Re: White Listing IP address

TeddyLu
Tutor

White Listing IP address

I have a WNDR3800 router that is connected to a modem provided by my ISP provider.

I'm currently trying to white list certain external inbound IP addresses so they can do a scan on my network for my business, but I cannot find that option anywhere or obviously stated within the setup menu after I log into my router.

Can anyone help guide me to the right path for this? I also have an EX6200 wifi extender that is connected to this router, would I also need to add the white listing of the same IP addresses on the set-up of the extender?

Currently the business that is trying to scan my network cannot detect my out-face public IP address, and this is causing me some issues.

Thanks!

Model: WNDR3800|N600 Wireless Dual Band Gigabit Router|EOL
Message 1 of 13
TheEther
Guru

Re: White Listing IP address

There is no option to whitelist inbound IP addresses. It wouldn't help. The NAT function performed by the router would get in the way.

Honestly, the idea of letting someone on the Internet do a scan on your home network sounds really sketchy. Are you sure they're legitimate?
Message 2 of 13
TeddyLu
Tutor

Re: White Listing IP address

Yes, I am sure. They're working with a trusted bank of mine. And we need them to get our IP detected or they're going to start to charge us extra for each month, which is a little bit absurd, but I'm trying to figure it out right now.

Is there really no way to go around about it?

Message 3 of 13
antinode
Guru

Re: White Listing IP address

> [...] Is there really no way to go around about it?

   It's possible that no one here knows what "do a scan on my network"
actually means, in which case, no one can tell you how to make it
possible.  (I certainly don't.)

   As previously stated, a NAT router generally blocks incoming
connections from the outside world, unless specific action is taken to
enable them.  But doing that requires more information than "do a scan
on my network".  If you can find out what that phrase actually means,
then there might be some hope.

Message 4 of 13
TeddyLu
Tutor

Re: White Listing IP address

I honestly wouldn't know myself as this scan is coming from them, or I would tell you exactly how it's done...I just need to know how to white list those IPs with the current router I have and that's about it.

Is there a way to modify the NAT feature to let outside communication come in specific to the IP's they requested or no. That's all I need to know.

Message 5 of 13
antinode
Guru

Re: White Listing IP address

> I just need to know how to white list those IPs with the current
> router I have and that's about it.

   I think that you need to know more than that.

> Is there a way to modify the NAT feature to let outside communication
> come in specific to the IP's they requested or no. That's all I need to
> know.

   No, you need to know what "outside communication come in" means.
Without such information, no accurate answer is possible.  If you want
to interpret that as "no", then you can do that.

Message 6 of 13
TeddyLu
Tutor

Re: White Listing IP address

@Case850

There is writing for this, however, it's as basic as you can get it. They just state to white list the IP addresses that scan originates from their server, no more, no less, and talking to their technical person has really been talking to a wall, since they don't know anything about how Netgear router works, which is why I'm here.

@antinode

Okay, since you guys are the experts, why don't you tell me what KIND of outside communication can be applied here, instead of telling me, "no, you need to find that out yourself." (I already contacted the company that the scan is coming from, and they just repeat the same answer of white listing the IPs)

I'm curious as to why I'm getting such vague and almost negative tone replies, from a question that I'm honestly trying to figure out. Yeah, my question may be vague due to the fact that I don't know any information on the Netgear router myself, but at least give steps on how to clear it up instead of saying, "find out yourself". Like explain how the NAT feature works in simple layman terms so I can understand what's going on, and if there is a way to modify that to let certain outside communication in, and what kind of communication.

All in all, I do appreciate you guys taking your time to reply, but just give me directions on how to make it easier for you to help me.

Message 7 of 13
antinode
Guru

Re: White Listing IP address

> [...] they don't know anything about how Netgear router works, which
> is why I'm here.

   It works the same as every other home/small-office router (made by
anyone) which uses NAT to allow multiple devices to share one public IP
address.  NAT allows multiple devices on the LAN to originate
connections to the outside world; it watches what goes out, and directs
replies from the outside world to the appropriate LAN device.

   Incoming connections require special handling, because you have only
one public IP address, so someone in the outside world has no way to
specify any particular device on your LAN (because, from the outside,
all your devices are seen as having the same public IP address).

   Other types of routers (or a non-NAT configuration of a NAT-capable
router) can expose individual LAN devices to the outside world, but that
would require your getting a larger block of public IP addresses from
your ISP, and a more sophisticated firewall to protect such exposed LAN
devices from a hostile outside world.  Many/most home/small-office users
don't want this kind of complexity and expense.

> Okay, since you guys are the experts, why don't you tell me what KIND
> of outside communication can be applied here, instead of telling me,
> "no, you need to find that out yourself."

   With my weak psychic powers, I know exactly nothing about what this
"scan" involves, that is, what they really want to do.  The fact that
the people whom you've asked know nothing doesn't mean that I know more.

   What I _can_ say is that this sort of Netgear router has no such
"white list" (and no "black list", either), because it normally does not
allow _any_ incoming connections.  It does have the ability to accept
specific kinds of incoming connections, but those must be enabled by
specific configuration options (such as port forwarding), which have
specific destinations.  There is, in general, no way to allow an
outside-world entity to poke around your LAN in unspecified ways through
a NAT router.

> I'm curious as to why I'm getting such vague and almost negative tone
> replies, [...]

   Perhaps because no one here knows what "do a scan on my network"
actually means.

> There is no option to whitelist inbound IP addresses. [...]

  So, you can't get what you requested.  It might be possible to get
something useful, but not without some actual information about what the
actual requirements are, and "do a scan on my network" is not good
enough.

> [...] explain how the NAT feature works [...]

   It's just possible that someone has already written something on that
subject.  Perhaps this new Inter-Web thing can help with that.

Message 8 of 13
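
Added example (not part of any post in this thread, and not Netgear firmware): a toy Python model of the NAT behaviour described in message 8, showing that an unsolicited inbound packet is dropped because no mapping names a LAN destination, whatever its source address. The class, the `allowed_cidr` source filter and all addresses (documentation ranges standing in for the redacted scanner range) are assumptions made for illustration.

```python
import ipaddress

class NatRouter:
    """Toy NAT model (constructed for illustration, not Netgear firmware)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.conntrack = {}  # public port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.forwards = {}   # public port -> (lan_ip, lan_port, allowed source network)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        # A LAN device originates a connection: record the mapping so that
        # replies can be directed back to that device.
        public_port = self.next_port
        self.next_port += 1
        self.conntrack[public_port] = (lan_ip, lan_port, remote_ip, remote_port)
        return self.public_ip, public_port

    def add_port_forward(self, public_port, lan_ip, lan_port, allowed_cidr=None):
        # allowed_cidr is a hypothetical source filter of this toy model only.
        net = ipaddress.ip_network(allowed_cidr) if allowed_cidr else None
        self.forwards[public_port] = (lan_ip, lan_port, net)

    def inbound(self, src_ip, src_port, dst_port):
        # Returns the LAN (ip, port) that receives the packet, or None if dropped.
        entry = self.conntrack.get(dst_port)
        if entry and entry[2:] == (src_ip, src_port):
            return entry[:2]  # reply to a tracked outbound connection
        fwd = self.forwards.get(dst_port)
        if fwd and (fwd[2] is None or ipaddress.ip_address(src_ip) in fwd[2]):
            return fwd[:2]  # explicit port forward names a LAN destination
        return None  # no mapping: the router has no LAN device to hand this to

def demo():
    # All addresses are documentation-range placeholders (constructed).
    router = NatRouter("203.0.113.10")
    _, pub_port = router.outbound("192.168.1.20", 51000, "198.51.100.7", 443)
    reply = router.inbound("198.51.100.7", 443, pub_port)
    probe = router.inbound("192.0.2.5", 33333, 443)  # unsolicited, no mapping
    router.add_port_forward(443, "192.168.1.30", 8443, "192.0.2.0/26")
    forwarded = router.inbound("192.0.2.5", 33333, 443)
    outsider = router.inbound("198.51.100.99", 33333, 443)
    return reply, probe, forwarded, outsider

if __name__ == "__main__":
    print(demo())
```

In this model a source allow-list only has an effect once a port forward exists, because the forward is what supplies the LAN destination.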
antinode
Guru

Re: White Listing IP address

   Possibly related:

      https://community.netgear.com/t5/x/x/m-p/1574866

But, again, "scan" is not described, and "white list" is not the answer.

Message 9 of 13
Greenlaw
Tutor

Re: White Listing IP address

My processor (Heartland) requires the same scan (via ControlScan). I called Heartland and confirmed that ControlScan is legitimate and is a third party that they use to verify PCI compliance. I changed my scan speed to “Slow” and added their range of IP addresses to the security tab selection under “Remote Access”. They ran the scan this morning and it went thru with a “Pass”. Hope this info helps.
Message 10 of 13
antinode
Guru

Re: White Listing IP address

> [...] I changed my scan speed to "Slow" [...]

   That's with something other than your router?

> [...] and added their range of IP addresses to the security tab
> selection under "Remote Access".

   You lost me.  Are you talking about ADVANCED > Advanced Setup >
Remote Management : Allow Remote Access By: ...?  (And, if not, then
what?)

Message 11 of 13
Greenlaw
Tutor

Re: White Listing IP address

I understand your frustration with the lack of information being provided by the people asking about this issue. However, the issue is that ControlScan is not giving much info on their scan (see their response below). All that said, it looks like the fix is as simple as changing the scan speed within the ControlScan Portal to "slow".

ControlScan -> Compliance Overview -> Schedule Scan -> Scan Speed -> Slow

Contrary to my initial post, after reviewing my router settings, I did not save the changes in "Advanced Setup -> Remote Management -> Allow Access by IP Range". So the solution was as simple as changing the scan speed within their Portal.

Here is the email with instructions from ControlScan:

"Greetings,

For the scan blocking threats please have your web host/admin configure your IPS so that it does not react to our scanner IP range: XXX.XXX.99.0 - XXX.XXX.99.62 (XXX.XXX.99.0/26). As well as on any allowed lists for firewalls so that we can have a complete scan run for your location. Also you would want to check to make sure that the model of firewall doesn't have settings that would need to be changed to allow for a port scan that might keep a scan from completing.

We are not asking you to isolate our IP address to just one address, but to add the range because the scans may come from any one of those IPs based on how busy the rest are at any given moment.

Once those settings are confirmed, or if you do not have such a device, run the scan on slow speed.  This will have less of an impact on your network, and can often resolve a blocked scan result.  This setting is available in our merchant portal, www.mycontrolscan.com, in the schedule scan window.

Watchguard firewalls will sometimes have an additional port scan blocking feature.  It may be necessary to temporarily disable this feature.  Here are the general steps to disable the port scan blocking option on the Watchguard firewall:

Watch Guard Firewall Scan Blocked issue.

Policy Manager -> Setup menu -> Default Threat Protection -> Default Packet Handling, uncheck "Block Port Space Probes"

Once you have disabled this and run a new scan at slow speed, please re-enable the option as we do not wish to have you leave a hole open on your network.

Please let us know if you have any further questions or issues."

**I hid their full IP with XXX.XXX.**

Message 12 of 13
TeddyLu
Tutor

Re: White Listing IP address

@antinode

Thank you so much for going out of your way in trying to find an answer for me, what you have posted earlier is really relative to what I'm currently trying to do. The scan comes from a company called "Trustwave" and this is what they stated on their "guide" to fix my problem, but so far it hasn't been much help. My problem falls under "host(s) not detected"

https://www3.trustwave.com/support/kb/Article20965.aspx

If you scroll all the way to the bottom, it shows all the IP ranges that I need to supposedly white list for them to detect my front facing IP address.

@Greenlaw

Thank you for your insight, even though your problem falls along mine, it is not exactly the same unfortunately.

Message 13 of 13