AEtherScythe
Apr 25, 2021, Aspirant
Nighthawk MR60 spying on my Internet usage
I installed a new Nighthawk AX1800 WiFi 6 Mesh System only to find that it is now the top user of DNS in my network and it's looking up the hostname of every IP any of my devices visit on the interne...
AEtherScythe
Apr 26, 2021, Aspirant
Did anyone notice all the reverse IP lookups it's doing? Bunch of cloudflare sites in addition to a ton of other lookups.
I need to turn off whatever is causing so many DNS lookups because the network is being provided via a Nighthawk LAX20 over LTE and I can't have all this gratuitous traffic being generated by the MR60. It's costing me too much data on Verizon.
Clearly the MR60 isn't doing the lookups for no reason, it must also be connecting to the various sites.
At first I thought it might be the Anywhere Connect, opening sessions out through the LAX20 + Verizon double NAT to Cloudflare infrastructure, so that the Nighthawk app can get back through the double NAT to reach the MR60, but I have the Anywhere Connect turned off, so it shouldn't be doing that.
The MR60 is the most active device on the network. It's ridiculous that a router that isn't even serving as a router would be the most active device on my network. :-(
I ultimately blocked the MR60's ability to reach port 53 on my pi-hole DHCP+DNS server a la (where 12.168.1.2 is the MR60 via DHCP reservation):
$ sudo /sbin/iptables -A INPUT -s 192.168.1.2 -i eth0 -p udp -m state --state NEW -m udp --dport 53 -j DROP
$ sudo /sbin/iptables -A INPUT -s 192.168.1.2 -i eth0 -p tcp -m state --state NEW -m tcp --dport 53 -j DROP
Now the MR60 is no longer the most active client using my Verizon LTE data. But this is not a perfect solution.
I want the router to be able to check for firmware automatically. It can't do that if it can't use DNS.
I just need to shut down whatever is doing all the gratuitous lookups and related traffic.
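One way to confirm which client is generating the reverse lookups described in this post, as an added example that is not part of the original thread: a small Python script that parses pi-hole (dnsmasq) query log lines, counts queries per client, and flags clients whose traffic is dominated by PTR (reverse IP) lookups. The log lines and the 192.168.1.x addresses below are constructed sample data, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in pi-hole (dnsmasq) log format; not a real capture.
SAMPLE_LOG = """\
Apr 26 10:00:01 dnsmasq[512]: query[PTR] 2.172.168.104.in-addr.arpa from 192.168.1.2
Apr 26 10:00:01 dnsmasq[512]: query[PTR] 1.1.1.1.in-addr.arpa from 192.168.1.2
Apr 26 10:00:02 dnsmasq[512]: query[A] www.netgear.com from 192.168.1.2
Apr 26 10:00:02 dnsmasq[512]: query[PTR] 3.172.168.104.in-addr.arpa from 192.168.1.2
Apr 26 10:00:03 dnsmasq[512]: query[A] example.com from 192.168.1.20
Apr 26 10:00:03 dnsmasq[512]: query[AAAA] example.com from 192.168.1.20
Apr 26 10:00:04 dnsmasq[512]: query[PTR] 4.172.168.104.in-addr.arpa from 192.168.1.2
Apr 26 10:00:05 dnsmasq[512]: reply example.com is 93.184.216.34
"""

# Matches only client query lines; reply/cached/forwarded lines are skipped.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def summarize(log_text):
    """Return {client: {"total": n, "ptr": n, "names": set()}} from dnsmasq query lines."""
    stats = defaultdict(lambda: {"total": 0, "ptr": 0, "names": set()})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        entry = stats[m["client"]]
        entry["total"] += 1
        if m["qtype"] == "PTR":
            entry["ptr"] += 1
        entry["names"].add(m["name"])
    return dict(stats)


def top_talkers(stats, n=5):
    """Clients ordered by total query count, busiest first."""
    return sorted(stats, key=lambda c: stats[c]["total"], reverse=True)[:n]


def noisy_reverse_lookup_clients(stats, min_queries=3, ptr_share=0.5):
    """Clients whose query volume is dominated by reverse (PTR) lookups (thresholds assumed)."""
    return [c for c, s in stats.items()
            if s["total"] >= min_queries and s["ptr"] / s["total"] >= ptr_share]


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for client in top_talkers(stats):
        s = stats[client]
        print(f"{client}: {s['total']} queries, {s['ptr']} PTR")
    print("suspect reverse-lookup clients:", noisy_reverse_lookup_clients(stats))
```

On a real pi-hole, feed it the contents of /var/log/pihole.log (or pihole.log.1) instead of SAMPLE_LOG.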
Razor512
Apr 26, 2021, Prodigy
So far the images are not loading and the reddit post has no images.
- Razor512, Apr 26, 2021, Prodigy
Wanted to also add that some netgear products will do OUI lookups in order to provide more relevant information on the attached device list, which functions even when a device is in AP mode.
While none of the images are working yet, are you able to do a packet capture of the lookups it is doing to see what data is actually being sent and received?
Aside from that you will occasionally see traffic to one of the Netgear update servers when it checks for firmware updates. If you want to block all of those functions, you can keep it in router mode, and assign it a static IP for the web UI, disable its DHCP server, and then connect it to your main router via a LAN to LAN instead of LAN to WAN, then all of those requests will effectively be sent to a physical Ethernet port that has no connection.
Wanted to also add, if it supports the Netgear Armor service then the processes associated with it will remain partially active in performing various lookups on devices that connect to the network in order to deliver mobile alerts to the nighthawk app.
- AEtherScythe, Apr 26, 2021, Aspirant
Hi, Razor512.
I wanted to ask for clarification on your earlier insights.
If I switch from AP to regular/router mode, and switch the physical connection and DHCP reservation for LAN to LAN instead of LAN to WAN, turn off DHCP, and all other unwanted services, does that effectively block all of the things you mentioned?
1) OUI lookups in order to provide more relevant information on the attached device list
2) Connections to Netgear update servers to check for firmware updates
3) Netgear Armor lookups -> alerts to Nighthawk app
And another I don't need:
4) Connections to Netgear for Nighthawk app, "Anywhere Connect" tunneling (which I've already disabled anyway, but at this point I trust nothing about what this router claims to be doing and not doing).
I need a complete solution, for turning those things off. I'm not using the Nighthawk since it can do next to nothing for me re: the advanced settings I need for my configuration.
I have no interest in paying money to Verizon for gratuitous traffic going to Netgear and related cloudflare infrastructure.
Thanks for your help so far. I appreciate it.
- Razor512, Apr 26, 2021, Prodigy
When you do a LAN to LAN setup (requires you to change the LAN IP of the router, e.g., if it is 192.168.1.1, change it to something else in the same range, e.g., 192.168.1.10 or anything not being used).
Then disable DHCP on the MR60. After disabling the DHCP server, then do a LAN to LAN connection, and it should still work pretty seamlessly.
All WAN directed stuff should stop at that point, though certain LAN facing items will still be present, such as when it scans for devices on the LAN as the attached devices list will still work, it just won't be able to grab additional info from the WAN.
Only downside is that you will no longer get automatic firmware updates, and the manual check will also fail, thus updating will require you to go to https://www.netgear.com/support/download/ and manually download updates and install them.
- AEtherScythe, Apr 26, 2021, Aspirant