Reposting here as a new idea, based upon recommendations from a separate discussion thread...
I am asking for a feature that selectively blocks inbound traffic that would otherwise be allowed, based on a set of IP address ranges. This is a standard feature in all commercial-grade firewalls, and it's used almost ubiquitously for a variety of reasons. It's all about defense in depth -- mitigating the effect of other weaknesses and holes.
One such use case has to do with uPnP. Practically speaking, since the uPnP service is enabled by default, inbound traffic is NOT effectively blocked by default. In today's homes, there are often one or more devices that will open up the LAN to inbound traffic via uPnP, when available. While I would argue that uPnP is a bad idea and should simply be disabled (at least by default), the ability to block inbound IP addresses would be useful in locking down uPnP without disabling it completely, especially if you could selectively block IP ranges by inbound service type.
It would also be useful if such a feature allowed specifying the IP addresses to be blocked both explicitly (as a range) and by consulting with some of the readily available blocklists. For example, some of the spamblocking lists are things like dialup networks, which as a class might be good to block, depending upon your needs. Also blocking by geographic region can be immensely helpful, as so many attacks originate in Russia and China.
There are many other good reasons for this feature, including to provide some protection against bugs in Netgear's code.
So, please consider adding this feature. It is much needed!
Thanks!
18 Comments
- jvaldes (Fledgling)
I agree completely with the above request, it would be a shame to have to use a public firmware to overcome the issue like Kong or Tomato. This should be a standard feature in this world of constant attacks by outside nations, I get hit by China, Russia and Brazil almost incessantly, and I don't travel there so they would be an easy block for me.
- chrisi359 (Aspirant)
I also agree that a feature should be introduced that blocks unwanted incoming traffic (or permits the traffic I choose) to open ports. I have a security camera system that requires ports be opened to access remotely. I should be able to permit traffic by IP or MAC address so that only my known devices get access. My last D-Link has this capability, but I chose to upgrade with Netgear not knowing my open ports would be so exposed.
- JasonN (NETGEAR Employee Retired)
Hi BillVE,
Thank you for submitting your idea on selectively blocking inbound traffic. Your idea will be reviewed for consideration. :]
- Jason N
- Cmeilahn (Onlooker)
This is becoming more of an issue with scans, DDoS and hack attempts increasing. It is available on other consumer routers, as well as third-party firmware for several Netgear routers. Let's get this feature implemented ASAP, please.
- BatteriesInc (Novice)
I have some clown continually trying to guess the password on my mail server. It would be good to block that IP address and stop his errors filling up the system logs.
- GrahamMills (Fledgling)
Hi
I have just bought an Orbi system and use the port forwarding for my NAS and some services.
Having some of these locked to specific IP addresses should be available in any port forwarding service as that allows traffic into a private network.
How likely is it that this will be implemented as I thought this feature would have been available.
Thanks
- stevefxp (Apprentice)
I would also like to see this. It gives us additional control that we do not have right now. Standard firewalls have this functionality, so if the Orbi is going to be viewed as a legitimate firewall then please add this in the next firmware rev. You already have much of the functionality available in Blocked Sites.
- DeMaat (Follower)
Customers really need this feature, definitely. Even if they currently don't realize it. I was just amazed to find out my new Netgear R7000 doesn't offer inbound traffic blocking at all. Wasn't expecting that of a premium home router by a premium brand. Now I'll need to find another solution to my problem -continuous inbound attacks- which seems to be loading public firmware. Something I prefer not to do, but it looks like I'm running out of options.
- sjmax23 (Aspirant)
Would be nice to block by country. Say China.. I too get hit by tons of incoming attacks and I don't want to have to keep creating static routes to nowhere.
- gbgarza (Fledgling)
I completely agree also! With another router I was able to limit a port forwarding rule to a specific external IP or range. With my new router that is no longer possible. Now if I set up a rule, I get attacked by tons of hackers trying to access my port forwarding rule. This is a major security oversight and I can't believe Netgear removed this feature from an older version of the router to the new routers! This isn't progress, this is a step backwards!!!!
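The filtering this thread asks for, modelled as an added example (not NETGEAR firmware code and not posted by any participant): a global blocklist plus a per-forwarded-port allow or block list of source ranges, evaluated for each new inbound connection. The ports, rule layout and function names are assumptions, and the addresses are constructed from the RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed sample policy (illustrative values only).
GLOBAL_BLOCK = ["198.51.100.0/24"]  # e.g. ranges imported from a blocklist
SERVICE_RULES = {
    # forwarded port -> (mode, source ranges)
    8000: ("allow", ["203.0.113.10/32", "203.0.113.64/26"]),  # camera: known hosts only
    25:   ("block", ["192.0.2.77/32"]),                       # mail: drop one abuser
}

def nets_of(ranges):
    """Parse CIDR strings and merge overlapping or adjacent ranges."""
    return list(ipaddress.collapse_addresses(
        ipaddress.ip_network(r) for r in ranges))

def compile_policy(global_block, service_rules):
    return {
        "global": nets_of(global_block),
        "services": {port: (mode, nets_of(ranges))
                     for port, (mode, ranges) in service_rules.items()},
    }

def decide(policy, src_ip, dst_port):
    """Return 'forward' or 'drop' for a new inbound connection."""
    src = ipaddress.ip_address(src_ip)
    rule = policy["services"].get(dst_port)
    if rule is None:
        return "drop"  # no port forward configured: default-deny inbound
    if any(src in net for net in policy["global"]):
        return "drop"  # global blocklist wins over any per-service rule
    mode, nets = rule
    hit = any(src in net for net in nets)
    if mode == "allow":
        return "forward" if hit else "drop"   # allowlist: only listed sources
    return "drop" if hit else "forward"       # blocklist: all but listed sources

POLICY = compile_policy(GLOBAL_BLOCK, SERVICE_RULES)

if __name__ == "__main__":
    for src, port in [("203.0.113.70", 8000), ("203.0.113.200", 8000),
                      ("192.0.2.77", 25), ("198.51.100.5", 25)]:
        print(src, port, decide(POLICY, src, port))
```

The allow mode matches the camera and NAS cases in the comments, where only known remote addresses should reach the forwarded port; the block mode matches the mail-server case.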