RBR20 service blocking blocks internal traffic

RogerSA
Aspirant

RBR20 service blocking blocks internal traffic

I have 3 piholes with unbound running on my internal network. I set up service blocks to only permit those 3 devices to connect to the internet via tcp/udp 53 and tcp 853 (DoH). But when I enable those blocks my other systems can't resolve addresses--their DNS is set to the Orbi's address while the Orbi has those three piholes listed for its DNS. It appears that the Orbi bit buckets all internal and external traffic directed to ports 53 and 853. This doesn't make sense to me. The blocks should only impact traffic pointed to the internet while leaving internal traffic alone. My firmware version is 2.7.3.22.


Am I missing something or is this how the Orbi does service blocking?

Here's a cut and paste of my block settings. DNS servers are 192.168.1.225, 226, and 227. 192.168.1.2-224 and 228-254 are blocked.

#  Service          Ports    Blocked IP range
1  DNS              53-53    192.168.1.2-192.168.1.224
2  DNS              53-53    192.168.1.228-192.168.1.254
3  DNS over HTTPS   853-853  192.168.1.2-192.168.1.224
4  DNS over HTTPS   853-853  192.168.1.228-192.168.1.254
Model: RBR20|Orbi AC2200 Tri-band WiFi Router
Message 1 of 6
CrimpOn
Guru

Re: RBR20 service blocking blocks internal traffic

I, also, have a couple of Raspberry Pis running Pi-hole.  I confess to being too chicken to impose Pi-hole on the family without more study, so I have set several computers to use the Pi-holes for DNS while the rest of my devices use the Orbi (192.168.1.1).  I will attempt to duplicate your configuration in a few hours when I have the house to myself.

In the meantime, I have done a few tests:


Set up a service block on port 53 for my desktop (192.168.1.2) which goes to the two Pi-holes. From a Command window, the desktop can ping just fine.  (It is a memory challenge to come up with URLs that will not have already been cached.  Time to learn how to clear the DNS cache on Windows.)  Expected this result.

I then switched the block to my cell phone (192.168.1.19), which gets DNS from the Orbi.  Ping works from the cell phone. Expected this result.


Then changed the desktop (1.2) to get DNS from CloudFlare and Google (1.1.1.1 and 8.8.8.8). With the Block Services "Always" on the desktop, ping still works!  Oh, crap. Did not expect this!

Will check back later today when I can duplicate your setup more closely.

Message 2 of 6
RogerSA
Aspirant

Re: RBR20 service blocking blocks internal traffic

I can ping and ssh into the pihole devices just fine. It's DNS that's blocked by the router. I've verified it:


Ran dig a couple of ways: dig ebay.com times out. dig @192.168.1.225 ebay.com works fine (bypass the Orbi and direct connect to dns).


The Orbi knows the addresses of the piholes as DNS. It doesn't seem to know to direct traffic to them when it sees port 53 traffic--it just bit buckets it.


I'd move the piholes to the LAN that resides between my modem and the Orbi (running as a router) and do the service block on the modem but I fear the modem may operate the same as the Orbi and not let the traffic route to the piholes. Like the Orbi it lacks any sort of ACL capability that can instruct the router to, well, route to specific addresses.


Thanks for giving it a shot. Hopefully you'll figure out what I might be overlooking.

Message 3 of 6
CrimpOn
Guru

Re: RBR20 service blocking blocks internal traffic

I fear you may be onto something. Everyone went to the store, so I configured the Orbi to use my two Pi-hole DNS servers.  I see on the Pi-hole administration interface that it is now receiving a stream of DNS queries from 192.168.1.1 (the Orbi router).  So that part of the DNS business is working correctly.  Then, I put a DNS block on a PC, and nothing gets resolved.  The queries appear to 'die' at the Orbi.

Strangely enough, the other computer with a DNS block is merrily resolving against CloudFlare and Google.


My sense so far is:

  • DNS appears to be 'special' as far as the Orbi router is concerned.
    When DNS requests hit the Orbi itself, it is happy to block them from reaching the Orbi DNS mechanism.
  • When DNS requests are directed to different IP's, either on the local LAN or on the WAN, the Orbi router simply does not see them.
    They go right through. This entirely defeats the purpose of "Block Services".

What a cluster f**k.


Gotta put things back for a while. It is enormously frustrating not to have an answer for the question or to be able to reach anyone at Netgear who might know what is going on.

Message 4 of 6
RogerSA
Aspirant

Re: RBR20 service blocking blocks internal traffic

Thanks for giving it a shot. You're right, this is messed up. I suspect you're seeing traffic to CloudFlare and Google because they do DNS over HTTPS (tcp port 853). I guess the best we can do is block 853 and hope for the best. 

Do better, Netgear. 

Message 5 of 6
CrimpOn
Guru

Re: RBR20 service blocking blocks internal traffic

My block was like yours, both 53 and 853, and my ping was v4 (I did not add the /6 parameter).

This just sucks.

Message 6 of 6
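A small checker, added here and not part of the thread, that automates the dig comparison RogerSA and CrimpOn ran by hand: from a client inside a blocked range it sends one A query to the Orbi, to a Pi-hole directly, and to an external resolver over UDP/53 and over DNS-over-TLS on TCP/853, then classifies what the block actually stops. Assumed values: the thread's 192.168.1.1 (Orbi) and 192.168.1.225 (Pi-hole), 1.1.1.1 as the external resolver, and example.com as the test name.

```python
import socket
import ssl
import struct

def build_query(name, qid=0x1234):
    """Minimal DNS A query in RFC 1035 wire format (header + question)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def probe_udp(server, name, timeout=2.0):
    """True if `server` answers a plain UDP/53 query within the timeout."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(q, (server, 53))
            data, _ = s.recvfrom(512)
            return data[:2] == q[:2]  # transaction id must match
        except OSError:  # socket.timeout is an OSError
            return False

def probe_dot(server, name, hostname=None, timeout=2.0):
    """True if `server` answers over DNS-over-TLS (TCP/853, RFC 7858)."""
    q = build_query(name)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((server, 853), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname or server) as s:
                s.sendall(struct.pack("!H", len(q)) + q)  # DoT: 2-byte length prefix
                hdr = s.recv(2)
                return len(hdr) == 2 and s.recv(struct.unpack("!H", hdr)[0])[:2] == q[:2]
    except OSError:  # covers SSLError, timeouts and refused connections
        return False

def assess(results):
    """Classify {path: resolved?} as the thread's dig tests did: 'enforced' if nothing
    resolves, 'router-only' if only queries aimed at the router die, else 'not-enforced'."""
    leaks = sorted(p for p, ok in results.items() if ok and p != "router")
    if not any(results.values()):
        return "enforced", []
    if results.get("router") is False and leaks:
        return "router-only", leaks
    return "not-enforced", leaks

if __name__ == "__main__":  # run from a client inside one of the blocked ranges
    paths = {"router": probe_udp("192.168.1.1", "example.com"),
             "pihole": probe_udp("192.168.1.225", "example.com"),
             "cloudflare_udp": probe_udp("1.1.1.1", "example.com"),
             "cloudflare_dot": probe_dot("1.1.1.1", "example.com", "one.one.one.one")}
    print(paths, assess(paths))
```

A 'router-only' verdict reproduces the thread's finding: the block stops queries to the Orbi's own forwarder but not queries sent straight to another LAN or WAN resolver.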