
How to enable connection monitoring and block-listing

SmilingEddie
Guide

How to enable connection monitoring and block-listing

How do I enable traffic monitoring and block-listing with Orbi?

 

Even the cheap TP-link I had before had these features. They are rather basic, but how do I find them and operate them with an Orbi?

 

I can't access Traffic Management. I read elsewhere that it is greyed out on the menu because I've enabled Access Point.  I can't see the logic there so I'll continue the quest.

 

 

Message 1 of 11
CrimpOn
Guru

Re: How to enable connection monitoring and block-listing

There are two parts to this:

  • In Access Point (AP) mode, the Orbi router performs no traffic management.
    No port forwarding. No port triggering. No DHCP server.
    No Parental Controls.
    No Site Blocking.
    My understanding is that this is pretty standard when devices are set up as APs rather than routers.
  • Orbi's blacklisting (not block) capabilities in router mode are pathetic.
    Orbi does indeed scan URLs for prohibited words and will block web requests based on them.
    BUT.. (and this is a BIG But) Orbi scans only http web requests, not httpS (secured) requests.
    Now that modern browsers are fixated on preferring connections to secure web sites, not blocking https renders the situation worthless.

The people who seem happiest with their efforts at traffic management often report signing up with OpenDNS and creating filters.

I have not done so myself, so I am not aware of the particulars (and cost).

 

Netgear's preferred solution is their partnership with Disney Circle (which I also declined to activate).

Message 2 of 11
CrimpOn
Guru

Re: How to enable connection monitoring and block-listing

Took me a while to locate the Netgear article on which features are not available in AP mode:

https://kb.netgear.com/000061277/Disabled-Features-on-the-Orbi-when-set-to-AP-Mode 

Message 3 of 11
FURRYe38
Guru

Re: How to enable connection monitoring and block-listing

Message 4 of 11
SmilingEddie
Guide

Re: How to enable connection monitoring and block-listing

Thanks for this FURRYe38.

The credibility of the Orbi programme management team has just taken a serious knock.

 

Even the guest wifi password has complexity and the main one also has good length but tha

 

Why would a network manager not want to know who was connected to the WiFi network, active and how active? Why would they not want to be able to block a device that was foreign or one that was known hostile?  How can NETGEAR not realise that the net is hostile and that even home networks are under constant attack these days? 

 

When a supplier as big as NETGEAR clearly doesn't give a damn about customer security, it adds to the hostility of the net and the risks we have to accept when we buy and use NETGEAR products.  Even TP-link offered these features on an immature product.

 

As you might sense, I find this really annoying. Is this inept or is it deliberate?

 

 

Message 5 of 11
Mstrbig
Master

Re: How to enable connection monitoring and block-listing


@SmilingEddie wrote:

Thanks for this FURRYe38.

Why would a network manager not want to know who was connected to the WiFi network, active and how active? Why would they not want to be able to block a device that was foreign or one that was known hostile?  How can NETGEAR not realise that the net is hostile and that even home networks are under constant attack these days? 

 

When a supplier as big as NETGEAR clearly doesn't give a damn about customer security, it adds to the hostility of the net and the risks we have to accept when we buy and use NETGEAR products.  Even TP-link offered these features on an immature product.

 

As you might sense, I find this really annoying. Is this inept or is it deliberate?

 

 

Although monitoring provided by personal line routers satisfies homeowners, any professional network manager I know would not use monitoring provided by personal line routers. They would use more sophisticated firewall and network management systems.

TP-link offers limited monitoring on some products, as an advertising tool, but it is very ineffective for a professional, but satisfying for the novice.

If you would like to learn more about network monitoring, you can search online for the many professional monitoring systems provided by Cisco and other pro network management companies.

Message 6 of 11
FURRYe38
Guru

Re: How to enable connection monitoring and block-listing

I think you fail to realize that for home class routers, AP mode is just that, AP mode. No router or security features are enabled when in AP MODE. AP mode is just access point where wifi devices can connect to the wifi signal is all that happens in AP Mode. This is not just NG, this is also industry wide for home class wifi that supports AP mode. Seen this in many other router mfrs for home class products. Maybe some business class APs offer some security features on their products, however in home class products AP mode is simplified for home users. Also please understand that when IN AP mode, this transfers any router or security and blocking handling to the main host router which in all cases if not most, should be handling the routing and security management of the network system.

NG design is not inept or flawed. I would presume that maybe your needs for security are misplaced when it comes to APs and you need to find something better suited for your needs. Security needs are and should be handled by the host router or a firewall device if one wants something of that caliber for home use.

 

Good Luck. 


@SmilingEddie wrote:

Thanks for this FURRYe38.

The credibility of the Orbi programme management team has just taken a serious knock.

 

Even the guest wifi password has complexity and the main one also has good length but tha

 

Why would a network manager not want to know who was connected to the WiFi network, active and how active? Why would they not want to be able to block a device that was foreign or one that was known hostile?  How can NETGEAR not realise that the net is hostile and that even home networks are under constant attack these days? 

 

When a supplier as big as NETGEAR clearly doesn't give a damn about customer security, it adds to the hostility of the net and the risks we have to accept when we buy and use NETGEAR products.  Even TP-link offered these features on an immature product.

 

As you might sense, I find this really annoying. Is this inept or is it deliberate?

 

 


 

Message 7 of 11
SmilingEddie
Guide

Re: How to enable connection monitoring and block-listing

There is a mismatch here. Just because it’s configured as AP rather than router, doesn’t mean that it is somehow not a route into the internal LAN. It therefore still has a security obligation.

OK, we can hide SSID broadcasts, and use long, complex, passwords with good crypto properties but we need to know that these controls are working as expected. More importantly, we need to know when they aren’t. It’s called Security in depth: multiple independent controls should have to fail before you’re in trouble.

 

The main router in our network also includes the firewall. It is Internet/ISP-facing, i.e. it guards the front door to our LAN. The NETGEAR router and satellites have a lot of great features but guarding the back door to our LAN is something it doesn’t do adequately.

If you think that only big businesses are under attack, you’re likely to have a very unpleasant surprise. I hope you and your data survive it with a tolerable impact.  

 

We live in a world where even state-sponsored scumbags, theft of sensitive personal data and information to support fraudulent activity which trashes the victim’s credit history, ransomware and blackmail… all have to be considered to ensure survival.

NETGEAR customers who care about their personal data, and have even the slightest awareness of how hostile the digital world can be, have an expectation the products they have bought will include basic features that let them see when a security control, such as a Wifi password, has failed. They should be able to contain the threat. Even the cheapy TP-link Deco home Wifi router and satellites managed that in AP mode. Sure, it had flaws, such as obsolete crypto, but it was still better than that big name NETGEAR.

 

Your brand loyalty is commendable but until NETGEAR supports security that better equips customers to defend their homes from WiFi-sourced attacks, it is definitely misplaced.

 

You cleverly sorted out an annoying problem for me in another Orbi link. I hope you can do it again for me here.

 

Message 8 of 11
CrimpOn
Guru

Re: How to enable connection monitoring and block-listing


@SmilingEddie wrote:

Even the cheapy TP-link Deco home Wifi router and satellites managed that in AP mode.


I find the Deco User Manual about as (un)informative about operating mode as the Orbi User Manual. On page 24

https://static.tp-link.com/2020/202006/20200628/1910012596_Deco%20M5_V2&V3_UG_2.0.pdf 

 

Router Mode: "Connects to the internet.... NAT and DHCP server are enabled by default."

Access Point Mode: "Functions like NAT, Parental Controls, and QoS are not supported in this mode."

 

I cannot determine from this what happens to features like DHCP, address reservation, new device detection, IPTV, etc. etc. in access point mode.  If some other device is the DHCP server, how does a WiFi access point know which IPs or MAC addresses are valid (or invalid)?

 

There is probably a good reason that highly sensitive operations take place in "secure" locations: Faraday shields.  Employees forbidden to bring cell phones inside the room. etc. etc.

 

I think it is very clear by now that the only way to prevent access by someone who has deciphered the WiFi password and can thus connect to the WiFi network with a bogus static IP is to have MAC level access control which the Orbi does in router mode, but not in access point mode.

Message 9 of 11
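
The case raised in the post above (a client that has the WiFi password and assigns itself a static IP while DHCP runs on another device) can be watched for from outside the Orbi. This is an added example, not from the thread or from NETGEAR; it assumes the upstream router's DHCP server is dnsmasq and that a Linux host on the LAN supplies `ip neigh show` output, and the sample data and allowlist are constructed.

```python
import re

# Constructed sample data (not from the thread). Assumed sources: the dnsmasq
# lease file on the upstream router and `ip neigh show` from a Linux LAN host.
DNSMASQ_LEASES = """\
1718000000 3c:22:fb:10:20:30 192.168.1.20 laptop 01:3c:22:fb:10:20:30
1718000300 a4:83:e7:aa:bb:cc 192.168.1.21 phone *
1718000600 de:ad:be:ef:00:01 192.168.1.22 * *
"""
IP_NEIGH = """\
192.168.1.20 dev br0 lladdr 3c:22:fb:10:20:30 REACHABLE
192.168.1.21 dev br0 lladdr a4:83:e7:aa:bb:cc STALE
192.168.1.22 dev br0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.77 dev br0 lladdr 02:11:22:33:44:55 REACHABLE
192.168.1.99 dev br0 FAILED
"""
KNOWN_MACS = {"3c:22:fb:10:20:30", "a4:83:e7:aa:bb:cc"}  # hypothetical allowlist

def parse_leases(text):
    """dnsmasq lease line: expiry mac ip hostname client-id -> {mac: ip}."""
    rows = (line.split() for line in text.splitlines())
    return {f[1].lower(): f[2] for f in rows if len(f) >= 3}

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9A-Fa-f:]{17})\b", re.M)

def parse_neighbours(text):
    """Entries without lladdr (FAILED/INCOMPLETE) never resolved; skip them."""
    return {mac.lower(): ip for ip, mac in NEIGH_RE.findall(text)}

def audit(leases, neighbours, known):
    """Flag live devices that are not allowlisted or hold an IP DHCP never issued."""
    findings = []
    for mac, ip in sorted(neighbours.items()):
        reasons = []
        if mac not in known:
            reasons.append("unknown-mac")
        if leases.get(mac) != ip:
            reasons.append("no-dhcp-lease" if mac not in leases else "ip-differs-from-lease")
        if reasons:
            findings.append((mac, ip, reasons))
    return findings

if __name__ == "__main__":
    report = audit(parse_leases(DNSMASQ_LEASES), parse_neighbours(IP_NEIGH), KNOWN_MACS)
    for mac, ip, reasons in report:
        print(f"{ip:15} {mac}  {', '.join(reasons)}")
```

A MAC allowlist is only a tripwire, since a client can change its address; the DHCP cross-check is what surfaces a host that assigned itself an IP.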
SmilingEddie
Guide

Re: How to enable connection monitoring and block-listing

Exactly my point, as a product, the Deco 9 Plus v2 is only a grade above Minimum Viable Product. These guys are newcomers in a market where NETGEAR has dominance and mature products but even TP-link have recognised the basic need for multiple layers of defence where a customer already has DHCP, NAT etc. They even offer the option of alerting when a new device connects.

 

In short, the dogs in the street know how important an adequate security implementation is these days and yet Orbi programme management, with the R&D budget don't.  I've previously expressed a view of how that might have come about. 

Message 10 of 11
Mstrbig
Master

Re: How to enable connection monitoring and block-listing

I would express your idea to Netgear direct. They may listen and add that feature in a future firmware or new product release.

If I truly wanted full protection, I would never rely on any personal line device for firewall, virus, malware, etc., protection, but rather go with the professional business class smart switches and software, provided by Cisco, Fortinet and other quality manufacturers.

Home use is usually not as important, so the best solution is personal firewall protection using the Orbi system, or if set in Bridge mode, using the initial router, as well as set up MAC level access control. Also disable guest access, even though I find it to be totally safe.

Use the many offered firewall/virus/malware protection provided by Apple, Microsoft, or any of the many choices to choose from, such as (not in any specific order) Norton, Kaspersky, McAfee, Webroot, AVG, Avast, etc.

Firewall protection is a little overrated for personal use, as most networks are on private IP addresses. Virus, malware, bloatware protection for personal computers have come a long way, with many choices. I myself use Microsoft's built in Windows Security protection, and have found it to be perfect, as it upgrades almost daily and runs effortlessly in the background. There are also many choices for Apple devices as well.

Message 11 of 11