
Static Route subnet mask not working

Retired_Member
Not applicable


R8000P (latest firmware) Static Route settings work only for subnet 255.255.255.255. If I specify IP X.0.0.0 with subnet 255.0.0.0 for Static Route, then it should affect all addresses in X.0.0.0-10.255.255.255 range, but it doesn't affect any of them. The setting only works if I specify a specific singular IP address with subnet 255.255.255.255. Why?

 

There is also no way to disable outbound ICMP on the router. Why?

Model: R8000P|Nighthawk X6S AC4000 Tri Band WiFi Router
Message 1 of 4
antinode
Guru

Re: Static Route subnet mask not working

> R8000P (latest firmware) [...]

 

   As always, an actual version number would be more useful than your
opinion of what's "latest" today.

 

   Connected to what?

 

> [...] Static Route settings work only for [...]

 

   Is there some actual problem which you are trying to solve by
defining a static route?

 

> [...] The setting only works if I [...]

 

   It might help if you revealed exactly what you're doing, and why, and
which sort of "not works" we're considering.


   None of that is a useful problem description. It does not say what
you did.  It does not say what happened when you did it.  As usual,
showing actual actions (commands) with their actual results (error
messages, LED indicators, ...) can be more helpful than vague
descriptions or interpretations.


> [...] subnet 255.0.0.0 [...]

 

   I know nothing, but I would not expect these consumer-grade routers
to cope well with anything broader than "255.255.255.0".

 

 

> There is also no way to disable outbound ICMP on the router. Why?

 

   What would be the benefit?  See "Is there some actual problem [...]",
above.

Message 2 of 4
Retired_Member
Not applicable

Re: Static Route subnet mask not working

Router firmware version is actually not relevant because all versions are affected and the latest version, the one I use, is 1.4.1.68.

 

The general problem is that my ISP uses multi-NAT that is detected during traceroute/ping commands. First 3 hops that follow R8000P hop are private IP addresses from my ISP. The first private IP hop address sends back a packet that Netgear R8000P SPI detects as a "Fraggle Attack - Port 67" (a false-positive) several times per second, but it does so only as a response to outbound ICMP packets. The only 4 ways to prevent R8000P log from being filled with false-positive attacks from my ISP private IP addresses, while logging other possible attacks, are:

1. Disable Netgear SPI/Firewall

2. Disable outbound ICMP on router (not possible on R8000P)

3. Disable outbound ICMP on all devices connected to R8000P (not possible on WiFi iOS devices and only possible on WiFi rooted Android devices with custom IPTables rules)

4. Block ISP's private IP addresses via Static Route settings

 

Option 4 provides the greatest benefit with the lowest cost. The specific problem is that my ISP keeps changing the first hop IP address every once in a while, but it keeps the same subnet for that private IP address. Therefore, the best solution is to use a broader subnet when blocking my ISP's private IP addresses. Using a broader subnet also ensures that private IP addresses (possibly spoofed IP addresses) are not used to whichever destination. It is a general safety rule to block all private IP addresses that do not belong to your local network.

 

Other router makers include more options in their consumer router settings. I don't expect DD-WRT level of customization or SSH access or even Layer 2 Guest WiFi AP Isolation on consumer routers, but there should be settings to disable outbound ICMP for all devices and disable IGMP Snooping/Querying (at least for devices connected to isolated Guest WiFi AP). Aside from not being able to stop IGMP queries, my rooted Android devices connected to isolated Guest WiFi AP actually see ARP queries for other devices connected to isolated Guest WiFi AP, even though "Allow guests to see each other and access my local network" option is disabled. Proper VLAN isolation can prevent that, but R8000P only offers VLAN settings for IPTV...

 

 

Message 3 of 4
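
An added example, not part of the original posts: a Python sketch that computes which destination/subnet-mask pairs cover the RFC 1918 private ranges outside a local network, and checks what a given entry should match. The LAN `192.168.1.0/24` and the hop address `10.37.4.1` are constructed sample values, and nothing here is specific to how the R8000P processes its static route table.

```python
import ipaddress

# The three RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def route_covers(destination, netmask, address):
    """Return True if a route entry (destination + dotted mask) matches address.

    strict=True raises ValueError when the destination has host bits set,
    e.g. 10.1.2.3 with mask 255.0.0.0, which is a malformed entry.
    """
    net = ipaddress.ip_network(f"{destination}/{netmask}", strict=True)
    return ipaddress.ip_address(address) in net


def private_routes_excluding(lan_cidr):
    """List (destination, netmask) pairs covering all private space except the LAN."""
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    entries = []
    for block in RFC1918:
        if lan.subnet_of(block):
            # Split the block into the minimal set of subnets that leaves the LAN out.
            pieces = sorted(block.address_exclude(lan))
        elif block.overlaps(lan):
            pieces = []          # LAN is wider than this block: nothing left to list
        else:
            pieces = [block]
        entries.extend((str(p.network_address), str(p.netmask)) for p in pieces)
    return entries


if __name__ == "__main__":
    # Constructed sample LAN; replace with the router's actual LAN subnet.
    for dest, mask in private_routes_excluding("192.168.1.0/24"):
        print(f"{dest:<15} {mask}")
    # A /8 entry should match every 10.x.x.x hop, whichever one the ISP uses today.
    print(route_covers("10.0.0.0", "255.0.0.0", "10.37.4.1"))
```
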
Retired_Member
Not applicable

Re: Static Route subnet mask not working

Bump!

Message 4 of 4