RBR50: What exactly does Allow Access do?

jmmmmh · ‎2023-03-28

I've got the RBR50 with 2 satellites. In the iOS app/web UI, I can toggle Allow Access for a specific device.

My thinking was I could use this to block internet access from a particularly (cheap) and chatty IP camera which is connected via wifi to one of the satellites. Its got an rtsp stream that I want to access locally from a machine connected directly to the router.

Disabling "Allow Access" works as intended to suppress internet connectivity, but, it renders the camera inaccessible from either the main RBR50 router, or the satellite the IP camera isn't connected to. I've run nmap when connected to the satellite and the rtsp port is open; flipping to the main router its inaccessible.

So, what does Allow Access actually do at a network level? Is it a vlan? Is there an alternative using stock firmware to block internet access (e.g. no gateway) for a single device or do I need to think about another solution? All devices use DHCP so I guess I could change the camera to be statically configured and fudge the gateway, but I'm keen to see if the router can help!

Any help appreciated!

(Semi-related: I have an aged Philips Hue hub connect to a satellite through a *wired* connection and its accessible from the router and all of the satellites, despite it being "Allow Access" toggled off...so it seems unique to wifi devices).

CrimpOn · ‎2023-03-28

I have never seen a written description of what sliding the Allow Access to "off" is supposed to accomplish. (These days, consumers no longer seem to expect old-fashioned User Manuals.) I have experimented with the corresponding Access Control feature of the Orbi web interface. (http://orbilogin.net ). This is found on the Advanced Tab on the Security Menu.

Enabling Access Control and then Blocking a specific device stops any communication between the device and the network that passed through the router. This would include traffic to/from WiFi devices and the internet. I does not affect communication between the device and devices wired to the same router (or satellite). This is because those devices are connected to a small Ethernet switch. (In many routers this is a 4-port switch module.) Ethernet switches have a table of MAC addresses that they have learned over time. When a data packet comes into the switch, the switch looks in the table to find which port to send the packet through. It is common for the switch table to hold 100's of MAC addresses. Devices on the network have internal Address Resolution Protocol (ARP) tables which they use to convert IP addresses into MAC addresses.

When a wired device sends a packet to another device that is also wired to the Ethernet switch:

The device looks in its ARP table to find out which MAC adress corresponds to the IP address and sends the packet to the network.
The Ethernet switch looks in its tables and finds that the packet needs to go out of of the switch ports, so the packet goes out.
If the MAC is one that is not connected directly to the switch, then the packet is sent to the router.
The router says, "Oh, no. You're Blocked." and stops the packet.

It works the same way in the other direction. When a wired device attempts to send to the Blocked device, it gets through the Ethernet switch just fine. If it has to pass through the router, it is blocked.

Users may find it strange that "Blocking" a device (or not Allowing Access) does not remove the device from the network. "Why does it even get an IP address???" It appears (to me) that this is simply practical. How can I "unblock" something that does not exist?

There is another feature on the web Security menu called Block Services.If you block all services for that camera, then it will no longer be able to access the internet. See page 51 of the User Manual:

https://www.downloads.netgear.com/files/GDC/RBK50/Orbi_UM_EN.pdf

RBR50: What exactly does Allow Access do?

RBR50: What exactly does Allow Access do?

Re: RBR50: What exactly does Allow Access do?