NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

Allen_non's avatar
Allen_non
Aspirant
Aug 05, 2025

Netgear router models are RAX45-100NAS and RAX54-100NAS

Hi, Allen_non here.  I'm a competent computer user, also able to set up MAC filtering, and similar level operations on routers, but am lost in the weeds when it comes to ports, channels, etc inside t...
rax54
CrimpOn's avatar
CrimpOn
Guru - Experienced User
Aug 05, 2025

Whatever is being detected by the two Netgear routers is either:

  • Originating in the Arris router (192.168.1.254), or is
  • Passing through the Arris router,or is
  • Originating from another device connected to the RAX router (i.e. [DoS attack: NetBiosReplyDrop] from source 10.0.0.3,port 137] )
    For these, the first step is to identify what devices has IP 10.0.0.3 and why some other device would be attempting to connect to it with NetBios.

Both the Arris and the Netgear routers use Network Address Translation (NAT) which results in devices "upstream" of the router seeing packets originating from only one IP address.

https://en.wikipedia.org/wiki/Network_address_translation

In this case, there is one "Double NAT" and one "Triple NAT".

 

Thus, the Arris sees only two devices connected directly to it:

  • IP 192.168.1.121 (the RAX45), and
    (the R7000 and devices connected to it appear to the Arris as 192.168.1.121 with port numbers created by NAT.)
  • IP 192.168.1.xxx (the RAX54)

It would be interesting to know if the Arris router has a Firewall feature similar to the RAX.  i.e. does the Arris "log" suspicious packets.  If it does, then one would expect to observe similar records on the Arris that will correspond with the events in the RAX log.

 

When someone "out there" in the internet is messing around, they have only the public IP address (the Arris).  There would be no obvious way to figure out what port number to use to hack at the RAX45 or the RAX54.

 

I have a suspicion that some devices connected to the RAX45 and RAX54 have opened connections to their "cloud service" and that the cloud is attempting to communicate by sending packets to the Arris IP address with the port number that has been created (by "Double NAT" - one NAT by the RAX45, a second NAT by the Arris) and that the RAX45 is falsely detecting those as attacks.

 

The way Netgear router firewalls are supposed to work is: when packets arrive at the firewall:

  • If they are addressed to an existing open connection created by a device connected to the router, they are accepted by the router, the IP address & port are changed by the NAT process to match the desired device, and they are sent through the network to that device.
  • If they are addressed to the public IP address and match a Port Forwarding rule, they are send through the network to the internal IP address matching that rule.
  • If they are not addressed to an existing connection and they do not match a Port Forwarding rule, they are simply rejected.  The firewall may "log" them, but they go nowhere.

My assumption is that the Arris would have a similar firewall.