Arris to have a look at its firewall.  Can you tell me what I should be looking for?

     

    Also, the fact that both Netgear routers go down at the same time, same day, every week is intriguing to me.  It would seem there is some sort of schedule involved.  That first led me to check the firmware updates, in case the updates are sent out at 12:20 pm every Tuesday and my routers stumbling on the update.  But, they are all up to date, as is my Arris.  My thermostats and cameras do communicate their data thru the router to the cloud, I guess, but again, they are on RAX54, so shouldn't affect RAX45 I would think.

     

    I'm already learning from you, and though this isn't sorted yet, I very much appreciate your help!  Let me know what info you need from me.  I can get you router .cfg files, router event logs, etc.

     

    Thanks,  Allen

     

     

  • CrimpOn
    Guru - Experienced User

    I am not familiar with the RAX router web interface.  (and, I'm too cheap to buy one)  On Orbi systems, there is an "Advanced Tab" that shows information about the WAN interface, specifically when the router received an IP address from the upstream router, how long the lease was for, and when it will expire.

     

    My ISP (Spectrum) assigns my Orbi router an IPv4 lease for 86,400 seconds (one day) and an IPv6 lease for 604,800 seconds (one week).  If the router follows the DHCP protocol correctly, it will seek to renew the IPv4 lease in 12 hours and the IPv6 lease in 3 1/2 days.  (I have verified this by observing the Ethernet link between Orbi router and Spectrum modem.)

     

    Can you provide more detail about what happens every week.  i.e.

    • Both routers (RAX45 and RAX54) stop broadcasting their WiFi signals
    • What happens to devices that are 'wired' to those two routers?

    By chance is IPv6 enabled or disabled on these routers?
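The lease arithmetic in the reply above can be checked against a list of outage times. The following is an added example, not code from the thread: it uses the DHCP default timers from RFC 2131 (renew at 50% of the lease, rebind at 87.5%) and counts how many outages fall near a renewal and how many renewals passed with no outage. The lease start time and the 14-day lease are constructed assumptions; the outage times follow the "Tuesday around 12:26" pattern described in the thread.

```python
from datetime import datetime, timedelta


def lease_timers(obtained, lease_seconds):
    """Renew (T1), rebind (T2) and expiry times for one lease, RFC 2131 defaults."""
    return {
        "renew_t1": obtained + timedelta(seconds=lease_seconds * 0.5),
        "rebind_t2": obtained + timedelta(seconds=lease_seconds * 0.875),
        "expires": obtained + timedelta(seconds=lease_seconds),
    }


def renewal_schedule(obtained, lease_seconds, until):
    """Renewal times up to `until`, assuming every T1 renewal succeeds
    and restarts the lease, so renewals repeat every lease/2."""
    step = timedelta(seconds=lease_seconds / 2)
    times, t = [], obtained + step
    while t <= until:
        times.append(t)
        t += step
    return times


def correlate(outages, obtained, lease_seconds, tolerance=timedelta(minutes=10)):
    """Compare outage times with the renewal schedule of a given lease length."""
    renewals = renewal_schedule(obtained, lease_seconds, max(outages) + tolerance)
    matched = [o for o in outages
               if any(abs(o - r) <= tolerance for r in renewals)]
    quiet = [r for r in renewals
             if not any(abs(o - r) <= tolerance for o in outages)]
    return {
        "outages_matched": len(matched),
        "renewals_total": len(renewals),
        "renewals_without_outage": len(quiet),
    }


# Constructed inputs: three consecutive Tuesdays at 12:26, lease obtained
# on the Tuesday before at 12:25 (hypothetical value, read it from the router).
OUTAGES = [datetime(2025, 7, 22, 12, 26),
           datetime(2025, 7, 29, 12, 26),
           datetime(2025, 8, 5, 12, 26)]
LEASE_OBTAINED = datetime(2025, 7, 15, 12, 25)

if __name__ == "__main__":
    for label, seconds in [("1 day", 86_400), ("7 days", 604_800),
                           ("14 days", 1_209_600)]:
        print(label, correlate(OUTAGES, LEASE_OBTAINED, seconds))
```

A lease length only explains a weekly pattern if outages match renewals and few renewals pass quietly; with a one-day lease every outage lines up with a renewal, but so do dozens of uneventful ones.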

     

     

     

     

     

    • Allen_non
      Aspirant

      Hi CrimpOn,

      Sorry, I've had work & house stuff to deal with.

       

      So, here is a map of my network.  ATT fiber thru OTN, to ATT Arris router.

       

      From the ATT router, there are ethernet lines to:

                - Netgear router RAX45 (office)

                - 4-port switch, which feeds Netgear router R7000 and Ooma VOIP box.  (The R7000 provides wifi for my 3D printer only).

                - upstairs bonus room, but it is only used if/ when the Netgear wifi goes down.

                - Netgear router RAX 54 (living room)

       

       

      RAX45 (office) provides ethernet to Desktop Black, Desktop Red, and a network printer.

       

      RAX54 (living room) supplies ethernet to a Ring/ Eero router.  Also, all my wifi devices (cameras, smart plugs, thermostats, dehumidifiers, etc) are connected to this router.

       

      My rationale is to keep the office NG router very pristine, minimal IoT's, and let the living room NG router be the one that carries all the wifi IoT's. 

       

      All routers carry their individual SSID's, all use MAC filtered lists for devices.  SSID's and router access codes are changed from the MFR default codes.

       

      Other than that, I change very little, since beyond that I know that I don't know what I'm doing.

       

       

       

       

      This arrangement has worked very well for the past 2-3 years, when I added the RAX54.  Other than adding a camera or smart plug once in a while, nothing has changed.  I did verify the ATT and NG routers do automatic FW updates, and all are showing as UTD.

       

      What began this whole science project is about 6 weeks ago, on a Tuesday at 12:30pm, got a call at work from wife and son, who both WFH full time, that the internet was down.  From work, using my phone on mobile data, I was able to access my cameras, thermostats, basically all my IoT's.  Lacking any other immediate solutions, I had son switch to the ethernet in bonus room (from ATT router) and he was back on line immediately.   I had wife reboot both the Netgear RAX45 & RAX54, and once they finished the start up routine, she was back up on the RAX 45.

       

      The ATT router was not rebooted.  The Ooma VOIP box never lost connectivity.  Don't know about the R7000, since I was not 3D printing during this time.

       

      We were hoping this was just a one-off "glitch".

       

      Following Tuesday, almost same exact time, same thing happened.  Same rebooting process.  Same again the next 4-5 Tuesdays.

       

      Finally, Tuesday 29-July, I was WFH and watching for when this was going to happen again, and it was right on schedule.

       

      Once the wifi went down, as evidenced by no desktop or laptop connectivity, I took my android phone and did the following queries:

       

      (Turned off mobile data first)

       

      1- Put phone on ATT wifi- was able to access the internet with no issues.  Also able to see my cameras, operate T'stats, interact with smart plugs, no issues.

      2- Put phone on NG R7000 router-  same thing, able to access the internet with no issues.  Also able to see my cameras, operate T'stats, interact with smart plugs, no issues.

      3- Put phone on NG RAX 45 - Connected/ without internet- could not interact with any of the above IoT's.

      4- Put phone on NG RAX 54 - Connected/ without internet- could not interact with any of the above IoT's.

       

      So, it appears whatever is affecting the relatively newer RAX routers is not affecting my R7000, even though they both connect to the ATT router (unless the switch is doing something to filter the R7000).

       

      Also appears that my IoT's are able to get a path thru the routers to the internet, where as long as I can get internet access on my phone, I can operate them as normal.  Seems to be just getting a computer or phone to connect to internet thru these 2 routers that becomes the problem.

       

      Finally, rebooted both RAX 45, RAX 54, and ATT router.  All was fine until this latest Tuesday, 05-Aug.  Again, was waiting, logged in to the office RAX-45 on the admin/ logs page, all quiet until around 12:16 pm when DoS TCP SYN Flood attacks started being recorded, approx 300 lines before I lost internet connection on a browser I had open for testing.   I shut the router down and restarted.  Upon reboot, there were a few more log entries of the DoS, then everything quieted back down, and all was back to normal.

       

      Everything is running fine now, as of Friday 08-Aug, but pretty sure this next Tuesday, it will flare up again.  

       

      To answer one of your questions, when the router starts logging attacks, ethernet as well as wifi connectivity both drop off.  Any IoT's appear to remain connected if I get on another network that has connectivity, like mobile data or being at work.

       

      I will need to get back to you on whether IPv6 is enabled.  I'll check all my routers and get back to you later today or tomorrow.

       

      Sorry for the novel above, but I wanted to give you better than just half-answers....

       

       

       

       

  • CrimpOn
    Guru - Experienced User

    Great detail. Thanks.

     

    • All of these WiFi routers use the same WiFi credentials? (SSID/password), or are they different?
    • Eager to hear if IPv6 is enabled on the RAX routers.**
    • Can you access the management interface of the Arris router?  During these episodes, does the Arris have a way to display information about "connected devices"?
    • Because all three of your routers are connected to the Arris router, it should be possible for a computer connected to the R7000 to 'ping' the WAN interface of the two RAX routers.  (i.e. the IP address assigned to them by the Arris.)

    I have a suspicion that the "flood" is a result of the RAX routers not responding to the Fios router, causing the Fios to keep asking, "are you there?"

    https://en.wikipedia.org/wiki/SYN_flood  The flood may be a symptom of the underlying problem, not the cause.

     

    ** IPv6 appears to be a "hot topic" on the Forum these days.  I, personally, have had IPv6 enabled on my aging Orbi router with Spectrum for YEARS and never noticed any issues, but the Forum seems to have a lot of discussion about IPv6.  If it IS enabled on those RAX routers, maybe turning it off would be a useful experiment.

    • Allen_non
      Aspirant

      I've been able to verify that IPv6 is disabled on all 3 Netgear routers (RAX45, RAX54, and R7000). 

       

      The ATT Arris router was less intelligible:  I had to browse across several tabs to get the following:

               - "IPv4 set to preferred protocol"

       

               - Firewall status:      

                          - Packet Filter On

                          - IP Passthrough Off

                          - NAT Default Server Off

                          - Firewall Advanced On

       

      Whatever is going on, it appears to just be affecting the 2 "newer" NG routers, not affecting the older R7000, based on my testing during the Tuesday 29-July event.

       

      I do get the idea of the flood being a symptom, rather than the cause.  I ran a shields up test earlier today, connected to RAX 45 in my home office, and per their diagnostics, I was completely invisible.  I do think this is something internal rather than someone parked in my driveway trying to hack my network.

       

      I also plan to check tomorrow whether Netgear or ATT ran a FW update approx 6 weeks ago when this all started.  I'm wondering if a FW update could have introduced new "sensitivities" that get logged as attacks.

       

      In the same vein, I'm also wondering if I should turn off DoS logging in my NG routers.  I've read elsewhere that prolific DoS logging can consume router resources, which could cause the wifi to drop.  

       

      Unfortunately, my test window only appears to be on Tuesdays around 12:25 pm.....

       

      Let me know what else you need or need me to try...   again, much appreciate your help!!

       

       

  • Forgot to mention-  each router has unique SSID/ passwords, credentials, etc.

  • CrimpOn
    Guru - Experienced User

    Netgear router web management typically has a screen that displays the DHCP lease the router received from the network (how long it is and when it will expire). On the Orbi systems, this is on the Advanced tab.  (do not have an RAX)  Would be interested to see if the lease expiration has any relationship to Tuesday at 12:25

     

    Your intuition is correct that many users resolve "problems" by manually installing the previous firmware version.

     

    Both the RAX45 and the RAX54 updated firmware on 5/20/2025.  If this problem has become apparent since May 20, then it would be an interesting experiment to (a) manually install the previous firmware version on the router, and (b) set the router to NOT allow automatic firmware updates.  (many users have downgraded firmware only to find their router upgrade almost immediately.)

     

     

    • Allen_non
      Aspirant

      20-May-2025 could very well be when this all started.  Will have to debrief my family a little more intensively to see if they remember how far back this began.  I've been digging into the various tabs in both router user interfaces and haven't yet found anything on "lease expiration", but I will keep searching.

       

      I'll dig around the web management screens to see if I can find anything related to DHCP leases.

       

      Where do I find the firmware update dates, and previous firmware update files, so I can revert to an earlier firmware?

       

      I'll be out of town most of this coming week, but will get back to you once I get back.