ron111157
Mar 06, 2023 Apprentice
Orbi RBR50 About device names
Orbi RBR50v2, two satellites. v2.7.4.24. Mac systems Question about device names in the App I always give a new device a name and have had no issues there. Recently I added a new smart hub, (Aqara...
TC_in_Montana
Mar 20, 2023 Virtuoso
ron111157 wrote:
I'm thinking that blocking by MAC in Access Control setting works on wireless devices, not wired.
That would make logical sense; however, look at this.
It clearly says Wired connection, so either:
1. It is misidentified as wired when it is actually wireless
2. One ethernet port has 2 MACs which should not be
Either way it was Blocked so should not have been given Access as the log states.
I agree completely that it shows "Wired" within the block list - but looking through various Knowledge Base articles on Access Control - some specifically state it's used for Wireless connectivity, some say Wired/Wireless - so it may or may not work as expected - based on which KB article you read. I've used other blocks - like blocking websites on NG's products - and the router reports that it is doing so - but really doesn't. So sometimes things report correctly, sometimes they do not.
Again, since it is WIRED (which you say it is and the system says it is) - the best way to keep it from connecting to your network - is to not PHYSICALLY connect it to your network.
CrimpOn
Mar 20, 2023 Guru - Experienced User
Today is "Fun with Orbi Day". I, also, experimented with using Access Control to block a wired device (Epson printer):
Results were puzzling. Even though Access Control and Attached Devices clearly show the printer as Blocked:
- I could print to the printer.
- I could use a web browser to access the printer control panel.
However, when I used the actual printer controls to search for firmware update, the printer complained that it could not reach the internet. Unblock the printer and it searches for firmware update just fine (at the latest already). I will block a desktop computer next and see what happens.
The preliminary conclusion thus far is that "Blocked" is an ambiguous term, and almost certainly does not match what one might expect. i.e. the blocked device cannot originate a TCP connection, but it can respond to a connection established by an Allowed device on the network.
More to come....
- CrimpOn Mar 20, 2023 Guru - Experienced User
MUCH clearer now. Wired devices are different from WiFi devices in one important way: they are connected to the Orbi Ethernet switch module. Since (forever?) switch modules "learn" which MAC addresses can be reached on which physical ports. It is common for even the dumbest Ethernet switch to have a MAC table holding 1,000 entries. Communication between two devices that are connected to the switch module does not go through the Orbi router unless the switch knows, "THAT MAC address is out the port to the router". My tests of Blocking were technically correct, but misleading. The Orbi cannot prevent a wired device from communicating on the wired subnet because it never "sees" the packets.
A more correct experiment is to block a wired device and see what happens to communications that leave the switch module.
Verified this by blocking a desktop computer that is also 'wired' directly to the router.
- It happily pings other devices that are wired to the router Ethernet module (or to a switch that is wired to the module because they both learn which port leads to specific MAC addresses).
- Other wired devices can ping it.
- BUT.. anything that has to pass through the router fails:
  - Trying to ping a WiFi device fails.
  - Trying to ping the desktop from a WiFi device fails.
None of my satellites have anything with a keyboard attached to them. My guess is that devices 'wired' to satellites will also not be able to communicate to/from a wired device that is 'Blocked'. The satellites each have Ethernet switch modules which learn MAC addresses, but they are separate switches. They will say, "I know that MAC. Use the router connection to reach it."
So, I am more confident that terminology is the root of the problem. We humans want "Blocked" to mean "Do not let this thing connect to the network. Don't give it an IP address.", whereas Netgear means, "This thing can connect (because it can be plugged in or because it knows the WiFi SSID/password), but nothing involving this device will get through the router."
If a device is Blocked in Access Control, then for all practical purposes it is completely isolated. It cannot reach the internet. The internet cannot reach it. The only thing it can do is interact with other devices that are wired to the same Orbi unit switch module. How does it take orders from its Evil Master? How does it report sensitive information?
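Added example, not part of any post in this thread and not Netgear code: a toy Python model of the learning-switch explanation above, showing why a block list enforced at the router cannot filter frames that the switch module delivers port to port. The host names, port numbers and single-switch topology are constructed assumptions.

```python
# Toy model (added example): one learning switch with a router on its uplink.
# Host names, port numbers and the topology are constructed for illustration.
WIRED = {"desktop": 1, "printer": 2, "nas": 3}   # host -> switch port
WIFI = {"laptop"}                                # reachable only via the router
UPLINK = 0                                       # switch port facing the router

class LearningSwitch:
    def __init__(self):
        self.mac_table = {}                      # learned: host (MAC) -> port

    def egress_ports(self, in_port, src, dst):
        self.mac_table[src] = in_port            # learn where src lives
        if dst in self.mac_table:
            return {self.mac_table[dst]}         # known destination: one port
        return ({UPLINK} | set(WIRED.values())) - {in_port}   # unknown: flood

def send(switch, blocked, src, dst):
    """Send one frame; return (delivered, seen_by_router)."""
    allowed = src not in blocked and dst not in blocked   # router's block list
    if src in WIFI:                              # frame starts at the router
        if not allowed or dst in WIFI:
            return allowed, True
        ports = switch.egress_ports(UPLINK, src, dst)
        return WIRED[dst] in ports, True
    ports = switch.egress_ports(WIRED[src], src, dst)
    seen = UPLINK in ports
    if dst in WIRED:                             # switched locally, no filtering
        return WIRED[dst] in ports, seen
    return seen and allowed, seen                # must cross the router

def ping(switch, blocked, a, b):
    """A ping succeeds only if the request and the reply are both delivered."""
    request_ok, _ = send(switch, blocked, a, b)
    reply_ok, _ = send(switch, blocked, b, a)
    return request_ok and reply_ok

def run_demo():
    sw, blocked = LearningSwitch(), {"desktop"}
    return {
        "desktop<->printer": ping(sw, blocked, "desktop", "printer"),
        "desktop<->laptop": ping(sw, blocked, "desktop", "laptop"),
        "laptop<->desktop": ping(sw, blocked, "laptop", "desktop"),
        "laptop<->nas": ping(sw, blocked, "laptop", "nas"),
        "router sees desktop->printer": send(sw, blocked, "desktop", "printer")[1],
    }

if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

In this model the router sees only the first, flooded frame between two wired hosts; once both MAC addresses are learned, their traffic never reaches the uplink port where the block list is applied.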
- ron111157 Mar 20, 2023 Apprentice
So, I am more confident that terminology is the root of the problem. We humans want "Blocked" to mean "Do not let this thing connect to the network. Don't give it an IP address.", whereas Netgear means, "This thing can connect (because it can be plugged in or because it knows the WiFi SSID/password), but nothing involving this device will get through the router."
If a device is Blocked in Access Control, then for all practical purposes it is completely isolated. It cannot reach the internet. The internet cannot reach it. The only thing it can do is interact with other devices that are wired to the same Orbi unit switch module. How does it take orders from its Evil Master? How does it report sensitive information?
That gives some measure of comfort. It stays within the LAN.
- CrimpOn Mar 20, 2023 Guru - Experienced User
ron111157 wrote:
That gives some measure of comfort. It stays within the LAN.
Within the Ethernet switch module and any switches connected directly to it. The LAN includes everything behind the router: satellites, WiFi, etc. For example, if a Blocked device was the only thing wired to a satellite, I am confident it could not communicate with anything.
For example, if Access Control is set to "Block all new devices from connecting" and someone sneaks into the garage and connects a laptop to the satellite that is in there, it will not be able to do anything. (Notice how Netgear used incorrect terminology. "Connecting" rather than "Block all new devices from being able to do anything except on the Ethernet switch module - if they are connected with a cable.")