Prodigy

Re: ORBI RBK50/RBS50 Tips, Tricks, Hidden Secrets, etc.,


@CrimpOn wrote:

The Orbi log contains entries for my "non-Orbi DNS" computer 192.168.1.2 and for my "use Orbi DNS" computer 192.168.1.3

 

[service blocked: DNS] from source 192.168.1.2, Tuesday, May 05, 2020 11:18:00
[service blocked: DNS] from source 192.168.1.3, Tuesday, May 05, 2020 11:17:59

 

Looks like "Block" means "Block"


Right, this is a big hammer to tell those smart kids that you're a step ahead and aware of what they're trying to do.  Alternately, you can define a rule to block DNS services if the destination IP address isn't the router/Orbi/CloudFlare/etc., IP addresses.  I would suggest a DNS redirect rule instead of this.

Message 126 of 142
Master

Re: ORBI RBK50/RBS50 Tips, Tricks, Hidden Secrets, etc.,

I'm not convinced that the Orbi router has the same capabilities as the pfSense box.  The only port forwarding NAT rules affect inbound traffic from the WAN, and when DNS (port 53) is blocked, it prevents DNS from reaching the Orbi DNS.

 

Thanks for the hints.

I love my Orbi.
Message 127 of 142
Prodigy

Re: ORBI RBK50/RBS50 Tips, Tricks, Hidden Secrets, etc.,

This is a very basic firewall function that any decent router/firewall would support.  If Orbi doesn't allow this, it would be disappointing.  When I have a window to take Orbi offline, I'll tinker with it to see if such a NAT/firewall rule can be set.  I'll circle back with the result or how-to.

Message 128 of 142
Prodigy

Re: ORBI RBK50/RBS50 Tips, Tricks, Hidden Secrets, etc.,

See the attached file/picture for an example of how it's done on a pfSense router.  The goal is to set up a similar rule on the Orbi router.

 

Redirect DNS requerst.png

Message 129 of 142
Master

Re: ORBI RBK50/RBS50 Tips, Tricks, Hidden Secrets, etc.,

I am not hopeful, but appreciate you giving it a try.

I love my Orbi.
Message 130 of 142
Prodigy

Re: ORBI RBK50/RBS50 Tips, Tricks, Hidden Secrets, etc.,


@CrimpOn wrote:

Well, "No Cigar" for me.  In Security, I added "Block DNS" for IP range 192.168.1.2 - 192.168.1.100.  My Orbi router is 192.168.1.1.

Killed DNS completely.  My computer that is set not to use the Orbi for DNS, and my other Windows 10 computer which gets DNS from the Orbi.  The goal was to block my computer from using "non Orbi DNS", but allow computers using Orbi DNS to function.

This rule seems correct.  If the Windows 10 client DNS server is Orbi, it should work unless Orbi applies the rule on the LAN interface instead of the WAN interface.  If that's the case, then it's really sad.

 

Can you manually define a custom rule under Service Type (assuming it's possible) and set the Windows 10 client DNS to Orbi and try this again?

 

Service Type: User Defined

Protocol: UDP

Start port: 53

End port: 53

IP address range: 192.168.1.2-100

 

First verify that Orbi itself can get through to the DNS server.  Then verify the Windows 10 client.

 

By the way, if you have Pi-Hole set up, it would be simpler.  Set the Pi-Hole as DHCP/DNS servers for Orbi network, point Pi-Hole DNS server to CloudFlare, and exclude Pi-Hole IP address from IP address range.  That would be ideal!

Message 131 of 142
Master

Re: ORBI RBK50/RBS50 Tips, Tricks, Hidden Secrets, etc.,


@SW_ wrote:

Service Type: User Defined

Protocol: UDP

Start port: 53

End port: 53

IP address range: 192.168.1.2-100

Says this is an invalid user defined service type.

 

By the way, if you have Pi-Hole set up, it would be simpler.  Set the Pi-Hole as DHCP/DNS servers for Orbi network, point Pi-Hole DNS server to CloudFlare, and exclude Pi-Hole IP address from IP address range.  That would be ideal!


Looks like we have a winner.  Orbi does my DHCP, and I have Pi-hole set up for testing.  Blocked my PC using the Orbi, but allowed Pi-hole to act for me.  Pi-hole is too aggressive on Google search results for the family (They don't realize the first hits at the top are all ad redirects.)  So, using Orbi to block alternative DNS works as long as there is a DNS relay inside the LAN that is separate from the Orbi and has an IP address outside of the single range where everything else is.

 

Really appreciate your patience working through this.

I love my Orbi.
Message 132 of 142
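
Added example, not part of any post in this thread: a Python sketch that tallies the `[service blocked: DNS]` log entries per client and checks whether a LAN resolver sits outside the blocked range 192.168.1.2-100, which is the condition the posts above found necessary. The extra log lines and the resolver address 192.168.1.200 are constructed, and treating the rule as a match on LAN source address only is an assumption based on the behaviour reported here.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample: lines 1-2 use the format quoted in the thread, the rest are made up.
SAMPLE_LOG = """\
[service blocked: DNS] from source 192.168.1.2, Tuesday, May 05, 2020 11:18:00
[service blocked: DNS] from source 192.168.1.3, Tuesday, May 05, 2020 11:17:59
[service blocked: DNS] from source 192.168.1.2, Tuesday, May 05, 2020 11:18:04
(constructed line that is not a block event)
"""

LINE_RE = re.compile(
    r"^\[service blocked: (?P<service>[^\]]+)\] from source "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}), (?P<when>.+)$"
)

# Block range from the thread; assumed to match on LAN source address only.
BLOCK_FIRST = ipaddress.ip_address("192.168.1.2")
BLOCK_LAST = ipaddress.ip_address("192.168.1.100")


def parse_blocked(log_text):
    """Yield (service, source_ip, timestamp) for each 'service blocked' entry."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # skip anything that is not a block event
        when = datetime.strptime(m["when"], "%A, %B %d, %Y %H:%M:%S")
        yield m["service"], ipaddress.ip_address(m["src"]), when


def blocked_dns_by_source(log_text):
    """Count blocked DNS queries per LAN client."""
    return Counter(str(src) for svc, src, _ in parse_blocked(log_text) if svc == "DNS")


def in_block_range(ip):
    """True if the address falls inside the blocked client range."""
    return BLOCK_FIRST <= ipaddress.ip_address(ip) <= BLOCK_LAST


def resolver_placement_ok(resolver_ip):
    """A LAN resolver such as Pi-hole only works if it sits outside the range."""
    return not in_block_range(resolver_ip)


if __name__ == "__main__":
    print(blocked_dns_by_source(SAMPLE_LOG))
    print(resolver_placement_ok("192.168.1.200"))  # hypothetical Pi-hole address
```

A client that keeps appearing in the tally is still sending port 53 traffic that the rule catches, whichever DNS server it is configured to use.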
Prodigy

Re: ORBI RBK50/RBS50 Tips, Tricks, Hidden Secrets, etc.,

Thank you @CrimpOn for validating Pi-hole solution and Orbi's limitation!

Message 133 of 142
Prodigy

Re: ORBI RBK50/RBS50 Tips, Tricks, Hidden Secrets, etc.,


@SW_ wrote:

To protect family/kids from malicious Internet content, DNS filtering is the simplest defense and it's free.  There are quite a few free/paid DNS filtering services out there, but I find that free DNS filtering service is sufficient for me.

 

My two favorite free services are Cloudflare Gateway and CleanBrowsing DNS Filters.

 

I've tried both services and I found that CleanBrowsing/Adult Filter is best and simplest to set up.  However, if you want a nice DNS report, flexibility (what to block), and speed, stick with CloudFlare Gateway.  The setup process is similar for both, just point your router/Orbi DNS servers to their IP addresses.  That's it!

 

Good luck!


 

CleanBrowsing even has a guide for Orbi - How to change DNS on a NetGear Orbi Router.  

 

Message 134 of 142
Aspirant

Re: ORBI RBK50/RBS50 Tips, Tricks, Hidden Secrets, etc.,

Any tips or tricks on how to modify the default behaviour of a VPN connection getting its own subnet? 

 

My normal IP is 192.168.1.x but anything on the VPN comes in at 192.168.2.x

 

I can't see a way to modify this in the UI, was hoping I could change something via telnet to get VPN devices on 192.168.1.x

 

My guest network currently uses the same subnet, so people on the guest network are in 192.168.1.x

Message 135 of 142
Master

Re: ORBI RBK50/RBS50 Tips, Tricks, Hidden Secrets, etc.,


@Mehr1 wrote:

Any tips or tricks on how to modify the default behaviour of a VPN connection getting its own subnet? 

 

My normal IP is 192.168.1.x but anything on the VPN comes in at 192.168.2.x


Actually, there are two types of VPN.  OpenVPN on Windows creates a "TAP" connection, which appears in the regular primary subnet.  Smartphone and Linux both create a "TUN" connection, which appears in a different subnet.  There is no method available to users to change this.  However, it does not present a serious issue because the Orbi creates a static route between 2.x and 1.x.  When I connect to VPN, I can communicate with every device on the primary (and Guest if set up that way) subnets.

 

Perhaps if you describe the specific problem being in the 2.x subnet is causing, we can suggest a solution.

I love my Orbi.
Message 136 of 142
Master

Re: ORBI RBK50/RBS50 Tips, Tricks, Hidden Secrets, etc.,

In the new Orbi AX (RBR850) it’s possible to set any IP range for DHCP, for VPN clients and for guest network, but unfortunately not in the Orbi AC (RBR50).

My Setup: Internet Fiber ONT 250↓/250↑ ISP Telenor | Wifi Router Orbi RBK50 AC3000, Router Mode, Wired Backhaul / Orbi RBK852 AX6000, Router Mode, Wireless Backhaul | Switches Netgear GS208 | Time Zone CET (Sweden)

Message 137 of 142
Aspirant

Re: ORBI RBK50/RBS50 Tips, Tricks, Hidden Secrets, etc.,

Thank you for your response.

 

Specifically, I am unable to see my Sky Q recordings on my mobile phone using the Sky Go app when connected via VPN, vs being on my WiFi at home and seeing them. I believe (could be wrong) this is due to the different subnet.

Message 138 of 142
Master

Re: ORBI RBK50/RBS50 Tips, Tricks, Hidden Secrets, etc.,


@Mehr1 wrote:

....

Specifically, I am unable to see my Sky Q recordings on my mobile phone using the Sky Go app when connected via VPN, vs being on my WiFi at home and seeing them. I believe (could be wrong) this is due to the different subnet.


I don't think this has to do with the different subnets. It can be a restriction in the Sky Go app, if you have the correct settings in Orbi:

In the web GUI under >> ADVANCED >> Advanced >> VPN Service >> what setting do you have for the following:

Clients will use this VPN connection to access 1. All sites on the Internet & Home Network 2. Home Network only 3. Auto

My Setup: Internet Fiber ONT 250↓/250↑ ISP Telenor | Wifi Router Orbi RBK50 AC3000, Router Mode, Wired Backhaul / Orbi RBK852 AX6000, Router Mode, Wireless Backhaul | Switches Netgear GS208 | Time Zone CET (Sweden)

Message 139 of 142
Aspirant

Re: ORBI RBK50/RBS50 Tips, Tricks, Hidden Secrets, etc.,

I have "All sites on the Internet & Home Network" selected.

 

I didn't know how Sky would be able to restrict it if both devices were on the same network due to the VPN, maybe that's my lack of understanding of networking etc.

 

Doesn't sound like I'll be able to find out for sure either way. Thank you for the ideas.

Message 140 of 142
Master

Re: ORBI RBK50/RBS50 Tips, Tricks, Hidden Secrets, etc.,

Have you tried other apps that need VPN access to work?
I have a few apps that work perfectly well with VPN even with different subnets.

My Setup: Internet Fiber ONT 250↓/250↑ ISP Telenor | Wifi Router Orbi RBK50 AC3000, Router Mode, Wired Backhaul / Orbi RBK852 AX6000, Router Mode, Wireless Backhaul | Switches Netgear GS208 | Time Zone CET (Sweden)

Message 141 of 142

Re: ORBI RBK50/RBS50 Tips, Tricks, Hidden Secrets, etc.,

Hi,

If you run a network scanner from your smartphone while connected to the VPN and scan your internal network, most scanners I’ve seen default to the network you're connected to, in this case 192.168.2.x. A few scanners allow you to customise the scan subnet, which allows you to select 192.168.1.x. That’ll let you scan and see your SkyQ box, but it won’t let your SkyGo app see your SkyQ box. I suspect that the Sky Go app is looking for some ‘plug n play’ data being broadcast by the SkyQ box, which it can’t see because it’s in the wrong subnet when on VPN.

If you’ve enough bandwidth when out on your VPN download the content direct to your device is my recommendation.
Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 142 of 142