
Blocked Sites

DCP4971
Luminary

Blocked Sites

Hi all,

 

Bit of a weird one for me. I have a number of keywords included in Block Sites on my RBR850.

 

These seem to work fine, I get an alert every time they come up, which is good.

 

However, I've had a couple of occasions where a particular site is visited, that triggers an alert for a blocked site, but is showing up as from an IP address outside of my network.

 

This is puzzling. The timing of the first in particular was a bit odd too - being 01:34 in the morning.

 

I know the RBR50 that I just retired was prone to somewhat poorly coded log entries for attacks that didn't say that they had been blocked, but am curious if anyone else has come across something like this.

 

I'm concerned that the network has been compromised.

 

I've tried testing a block alert myself and it reports it as coming from my IP address, not an external one.

 

In fact, as I have been typing this, another such alert has come in and I'm the only one in the house right now.

 

[site blocked: www.website.com] from source nnn.nnn.nnn.nnn Thursday, Jun 02,2022 17:57:57

 

Thanks in advance

Message 1 of 6
CrimpOn
Guru

Re: Blocked Sites

You are correct. This is a weird one. Site blocking can only function with regard to devices connected to the Orbi LAN. Devices out on the internet attempting to connect to some web site will be directed to that site IP, not to your home router.

 

I hope you are aware that the utility of site blocking on Netgear routers has diminished as web browsers have changed. The Orbi mechanism blocks only unencrypted (http) connections. It does not block encrypted (https) connections. Now that close to 100% of web sites are https, web browsers are starting to assume that any URL entered by the user that does not specifically indicate http is intended to be https, and they search for the secured web site first. Thus bypassing the Orbi site blocking capability.

 

As an example, I set up a block for the keyword "ford" and set blocking to "Always".

Open a web browser and enter http://ford.com.  Blocked by the Firewall message comes up immediately.

Enter https://ford.com, and the web site pops right up.  Not blocked.

An interesting side note: site blocking takes place after the DNS lookup. My other site blocking entry is "sexykitten".

Search for http://sexykitten.com brings up a "site not found" response in the web browser. (Why no one has created a web site called sexykitten is a mystery.)

 

Sorry to be no help.  I cannot think of any explanation for how this sort of message could show up in the Orbi log file.

Message 2 of 6
DCP4971
Luminary

Re: Blocked Sites

Thanks for the reply, I wasn't aware that was how the blocking worked. Seems a bit lacking for a £1000 system, but not entirely surprised it's not as fully functioning as it could be, given nothing much has changed in the FW functionality for about 5 years.

 

So, I'm still puzzling about this issue, keeps coming up every few days, with little pattern and the LAN/WAN Packet Capture is next to useless as it doesn't hold the data in memory for very long and port mirroring doesn't seem to be available as an option on the 850 where it was on the 50 (though, I doubt it actually worked from what I had read).

 

Have been playing with Wireshark, but that seems overkill in terms of the amounts it captures vs the needle in a haystack that is this occasional visitation of a blocked site.. but maybe I need to persevere to see if I can refine what it sniffs out.

 

I'm loath to just give up, I don't like being beaten, so any suggestions on what I might be able to do would be appreciated.

Message 3 of 6
CrimpOn
Guru

Re: Blocked Sites

I face the same frustration with attempting to capture information about internet traffic.  Like Alice, I went "down the rabbit hole."

  • Purchased a gigabit switch that allows mirroring ports.
    Amazon sells the Netgear GS-105Ev3 and GS-108Ev3.  I bought the 8-port because the day I looked it cost less than the 5 port.
    I had tried a TP-Link switch, but could not get the port mirroring to work.
  • Insert the switch between modem and router.
  • Mirror one of the ports (doesn't matter which) to a different port.
  • Connected that port to my PC. (Because the PC's only Ethernet port was already in use, I purchased a Gigabit to USB adapter.)
  • Opened Wireshark to capture the USB adapter.
  • Once I verified that Wireshark could capture the router-modem communication, created Wireshark Capture filters to record only the information I wanted.  (It would have worked to capture all those gigabytes of data and try to sort through it later, but this became an obsession.)  Some examples:
    • Recorded the pattern of DHCP packets when my router would ask the ISP to renew both the IPv4 lease and the IPv6 lease.
      It turns out that my ISP (Spectrum) behaves exactly as expected.
    • Recorded every time the router contacted Netgear's firmware update site.

Unless these spurious attempts come from exactly the same source IP every time, I fear you would have to capture everything and when the log shows a site being blocked, then go into Wireshark and look for packets at about that time of day.

 

So, not trivial or low cost.

 

Message 4 of 6
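An added example (not code from any poster in this thread) of the correlation step suggested above: it reads log lines in the format quoted in the first post, keeps only the "site blocked" entries whose source address is outside the LAN, and builds a Wireshark display filter for a short window around each one, so the capture taken between modem and router can be searched by time and address. The LAN subnet 192.168.1.0/24, the 30-second window, the sample addresses and the sample log lines are assumptions constructed for illustration; the router clock and the capture PC clock are assumed to agree.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumption: the home LAN subnet. Change to match the router's LAN setup.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample lines in the format quoted in the first post.
# 192.168.1.23 is a made-up LAN client; 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
[site blocked: www.website.com] from source 192.168.1.23 Wednesday, Jun 01,2022 20:15:02
[site blocked: www.website.com] from source 203.0.113.7 Thursday, Jun 02,2022 01:34:10
[some other event] Thursday, Jun 02,2022 09:00:00
[site blocked: www.website.com] from source 203.0.113.7 Thursday, Jun 02,2022 17:57:57
"""

LINE_RE = re.compile(
    r"\[site blocked: (?P<site>[^\]]+)\] from source (?P<src>\S+) "
    r"\w+, (?P<ts>\w{3} \d{2},\d{4} \d{2}:\d{2}:\d{2})"
)


def parse_blocked(log_text):
    """Yield (site, source_ip, timestamp) for each 'site blocked' line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a site-blocked entry
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # masked or malformed address, e.g. nnn.nnn.nnn.nnn
        # %b expects English month names (C locale).
        yield m["site"], src, datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")


def external_hits(log_text, lan=LAN):
    """Return the blocked-site entries whose source is not a LAN address."""
    return [hit for hit in parse_blocked(log_text) if hit[1] not in lan]


def display_filter(src, ts, window=timedelta(seconds=30)):
    """Wireshark display filter for traffic to or from src around ts."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return (f'frame.time >= "{(ts - window).strftime(fmt)}" && '
            f'frame.time <= "{(ts + window).strftime(fmt)}" && ip.addr == {src}')


if __name__ == "__main__":
    for site, src, ts in external_hits(SAMPLE_LOG):
        print(f"{ts}  {site}  {src}\n    {display_filter(src, ts)}")
```

Paste each printed filter into Wireshark's display filter bar with the saved capture open; widen the window if the two clocks drift.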
Godspeed117
Initiate

Re: Blocked Sites

I have the same exact issue. Did you ever find a solution?

Message 5 of 6
DCP4971
Luminary

Re: Blocked Sites

Sorry for slow reply.

 

Nah, didn't figure it out, there was just too much data from the Wireshark capture I was doing and even when the iffy site did show up, it wasn't clear what was happening - at least to my unknowledgeable mind. So, gave up.

 

It still happens periodically (have keyword block on Block Sites), I've got maybe should ask NG Support, but am now out of the support period that they graciously give us (despite having this Orbi for 5-6 months only).

Message 6 of 6