That allows for inboudn rules, but does not seem to allow for more specific rules - allowing that forward ONLY for a given remote external IP
It might be that this simply isn't a feature provided by the Orbi, though it seems a bit odd given if that is the case, given it is a fairly common requirement.
The unit also does not seem to manage local dns...? So if I have a device with hostname "thing" and I try to ping it, the ORBI will not resolve that. Instead I wouod have to rely on mDns
I can work around both of these issues by using the Orbi in AP mod ans using openWrt to do my routing, but again local DNS resolving seems a very basic feature, so I wonder whether perhaps I have just missed the setting....
I guess I'll have to stick with the current setup of the Orbi as an AP and openWRT as a router/firewall. It seems a pity, but so long as the mesh works well it's not a major problem.
But I don't seem to be able to be more restrictive, and say:
Forward incoming connections on port 1234 from IP 1.2.3.4 ONLY to internal IP 5.6.7.8 port 5678
This seems a very basic feature for a router....am I looking in the wrong place?
You are not finding it because Orbi does not provide the ability to restrict port forwarding by external IP address. I can see the appeal. (If a port is forwarded to an internal server, then the 'entire world' will soon discover the open port and begin attempting to access the internal server.)
There seem to be two alternatives:
Device Firewall. The Windows Firewall, for example, allows incoming rules to be limited by external IP address. Since the Windows Firewall will block connection attempts, then the port will not appear to be 'open'. (The Orbi router never responds to connection attempts on forwarded ports. The connection request gets passed to the internal LAN. If the internal server does not respond, then the connection attempt just 'disappears'.)
OpenVPN. If connections need to be restricted to a single IP address, that implies (to me) that there is some organizational relationship between exactly two computer networks which are not constantly changing. Enabling the OpenVPN host on the Orbi allows a remote computer which has the required SSL certificates to connect to the local LAN - and thus to the internal server. For example, if an FTP server is set up on the LAN, no one will ever see Port 21 open except someone who has opened a VPN connection to the Orbi.
There is an "Idea Exchange" where customers suggest new features. The request could be posted there. (I have very low expectations that anything would come soon - if ever.)
I guess I'll have to stick with the current setup of the Orbi as an AP and openWRT as a router/firewall. It seems a pity, but so long as the mesh works well it's not a major problem.
I was busy typing when this message came through. Fine solution.
Having put my main device into AP mode, the two satellites have now both gone offline entirely and can't be rediscovered. Time to try a factory reset of the satellite. I can't face a reset of the main unit - that took hours of retries not crash the app on initial install!
OMG. There is a tempest on the forum regarding 750 firmware. (Not my model, so I do not follow the posts closely, but the sense I get is of issues with satellites when the 750 is in AP mode.)
Might be worth a few minutes to make a stiff drink and read through the long threads regarding 750 firmware.
I am pretty confident that Netgear has an official Quality Assurance process before releasing firmware versions. I also have an impression that the number of customers who use Access Point mode is pretty small. (I certainly don't.) Those firmware posts are a struggle to wade through. A lot of frustration and anger.
There remains yet another alternative.
Front the Orbi with OpenWRT
Place the Orbi in router mode
On OpenWRT, restict the port forwarding to the Orbi IP address.
On the Orbi forward the port to the internal server.
People fear the dreaded "Double NAT", and indeed there are specific situations where more than one router causes havok. Port forwarding is not one of them. I have deliberately set up a stack of three routers. Every 'ordinary' form of internet use works fine. Then, I set up a web server on LAN#3. Forwarded port 80 on router #1 to router #2. Forwarded port 80 on router #2 to router #3. Forwarded port 80 on router #3 to the web server. No Problem.
Do I recommend this as a regular practice? Hell, no.
I'll raise a ticket and see where it gets me. Certainly nothing I can do currently is making the satellites pair - which would seem to be a fairly easy problem to pick up in soak, but who knows!
Fingers crossed they can offer a resolution, if not I suppose I'll have to try another company - but haven't given up yet!
Although the kit arrived from Amazon new today, apparently my support expired in 2021
It doesn't really fill me with confidence if Netgear won't offer support for brand new products with iffy firmware. Maybe I'll try to proxy the support request via Amazon 🙂
I'll also raise a specific thread here to avoid topic-creep!
There are times when Amazon customers register a product with Netgear and then decide to return it. Being disappointed with their purchase, they feel no incentive to cancel the registration. (And, cancelling a registration appeared on the Netgear web just within the past month.) Amazon has no mechanism to detect or remedy that situation. If they reseal the package and sell it to a new customer, this sort of thing happens.
Did MyNetgear.com show this product already registered to you?
What has worked for others in the past is to contact one of the forum moderators (by clicking on their screen name, such as @Blanca_O ).
Put the important details in a private message (Amazon order date and number).
So few people who come to the forum have time remaining on their "90 days" that I would hate to have anyone miss their chance. (I came to the form when my Orbi was already two years old.)
