Orbi Wifi6 RBR 850 and satellite packed with security issues and bugs

Annoyeduser1
Aspirant

No surprise this thing's user interface is insecure and buggy since the AC Orbis also had a buggy UI.

So far:

1. It is impossible to configure HTTPS for local management on the router or satellite.  Come on!

2. It is impossible to directly set the satellite SSID in AP mode, and it does not change to match the router even when resynced.

3. Painfully slow built-in web server makes it agonizing to use.

4. There is no place to change timeout for admin login.  I love logging back in again and again every few minutes when I'm configuring and testing things.

5. Satellite connection status is a lie.  It will show "Good" when it is not, you can tell when it is lying to you because its device name will be wrong.

6. Use the reset button on a satellite and forget ever logging into it directly again.  The password gets changed to something random.

I sort of got tired at this point.

Message 1 of 4
FURRYe38
Guru

Re: Orbi Wifi6 RBR 850 and satellite packed with security issues and bugs


@Annoyeduser1 wrote:

No surprise this thing's user interface is insecure and buggy since the AC Orbis also had a buggy UI.

So far:

1. It is impossible to configure HTTPS for local management on the router or satellite.  Come on!

Most router mfrs don't implement HTTPS on the LAN side web page. Unless you seem to allow unknown nefarious users access to your LAN side network. Not much call for HTTPS on the LAN side web page UI. Been like this for a while. NG doesn't seem to wanna change this.

2. It is impossible to directly set the satellite SSID in AP mode, and it does not change to match the router even when resynced.

3. Painfully slow built-in web server makes it agonizing to use.

When setting the RBR to AP mode, the RBS doesn't need to change its mode. It follows and connects to the RBR regardless of mode.

4. There is no place to change timeout for admin login.  I love logging back in again and again every few minutes when I'm configuring and testing things.

Something to ask about here: https://community.netgear.com/t5/Idea-Exchange-For-Home/idb-p/idea-exchange-for-home

5. Satellite connection status is a lie.  It will show "Good" when it is not, you can tell when it is lying to you because its device name will be wrong.

Device name will be wrong? What do you mean by this?

6. Use the reset button on a satellite and forget ever logging into it directly again.  The password gets changed to something random.

Means the RBS hasn't synced correctly to the RBR. I know that when wired, the RBS doesn't sync correctly and uses "password" for the PW. Wirelessly connected, the RBS if correctly synced will get the PW that you set on the RBR. Mine does. What is the distance between the router and satellite(s)? 30 feet is recommended in between them to begin with depending upon building materials when wirelessly connected.

Message 2 of 4
Annoyeduser1
Aspirant

Re: Orbi Wifi6 RBR 850 and satellite packed with security issues and bugs

1. Home networks are zero trust networks.  Wireless networks with a shared key are also zero trust networks.  Unless you connect directly with a hard line to the router to perform administration, you are putting your login credentials at risk because any compromised or unpatchable device (landfill Android, IoT, etc.) could capture those frames and collect the password over the air interface or using ARP spoofing on the physical interface. Not having HTTPS support for the admin interface on a $700 router is exceptionally poor design and reflects Netgear's relentlessly lazy approach to security across its product line.  Even Netgear's M4300 series switches have crap security design.

3. No, the satellite does not.  In wired backhaul it simply does not work at all in AP mode.  It will show connected on the router but it will not actually create a second AP location.  This functionality is totally broken out of the box.

4. The unchangeable admin timeout is shorter than the 6-minute window it tells you to wait in its own UI for rebooting and syncing a satellite again.  This unchangeable timeout is a bug.

5. The router UI that shows connected devices will even show the satellite connection status as good when the satellite is unplugged from power, and the device name (NetBIOS broadcast name) will randomly reflect another connected device on the network instead until the router eventually figures out that it is not actually connected to the satellite.  This means the status is refreshing so slowly and inaccurately as to be useless and the underlying logic in the UI does not reliably map the NetBIOS broadcast name of devices against their MAC and IP in the connected devices list.  So connected devices is untrustworthy and broken.

6. The satellite sadly does not fail back to "password" when you use the reset button and it does not resync to use the same password as the router.  If you reset it, it cannot be logged into again, ever.

Message 3 of 4
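
As an added example (not part of the thread and not Netgear tooling): a client-side check for the ARP-spoofing condition raised in the post above, run against `ip neigh show` output before logging in to an HTTP-only admin page. The sample table, MAC addresses and function names are constructed for illustration, and the pinned gateway MAC is assumed to have been recorded over a wired connection.

```python
from collections import defaultdict

# Constructed sample of `ip neigh show` output (not captured from a real network).
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 02:00:00:00:00:66 REACHABLE
192.168.1.23 dev wlan0 lladdr 02:00:00:00:00:66 STALE
192.168.1.40 dev wlan0 lladdr 02:00:00:00:00:40 REACHABLE
192.168.1.77 dev wlan0  FAILED
"""

def parse_neigh(text):
    """Return {ip: mac} for neighbour entries with a resolved link-layer address."""
    table = {}
    for line in text.splitlines():
        tokens = line.split()
        # Unresolved entries (FAILED / INCOMPLETE) carry no lladdr field.
        if len(tokens) >= 5 and "lladdr" in tokens[:-1]:
            mac = tokens[tokens.index("lladdr") + 1]
            table[tokens[0]] = mac.lower()
    return table

def check_gateway(table, gateway_ip, pinned_mac):
    """List reasons the gateway's ARP entry should not be trusted (empty = clean)."""
    findings = []
    pinned_mac = pinned_mac.lower()
    seen = table.get(gateway_ip)
    if seen is None:
        findings.append(f"no resolved ARP entry for gateway {gateway_ip}")
    elif seen != pinned_mac:
        findings.append(
            f"gateway {gateway_ip} resolves to {seen}, pinned value is {pinned_mac}")
    # One MAC answering for the gateway and for another host is the classic
    # footprint of a device relaying traffic between them.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        others = sorted(ip for ip in ips if ip != gateway_ip)
        if gateway_ip in ips and others:
            findings.append(f"{mac} also answers for {', '.join(others)}")
    return findings

if __name__ == "__main__":
    # Assumed gateway address and pinned MAC, both constructed.
    for f in check_gateway(parse_neigh(SAMPLE_NEIGH), "192.168.1.1", "02:00:00:00:00:01"):
        print("WARN:", f)
```

A clean result only covers the ARP path on the machine that ran it; it says nothing about over-the-air capture on a shared-key wireless network, which the post lists as a separate risk.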
FURRYe38
Guru

Re: Orbi Wifi6 RBR 850 and satellite packed with security issues and bugs

Some of these issues are known to NG. I have seen the issue of the RBS not syncing correctly when wire connected. I have filed a report regarding this.

The HTTPS issue for users and the router's web page has been like this for years and also seen on other Mfr routers as well. There are issues surrounding the use of HTTPS on the LAN side web page for all Mfrs. If you're overly concerned with this, then I recommend that you find a router system that supports HTTPS on the router's web page. NG users have been asking for this from NG for years along with other models. Not sure if anything will be done with this. HTTPS cert/private keys should be stored securely and currently most of these devices do not have something like secure enclave to store private keys. This isn't a major issue for most and has not presented any issues with the router mfrs or appeared as a problem. Again this is a LAN side feature that a hacker would need to have access to your LAN side network to really do anything. And should they get access, what are they going to do with the router? They're going to go after your data on your PCs and devices then really mess with a router. There is nothing on a router that most hackers want unless they're trying to redirect your traffic. Again, this needs LAN side access.

I've been using HTTP on the web page for years and have had zero issues. If your needs are for HTTPS then I would get into something that does.

The timeout bug may be a new feature that NG is implementing to help keep the UI from access from others on your network. Leaving it open or having no timeout and just closing the browser could allow someone access even though the browser was closed. I see this with other router mfrs and NG may be following suit. So maybe not a bug rather a change in their browser timeout policy. Something users will have to get used to.

Overall, there are issues with the FW and limited features. NG is working on them and the fw will mature, just like it did with the Orbi AC systems. Maybe not ready for you and you should come back at a later date if this isn't to your liking.

Message 4 of 4