Forum Discussion
1qwerty1 (Tutor)
Feb 25, 2020
Outbound traffic to Amazon space
Hello,
I am wondering why my Orbi AC2200 unit (running latest firmware as of 2/23/2020, RBR20) is constantly making outbound connections to the Amazon space (52.0.0.0/11) over SSL/443.
The home setup with a satellite unit is stable, the router is in AP mode (PA-220 firewall is the L3 device):
Spectrum -> PA-220 -> Orbi network
The traffic is about 8 packets/attempts/per minute. I am purposefully dropping it on the firewall (I will update the firmware code myself manually once it is confirmed to be stable). I am aware the Netgear is hosting the firmware in the Amazon cloud and there is also an Alexa integration which I disabled. I also noticed Orbi makes an outbound connection on tcp8883/ssl as well - I believe this is the actual firmware download.
Maybe a Netgear tech support can post an answer to this post - why is there such a need to verify a link to Amazon? Is Netgear collecting some global stats on the number of Orbi units deployed?
Thanks!
Den
40 Replies
- CrimpOn (Guru - Experienced User)
Alas, my impression is that Netgear engineers are not assigned to monitor the dozens of community forums. Those of us who do are simply customers who are too cheap to pay for GearHead support (and who also find that members of the community often have more nuanced insight than the "GearHeads"). So, this is my initial impression.
I had always thought that Netgear hosted Orbi firmware on "Netgear".
Here are the links I find in the Orbi parameters:
x_advisor_url=https://advisor.ngxcld.com/advisor/direct
x_claimed_url=https://registration.ngxcld.com/registration/status
x_discovery_url=https://presence.ngxcld.com/presence/presence
base_upgrade_url=https://http.fw.updates1.netgear.com/rbr50
fw_download_url=https://http.fw.updates1.netgear.com/rbr50/ww
genie_remote_url=https://genieremote.netgear.com/genie-remote/claimDevice
last_fw_upgrade_url=https://http.fw.updates1.netgear.com/rbr50/V2.3.5/ww
leafp2p_remote_url=http://peernetwork.netgear.com/peernetwork/services/LeafNetsWebServiceV2
leafp2p_replication_hook_url=https://readyshare.netgear.com/device/hook
leafp2p_replication_url=https://readyshare.netgear.com/device/entry
readycloud_fetch_url=https://readycloud.netgear.com/device/entry
readycloud_hook_url=https://readycloud.netgear.com/device/hook
readycloud_upload_url=https://readycloud.netgear.com/directio
Firmware updates seem to be hosted at Netgear.com.
None of these screams out "Amazon Cloud" directly, but the "ngxcld" appears to be in connection with Arlo cameras.
The ARIN record seems to be pointing at "security":
WHOIS Source: ARIN
IP Address: 52.0.0.0
Country: US (USA - Washington)
Network Name: AWS-SHELL-INTERNET
Owner Name: Shell Internet (Beijing) Security Technology Co. Ltd.
I also think it's weird that Orbi has all these links to readycloud when that feature is not implemented on the Orbi platform.
- FURRYe38 (Guru - Experienced User)
"Owner Name: Shell Internet (Beijing) Security Technology Co. Ltd." Gee, wonder what kind of data mining they're collecting. Scary. :smileyfrustrated:
- CrimpOn (Guru - Experienced User)
FURRYe38 wrote: "Owner Name: Shell Internet (Beijing) Security Technology Co. Ltd." Gee, wonder what kind of data mining they're collecting. Scary. :smileyfrustrated:
It's part of Amazon Web Services (the "AWS" part at the front). This is a useful discussion for me. I had assumed that once in Access Point mode, the Orbi reverted to a dumb WiFi AP. Now that I have the occasion to reflect, it is pretty obvious that the Orbi is still going to do "maintenance things" that are not "routing", such as looking for firmware updates, managing Arlo cameras, supporting ReadyShare (Ha!), sending log files(?).
It would be interesting to look at the DNS requests that led to the Orbi wanting to connect to 52.0.0.0.
- 1qwerty1 (Tutor)
A little more info here: www.netgear.com is being used for the Internet good/disconnected status in the Orbi GUI, Basic -> Home. Allowing outbound ping to an FQDN object should be OK.
If you have a pi-hole, you can blacklist advisor.ngxcld.com - in this case, there will be no outbound traffic.
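CrimpOn's question above (which DNS lookups lead the Orbi to the 52.0.0.0 addresses) and the pi-hole blacklist idea in this reply are served by one script. It is an added example, not code from the thread or from Netgear: it takes dnsmasq/pi-hole style query-log lines, attributes each answer to the hostname that was queried (following a CNAME chain the way dnsmasq logs it), flags the hostnames that resolved into 52.0.0.0/11, and emits them one per line as a candidate blacklist. The hostnames in the sample are the ones listed in the thread; the log format is assumed, and every IP address, client address and CNAME target in the sample is constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# The range the original post saw: 52.0.0.0 - 52.31.255.255 (mask 255.224.0.0)
AWS_BLOCK = ipaddress.ip_network("52.0.0.0/11")

# dnsmasq / pi-hole query-log line shapes (assumed format)
QUERY_RE = re.compile(r"query\[\w+\] (?P<name>\S+) from (?P<client>\S+)")
REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<answer>\S+)")

# Constructed sample log: hostnames come from the thread, every IP answer,
# client address and CNAME target is made up for illustration only.
SAMPLE_LOG = """\
Feb 25 10:01:02 dnsmasq[123]: query[A] presence.ngxcld.com from 192.168.0.10
Feb 25 10:01:02 dnsmasq[123]: reply presence.ngxcld.com is 52.20.1.1
Feb 25 10:01:05 dnsmasq[123]: query[A] www.netgear.com from 192.168.0.10
Feb 25 10:01:05 dnsmasq[123]: reply www.netgear.com is 198.51.100.7
Feb 25 10:02:09 dnsmasq[123]: query[A] advisor.ngxcld.com from 192.168.0.11
Feb 25 10:02:09 dnsmasq[123]: reply advisor.ngxcld.com is <CNAME>
Feb 25 10:02:09 dnsmasq[123]: reply lb-example.elb.amazonaws.com is 52.31.9.9
Feb 25 10:02:09 dnsmasq[123]: reply lb-example.elb.amazonaws.com is 54.3.3.3
Feb 25 10:03:14 dnsmasq[123]: query[A] registration.ngxcld.com from 192.168.0.10
Feb 25 10:03:14 dnsmasq[123]: reply registration.ngxcld.com is 52.40.2.2
"""


def parse_queries(log_text):
    """Return (answers, askers): queried hostname -> set of resolved IPs,
    and queried hostname -> set of client addresses that asked for it.

    Reply lines are attributed to the most recent query line. That is how
    dnsmasq emits a CNAME chain ('<CNAME>' followed by the target's A
    records), but it is an assumption: on a busy resolver, interleaved
    queries from several clients can mis-attribute answers.
    """
    answers = defaultdict(set)
    askers = defaultdict(set)
    current = None
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            current = m.group("name")
            askers[current].add(m.group("client"))
            continue
        m = REPLY_RE.search(line)
        if m and current:
            try:
                answers[current].add(ipaddress.ip_address(m.group("answer")))
            except ValueError:  # '<CNAME>', 'NXDOMAIN', 'NODATA', ...
                continue
    return answers, askers


def names_in_block(answers, block=AWS_BLOCK):
    """Hostnames that resolved to at least one address inside `block`, sorted."""
    return sorted(name for name, ips in answers.items()
                  if any(ip in block for ip in ips))


def blocklist_text(names):
    """One hostname per line, the shape of a plain domain blacklist."""
    return "".join(f"{n}\n" for n in names)


if __name__ == "__main__":
    answers, askers = parse_queries(SAMPLE_LOG)
    flagged = names_in_block(answers)
    for name in sorted(answers):
        ips = ", ".join(str(ip) for ip in sorted(answers[name]))
        flag = "IN 52.0.0.0/11" if name in flagged else ""
        print(f"{name:26} {ips:22} {flag:15} asked by {', '.join(sorted(askers[name]))}")
    print("\n# candidate pi-hole blacklist")
    print(blocklist_text(flagged), end="")
```

Note that registration.ngxcld.com is not flagged in the sample: its constructed answer 52.40.2.2 lies outside 52.0.0.0/11, which ends at 52.31.255.255. A firewall rule keyed on that one /11 therefore would not catch every Amazon-hosted endpoint, which is one reason the FQDN-based deny rules later in the thread are the more robust control.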
- CrimpOn (Guru - Experienced User)
1qwerty1 wrote: A little more info here: www.netgear.com is being used for the Internet good/disconnected status in the Orbi GUI, Basic -> Home. Allowing outbound ping to an FQDN object should be OK.
This would make for an interesting experiment. Block all outbound traffic originating from the Orbi (not "passing through") and see what the Home Page status display says. I have always wondered why the Home Page initially says, "Waiting" under Internet, and then changes to "Good". Silly me, I thought, "Don't you KNOW the internet connection is good already?" Maybe it has to connect, "just in case" before putting up a display.
- 1qwerty1 (Tutor)
Hi CrimpOn,
I actually did the exact thing you are asking - I had all outbound connections blocked for my Orbi device. The failed pings caused the GUI Home page to show that the Internet was down. In reality the Internet was up. I allowed the pings outbound anyway to keep the home page happy. The www.netgear.com site gets pinged once every 5 minutes.
My other pi-hole blacklisted sites are:
readycloud.netgear.com
readyshare.netgear.com
presence.ngxcld.com
registration.ngxcld.com
My box is also making outbound FTP connections every hour at hr:02. I will capture this traffic to determine the FQDN it is using.
- icuhackn (Tutor)
Thank you for this thread ... I thought I was going crazy looking at my PA-220 logs and seeing all this traffic. I have a very similar setup to yours. Going to add those to my pi-hole blacklists too. The satellite is making outbound calls too, not just the router in AP mode.
- 1qwerty1 (Tutor)
After mucking around, here is my final list of rules with FQDNs/subnet to block/allow (in top-to-bottom order, src: Orbi router + satellite):
ALLOW:
www.netgear.com AppID: ping
DENY ANY:
devicelocation.ngxcld.com
fw.updates1.netgear.com
genieremote.netgear.com
http.fw.updates1.netgear.com
peernetwork.netgear.com
presence.ngxcld.com
readycloud.netgear.com
readyshare.netgear.com
registration.ngxcld.com
updates1.netgear.com
DENY: 52.0.0.0/11 AppID: Any
DENY: AppIDs: aws-iot, ftp, ping, ssl, web-browsing
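The rule list above is evaluated top to bottom, first match wins, so the single ALLOW has to sit above the blanket DENY on the ping AppID or the Home page status goes "down" again. The following is an added example, not the poster's firewall configuration: a small first-match evaluator that encodes the posted rules and runs a few constructed flows through them, including the reordered case. The FQDNs and the 52.0.0.0/11 range are from the post; the Orbi source addresses, destination IPs, the AppID labels as plain strings, and the sample flows are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed: router and satellite addresses; the rules apply only to these sources.
ORBI_SOURCES = {"192.168.0.10", "192.168.0.11"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst_ip: str
    app: str           # firewall app identification, e.g. "ping", "ssl", "ftp"
    dst_fqdn: str = ""  # what DNS said the destination was, if the firewall knows


@dataclass(frozen=True)
class Rule:
    name: str
    action: str         # "allow" or "deny"
    fqdns: frozenset = frozenset()   # empty set means "any"
    cidrs: tuple = ()                # empty tuple means "any"
    apps: frozenset = frozenset()    # empty set means "any"

    def matches(self, flow):
        if self.fqdns and flow.dst_fqdn not in self.fqdns:
            return False
        if self.cidrs and not any(ipaddress.ip_address(flow.dst_ip) in c for c in self.cidrs):
            return False
        if self.apps and flow.app not in self.apps:
            return False
        return True


DENY_FQDNS = frozenset({
    "devicelocation.ngxcld.com", "fw.updates1.netgear.com", "genieremote.netgear.com",
    "http.fw.updates1.netgear.com", "peernetwork.netgear.com", "presence.ngxcld.com",
    "readycloud.netgear.com", "readyshare.netgear.com", "registration.ngxcld.com",
    "updates1.netgear.com",
})

# The posted rule set, in the posted order.
POSTED_RULES = [
    Rule("allow-netgear-ping", "allow",
         fqdns=frozenset({"www.netgear.com"}), apps=frozenset({"ping"})),
    Rule("deny-netgear-fqdns", "deny", fqdns=DENY_FQDNS),
    Rule("deny-aws-52", "deny", cidrs=(ipaddress.ip_network("52.0.0.0/11"),)),
    Rule("deny-phone-home-apps", "deny",
         apps=frozenset({"aws-iot", "ftp", "ping", "ssl", "web-browsing"})),
]


def decide(flow, rules=POSTED_RULES):
    """First-match evaluation. Non-Orbi sources are not subject to these rules."""
    if flow.src not in ORBI_SOURCES:
        return ("allow", "pass-through")
    for rule in rules:
        if rule.matches(flow):
            return (rule.action, rule.name)
    return ("allow", "implicit")


# Constructed flows (IPs are illustrative only).
SAMPLE_FLOWS = [
    Flow("192.168.0.10", "198.51.100.7", "ping", "www.netgear.com"),   # status check
    Flow("192.168.0.10", "52.20.1.1", "ssl", "advisor.ngxcld.com"),    # not in FQDN list
    Flow("192.168.0.11", "52.20.1.1", "ssl", "presence.ngxcld.com"),   # in FQDN list
    Flow("192.168.0.11", "203.0.113.5", "ftp"),                        # hourly FTP, no FQDN
    Flow("192.168.0.10", "203.0.113.9", "ping"),                       # ping elsewhere
    Flow("192.168.0.50", "52.20.1.1", "ssl"),                          # a laptop, not Orbi
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst_fqdn or f.dst_ip:24} {f.app:13} {decide(f)}")
    # Same rules with the ALLOW moved to the bottom: the status ping is now dropped.
    reordered = POSTED_RULES[1:] + POSTED_RULES[:1]
    print("reordered:", decide(SAMPLE_FLOWS[0], reordered))
```

Two things the run makes visible: advisor.ngxcld.com is not in the posted FQDN list and is only caught by the 52.0.0.0/11 rule, so it depends on that host staying in that range; and the hourly FTP connection from the satellite is only caught by the AppID rule, since no FQDN is known for it yet.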
- icuhackn (Tutor)
This is great, thanks! I just set mine up. Do you see this destination in your PA logs for ICMP?
( addr.dst in 192.168.0.120 )
I can only assume that perhaps the wifi backhaul is using that address; however, I cannot see anywhere in the WebUI configuration or general documentation that says what network it uses for backhaul connectivity between router and satellite Orbi. I have the AX6000 series devices.
Thanks!