FIX for Netgear Orbi Router / Firewall blocks additional subnets
**2021-NOV Update** With the release of Orbi Router Firmware Version V2.7.3.22 the telnet option is no longer available in the debug menu. This means the steps below will not work unless you are a earlier router firmware version. I looked for other Orib solutions but didn’t find any. However, I solved this issue by using an additional firewall using NAT between VLAN74 and VLAN 75. If you find an Orbi solution, please post a comment and I’ll be glad to update this blog.
Last April 2019 I decided to update my home network with the Orbi WiFi System (RBK50) AC3000 by Netgear. My previous Netgear Wifi router worked quite well but I really needed something to support multiple locations seamlessly.
The Orbi Mesh has a primary device and allows for satellites to be connected to it. It creates a Wifi mesh that allows devices to go from room to room or building to building seamlessly. I’ve had it up for a while now and its been working out great – that is until I decided to ask it to route more than one subnet. In this blog I’ll show you the steps I took to over come this feature limitation but like all content on my blog this is for my reference. Use at your own risk.
To understand the problem we need to first understand the network layout. My Orbi Router is the Gateway of last resort and it supplies DHCP and DNS services. In my network I have two subnets which are untagged VLANS known as VLAN 74 – 172.16.74.x/24 and VLAN 75 – 172.16.75.x/24. VLAN 74 is used by my home devices and VLAN 75 is where I manage my ESXi hosts. I have enabled RIP v2 on the Orbi and on the Dell 6224 switch. The routing tables are populated correctly, and I can ping from any internal subnet to any host without issue, except when the Orbi is involved.
Issue: Hosts on VLAN 75 are not able to get to the internet. Hosts on VLAN 75 can resolve DNS names (example: yahoo.com) but it cannot ping any host on the Inet. Conversely, VLAN 74 can ping Inet hosts and get to the internet. I’d like for my hosts on VLAN 75 to have all the same functionally as my hosts on VLAN 74.
Findings: By default, the primary Orbi router is blocking any host that is not on VLAN 74 from getting to the INET. I believe Netgear enabled this block to limit the number of devices the Orbi could NAT. I can only guess that either the router just can’t handle the load or this was a maximum Netgear tested it to. I found this firewall block out by logging into the CLI of my Orbi and looking at the IPTables settings. There I could clearly see there was firewall rule blocking hosts that were not part of VLAN 74.
Solution: Adjust the Orbi to allow all VLAN traffic (USE AT YOUR OWN RISK)
- Enable Telnet access on your Primary Orbi Router.
- Go to http://{your orbi ip address}/debug.htm
- Choose ‘Enable Telnet’ (**reminder to disable this when done**)
- Telnet into the Orbi Router (I just used putty)
- Logon as root using your routers main password
- I issued the command ‘iptables -t filter -L loc2net’. Using the output of this command I can see where line 5 is dropping all traffic that is not (!) VLAN74.
- Let’s remove this firewall rule. The one I want to target is the 5th in the list, yours may vary. This command will remove it ‘iptables -t filter -D loc2net 5’
- NOTES:
- Router Firmware Version V2.5.1.16 (Noted: 10.2020) — It appears that more recent firmware updates have changed the targeting steps. I noticed in Router Firmware Version V2.5.1.16 I had to add 2 to the targeted line number to remove it with the ip tables command. This my vary for the device that is being worked on.
- Router Firmware Version V2.5.2.4 (Noted: Jan-2021) — It appears the targeting for steps are now fixed in this version.
- Again, as with all my posts, blogs, and videos are for my records and not for any intended purpose.
- Next, we need to clean up some post routing issues ‘iptables -t nat -I POSTROUTING 1 -o brwan -j MASQUERADE’
- A quick test and I can now PING and get to the internet from VLAN 75
- Disconnect from Telnet and disable it on your router.
Note: Unfortunately, this is not a permanent fix. Once you reboot your router the old settings come back. The good news is, its only two to three lines to fix this problem. Check out the links below for more information and a script.
Easy Copy Commands for my reference:
iptables -t filter -L loc2net
iptables -t filter -D loc2net 7 << Check this number
iptables -t nat -I POSTROUTING 1 -o brwan -j MASQUERADE
If you like my ‘no-nonsense’ blog articles that get straight to the point… then post a comment or let me know… Else, I’ll start writing boring blog content.
REF:
vmexplorer 
September 25, 2019 at 2:17 am
I appreciated your professional way of writing this post thanks; you have made such a nice blog. I found in your website perfect for my needs it contains wonderful and helpful posts.
LikeLike
March 12, 2020 at 12:38 am
Have you seen an issue with firmware 2.5.x where after you delete the rule it comes right back within seconds?
LikeLike
March 12, 2020 at 7:49 am
I’m currently running V2.3.5.30, and have not tested your finding. My home lab changed since I posted this blog and I have not needed to route additional subsets for a while now. I’m sure at some point I will again, and I’ll keep this comment in mind.
LikeLike
March 12, 2020 at 8:49 am
Matt, would you be able to try and either add or delete a rule in any chain then check about 30 seconds later to see if your change is still there? I’ve now downgraded back to 2.2.x and it is still doing this for me. I wonder if there is a setting that 2.5.x changed that has stuck through the downgrades. I guess I’m going to have to try a factory reset next.
Much appreciated!
LikeLike
March 13, 2020 at 1:56 pm
I’m running firmware 2.3.5.30 and I tested my blog instructions. After making the changes I checked back in 30 secs, several mins, and 30 mins later. Each time my changes were still there, it did not revert back.
LikeLike
July 7, 2020 at 11:27 am
Using firmware 2.5.1.16 and can confirm that the rule disappears after some time.
LikeLike
July 9, 2020 at 8:30 am
Hey Jude, thanks for the question. I just updated to 2.5.1.16 but the rest of my network is under construction, so I can’t check this out. I’ll post up once I have it all settled.
LikeLike
July 9, 2020 at 9:38 am
Jude, The fix for me was to reset to factory and manually configure everything again. When I tried to import previous config the problem persisted. When I reset and configured manually, the rules stuck as they should and I was back up and running. Must have been a glitch during a firmware update.
LikeLike
October 14, 2020 at 11:00 am
I noticed the targeting for the rule has changed a bit, I have updated my blog with the findings on my router.
LikeLike
November 10, 2020 at 7:09 am
Man! Thanks a billion! I’m setting up a lab at home with NSX-T, and I figured out that it was my ORBI that prevented my NSX-T segments from reaching the Internet. But I had no clue as how to fix it! You saved my lab! :-D
LikeLike
November 10, 2020 at 7:43 am
You are so welcome, and thank you for taking the time to comment. Its comments like these that keep me writing and creating videos to help others.
LikeLike
February 21, 2021 at 11:26 am
Thanks Matt! This has bugged me for ages and now I can fix it. One thing, maybe mention that “brwan” is the name of your wan interface and may be different, for example mine is ppp0 (as shown by a netstat -rn command).
LikeLike
February 22, 2021 at 8:37 am
Thank you for taking the time to leave a comment. I really do appreciate it when readers do! I’ll take a peek at your suggestion the next time I reboot my Orbi.
LikeLike