
Orbi not blocking sites in Keyword/Domain list

Conax
Guide

Orbi not blocking sites in Keyword/Domain list

The original post is here: https://community.netgear.com/t5/Orbi/Orbi-not-blocking-sites-in-Keyword-Domain-list/td-p/1845336

Netgear has not replied to that post with a solution, but closed that post due to 'inactivity'. I think that's quite lame, so here's the new post.

 

So far we know the problem is that the 'Block Sites' functionality only blocks http (non-secured) sites that match the keyword. Some people thought that it works for Edge but does not work for Chrome. Well, the reason for that behaviour is that when you enter a URL into Chrome, Chrome defaults it to a https URL. But Edge will default it to a http URL. Let's try this:

 

1. Configure your Orbi to block "twopalyergames.org".

2. Open Chrome, enter the url "twopalyergames.org". Orbi does not block it, and you can see that the site is secured.

3. Type the full http URL into the address field "http://twoplayergames.org". Now it is blocked by Orbi in Chrome.

4. Now open Edge, enter the url "twopalyergames.org". Orbi blocks it, and you can see that the site is NOT secured.

5. Type the full https URL into the address field "https://twoplayergames.org". Now it is not blocked by Orbi in Edge, and you can see the site is secured.

 

For sites that auto-redirect from http to https, you will never be able to block it. For example, http://mylotto.co.nz.

 

Come on Netgear, we paid a fortune for your product, when are you going to release the firmware to fix this issue?

Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 1 of 11
schumaku
Guru

Re: Orbi not blocking sites in Keyword/Domain list

Well, the "last" answer might be it's not possible at all - certainly not without dealing with some end point security.

 

Netgear's current implementation does capture http traffic - alone this is useless nowadays (as explained several times now).

 

Up to TLS 1.2, it might be possible to find the URL called in the initial handshake. For sites using TLS 1.3 this is no longer feasible.

 

The last design approach would be capturing the plain text DNS for DNS queries ... which is easily circumvented when also using secured/encrypted DNS.

 

Now read the first line again....

 

Same limitation on advanced security appliances by the way.

Message 2 of 11
Conax
Guide

Re: Orbi not blocking sites in Keyword/Domain list

And I just found out, the free modem that came with Spark fiber can block https urls without issue. Does this mean the modem passes text url to the Orbi router for http traffic, but encrypted url for https traffic?

Message 3 of 11
schumaku
Guru

Re: Orbi not blocking sites in Keyword/Domain list


@Conax wrote:

And I just found out, the free modem that came with Spark fiber can block https urls without issue.


Don't know anything about this device implementation or the Spark service named Net Shield.

 

As I said, the https connection is either <=TLS 1.2, or the device is filtering plain text DNS. Both are technically feasible (hey I'm not Netgear, but they know from where I'm coming from ....) so I can say the current Keyword Blocking feature is just j**k. Try using an encrypted DNS and you might find the computer does bypass....

Message 4 of 11
CrimpOn
Guru

Re: Orbi not blocking sites in Keyword/Domain list


@Conax wrote:

And I just found out, the free modem that came with Spark fiber can block https urls without issue. Does this mean the modem passes text url to the Orbi router for http traffic, but encrypted url for https traffic?


Would love to see the brand and model number of this free modem.

Message 5 of 11
Conax
Guide

Re: Orbi not blocking sites in Keyword/Domain list

Hi @CrimpOn , it is Huawei HG659b.

 

After I did this:

Huawei Block.JPG

then I did an ipconfig /flushdns as suggested in this article:

https://blogs.msmvps.com/mickyj/blog/2020/12/22/parental-controls-on-huawei-home-gateway-hg659-url-f...

 

then when trying to browse the site, I get this:

Huawei Block 2.JPG

Message 6 of 11
Conax
Guide

Re: Orbi not blocking sites in Keyword/Domain list

Somehow the screenshots do not appear in my reply...

 

Anyway,  there is a Parental Control -> URL Filter setting in the modem.

I added "mylotto.co.nz" and "www.mylotto.co.nz" to be filtered, and then did an ipconfig /flushdns.

 

Then when trying to browse to mylotto.co.nz, Chrome displays this message:

 

This site can’t be reached

Check if there is a typo in www.mylotto.co.nz.

 

  • If spelling is correct, try running windows network Diagnostics.
DNS_PROBE_FINISHED_NXDOMAIN

 

Message 7 of 11
CrimpOn
Guru

Re: Orbi not blocking sites in Keyword/Domain list


@Conax wrote:

Somehow the screenshots do not appear in my reply...

 


Another fascinating aspect of Netgear support is that the forum package does not display images placed "in-line" using the Photos icon in the menu bar until they are approved by a forum moderator. Images attached using the Browse button in the lower left appear immediately.

I have commented to moderators that (a) this is stupid and (b) it would save users a lot of bother if the Photos icon simply disappeared.

(to no avail).

Message 8 of 11
CrimpOn
Guru

Re: Orbi not blocking sites in Keyword/Domain list


@Conax wrote:

Hi @CrimpOn , it is Huawei HG659b.


Fascinating.  Most of us would classify this device as a combination modem/router/WiFi box, i.e. the equivalent of the Orbi RBR50, with the modem function being limited to DSL service.  When connected to the ISP with an ethernet cable, it functions the same as the Orbi.

You are using one or the other device at any given time, correct?  (not the Orbi connected to a port on the HG659b)

 

It's not clear from the User Manual how much this Windows XP/Windows 7 era router differs from the Orbi in terms of features  (Love the concept of using the USB stick as an FTP server). Did not see Access Control (which I find a bother and do not use), no DDNS, Remote Management, Open VPN, Setting DNS servers, DHCP range, etc.etc.  Like the Orbi, the Huawei User Manual probably does not list all the features available on the web management.

 

That Time Schedule is a feature that Orbi users have wanted since the Orbi came out. (and never got).

 

 

Message 9 of 11
Conax
Guide

Re: Orbi not blocking sites in Keyword/Domain list

I am connecting the Orbi to the Huawei. 😄

I bought the Orbi years ago to extend the WiFi range that the Huawei could not give me.

 

Now let's see if the image works...

 

Message 10 of 11
CrimpOn
Guru

Re: Orbi not blocking sites in Keyword/Domain list


@Conax wrote:

I am connecting the Orbi to the Huawei. 😄

I bought the Orbi years ago to extend the WiFi range that the Huawei could not give me.


One router connected to another router creates a "Double NAT" situation. 

https://kb.netgear.com/30186/What-is-Double-NAT 

Thousands of customers do this and experience no issues at all. (I set up three routers back-to-back as a test.)

This is because they do not attempt to use any capabilities that a Double NAT makes impossible, such as forwarding ports, doing web based remote management (not the Orbi app's Anywhere Access), OpenVPN, and some forms of internet gaming.

 

If the Orbi is set to get DNS from the Huawei, then any device that uses the Orbi DNS should be affected by the Huawei DNS filter system. Anyone able to set static DNS entries in their computer can bypass all of this filtering attempt by going directly to a DNS server on the internet.

 

The Time Schedule part of the Huawei will not work because all of the Orbi devices are hidden behind the Orbi NAT.  If the Orbi were put into Access Point (AP) mode, then every device in the network would be visible to the Huawei and that function could be used as well.

Message 11 of 11