Enabled "Access Control" and WiFi can't see wired devices.

You are correct.  Orbi's primary network is one network.  All devices are accessible to every other device, wired/WiFi makes no difference.  So, something is wrong and the task is to figure out what it is.

Access control is a bit tricky.  For example, there is a section of "Blocked Devices" that is at the very bottom of the web page (have to scroll down... and down some more).  I didn't even see this table for (a long time - sigh).

Another wrinkle is the Orbi "app".  Sometimes the app does weird things to Access Control.  I have yet to figure out what that "slider" control actually means.  "Pause"?  Does that mean "Blocked", or .... what?  If you have never used the Orbi app on this Orbi, then of course the app cannot play any part in this.

My approach would be to verify that everything works correct with Access Control turned off.  Can devices print and access the NAS?

Do the printers and NAS have IP addresses "assigned" in the LAN Setup?

Some devices have hard coded IPs and  even more have reservations but some are outside the DHCP lease range (100 to 199). (Wanted DNS to know the host names.)
"Access Control" is the toggle switch that makes it so the wireless can or can't see some of the wired devices. When "Access Control" is turned on nothing is on the blocked list as I had allowed everything that is on the network, so that isn't an issue.
BTW - I don't have or use the Orbi app. I have no interest in a cloud based solution for configuring a router. It serves no purpose except to create an unnecessary security risk.

Here is two IPscans from a laptop connected via WiFi made back to back after toggling the "Access Control".

----------------------------
Access Control off

IP             Ping  Hostname
172.20.20.1    3 ms  [n/a]
172.20.20.100 11 ms  [n/a]
172.20.20.101  3 ms  [n/a]
172.20.20.103  5 ms  [n/a]
172.20.20.104  3 ms  [n/a]
172.20.20.105  3 ms  Den---AVR-X2400H.local
172.20.20.106  7 ms  T-Lap
172.20.20.111  0 ms  ZB-Lap
172.20.20.113  0 ms  [n/a]
172.20.20.120  5 ms  [n/a]
172.20.20.150  3 ms  DESK
172.20.20.222  4 ms  [n/a]
172.20.20.230  5 ms  [n/a]
172.20.20.231  4 ms  [n/a]

----------------------------
Access Control on

IP             Ping  Hostname
172.20.20.1    3 ms  [n/a]
172.20.20.100  8 ms  [n/a]
172.20.20.101  1 ms  [n/a]
172.20.20.103  6 ms  [n/a]
172.20.20.104  3 ms  [n/a]
172.20.20.105  3 ms  Den---AVR-X2400H.local
172.20.20.106  7 ms  T-Lap
172.20.20.111  0 ms  ZB-Lap
172.20.20.113  0 ms  [n/a]
172.20.20.150  4 ms  DESK
172.20.20.222  5 ms  [n/a]
172.20.20.230  7 ms  [n/a]
172.20.20.231  7 ms  [n/a]

----------------------------

You can see that the HP 4000N on 172.20.20.120 disappears as soon as the Access Control is turned on. The NAS does the same thing but it is currently on a different network doing a data transfer to a new NAS.

If I leave Access Control on and plug the laptop into a patch cable the printer instantly reappears. The network's pyisical topology is rather flat. Internet comes into the Orbi. Connected to one of the LAN ports on the Orbi is a 24 port managed gig switch. The only other patch cable connected to the Orbi is the home automation hub. It is pretty simple.

The big thing is there is no doubt that the Orbi is what is blocking communication to the printer and the NAS. I'm almost afraid to turn on VPN and I'm going to need that to get secure remote access for the home automation.

Thanks for looking

Thanks for testing.  It is common for people to 'assign' IP's outside the DHCP range, and even set aside parts of the subnet for static IP's.  That's all good.

I have no experience with a "managed switch", but have read numerous comments about Orbi having problems with managed switches, specifically with IGMP.  Could you perhaps see if there is a way to disable any IGMP capability on the switch and see if that changes anything?  (Should it?  Of course not.  But, does it?)

By-the-way, I have OpenVPN running on two separate Orbi's using Dynamic IP from No-IP.com  I have a suspicion that one of them does not survive a change of public IP, but will have to wait to see if it fails again.  On my Windows machine, I installed "tunXten" so that I can switch easily between VPN's.  (Have no problem on Linux.)  Following the directions exactly was the key to getting OpenVPN to work.  I thought, "I'm a computer guy.  I don't need no stupid directions!"   As Stan said to Ollie, "what another fine mess."

There is no IGMP on this switch. IGMP is a layer 3 protocol for routing so it would be unusual to see it on a switch unless it had some routing functions added to it.
- A managed switch just means you can log into it, have some configuration of ports, error reporting, and usually you can configure VLANs. (And if you configure VLANs some switches will let you setup some routing related to the VLANs.)

My guess is that my options are:
- Reset the router to factory default and reconfigure it.
- Hope that NetGear issues a fix.
- Put in a Ubiquiti Unifi me$h.

Hate spending money twice.

Thanks.  I had to ask.  We had a question this week from a person with a 24 port "switch" that did everything but deliver coffee. Care to share the specific brand and model number of the switch?

---

@GambleHomeSec wrote:

My guess is that my options are:
- Reset the router to factory default and reconfigure it.  Unless someone suggests something else, this is the most likely "next step."
- Hope that NetGear issues a fix.  I would not count on this. Since others do not report this issue, Netgear is not likely to think a fix is necessary.
- Put in a Ubiquiti Unifi me$h. Yes, expensive.  I hear they are great, but have no personal knowledge.  Probably should spend some time on their user forum first.

---

Resetting the Orbi to factory costs only time (perhaps a LOT of time).  I would probably take this opportunity to give the printer an assigned IP address, rather than have it get a DHCP "luck of the draw."  (Maybe you already did this.)

Just for fun, what happens when the Access Control is set to "Allow all new devices to join the network"  rather than "Block all new..."  I have no idea why Netgear would make this an option (seems incompatible with the very idea of "Control"), but they do.

What is the Mfr and model# of the switch your using? 

---

@GambleHomeSec wrote:

There is no IGMP on this switch. IGMP is a layer 3 protocol for routing so it would be unusual to see it on a switch unless it had some routing functions added to it.
- A managed switch just means you can log into it, have some configuration of ports, error reporting, and usually you can configure VLANs. (And if you configure VLANs some switches will let you setup some routing related to the VLANs.)

My guess is that my options are:
- Reset the router to factory default and reconfigure it.
- Hope that NetGear issues a fix.
- Put in a Ubiquiti Unifi me$h.

Hate spending money twice.

---

The switch was a NetGear GS726TP but I had to take it out of service a couple days ago after NetGear support "helped" me with a PoE issue where the required me to do a firmware update that bricked it ... and then denied replacement of it under their "lifetime hardware warrenty" because I didn't have the original receipt. GAAAACK!

Currently it is "running" with 3 consumer grade 8 port switches daisy chained together. I had an HP 1920-24G ProCurve pulled out of a colo and it is sitting here waiting for me to replace all of them.

Yeah, frustration...

(sigh) My Google search for "NetGear GS726TP" has failed to get any hits.  Is there another model number to search for?

What a bundle of features!  http://www.downloads.netgear.com/files/GDC/datasheet/en/GS516TP-GS728TP-GS728TPP-GS752TP.pdf

So, back to IGMP.  Just for fun, is there a way to disable the IGMP snooping on the switch and see if that changes anything?

(Again, I have no idea how IGMP could possibly have any effect, but people claim that it does.)

What is the Mfr and model # of these "consumer grade" switches? 

So, if you take all the RBS and connect them directly to the RBR with out any switches, Does this configuration work as a quick test while in the same room as the RBR? 

---

@GambleHomeSec wrote:

The switch was a NetGear GS726TP but I had to take it out of service a couple days ago after NetGear support "helped" me with a PoE issue where the required me to do a firmware update that bricked it ... and then denied replacement of it under their "lifetime hardware warrenty" because I didn't have the original receipt. GAAAACK!

 

Currently it is "running" with 3 consumer grade 8 port switches daisy chained together. I had an HP 1920-24G ProCurve pulled out of a colo and it is sitting here waiting for me to replace all of them.

Yeah, frustration...

 

 

---

---

@GambleHomeSec wrote:
If you look at the previous post the GS728TP is bricked and no longer in service. Currently I have 3 desktop switches cascaded in its place. So there can be no doubt, the Orbi is not passing the traffic. Tonight I'm going to reset the router to factory defaults and also put in the replacement HP switch so I can get the rack cleaned back up.

---

Truly "my bad".  Memory flew out the window when I saw the feature list on the switch.  (The HP switch also appears to do IGMP snooping.)

I am looking for a way to replicate the problem, and not having much luck.  Turned on Access Control, New Devices "Blocked", and my wireless phone pings all my wired devices just fine.  My "plan" was to turn on the Orbi "debug" function, run the experiment (working and not working), then dump the LAN file into Wireshark and look at all the arp and ICMP packets.  Alas, my Orbi isn't acting like your Orbi.

Is it possible to attach the printer and NAS to the "top of the stack"?  i.e. the 8-port switch that the other two 8-port switches are plugged into?

Also, the Trendnet is "green" and fusses with the ethernet ports and the Netgear GS108 has our old friend "IGMP Snooping".  If there is some easy way to turn that stuff off, I would dearly love to put the IGMP issue off the table.