Phoenix

FIX for Netgear Orbi Router / Firewall blocks additional subnets


Last April my trusty Netgear switch finally gave in. I bought a nifty Dell PowerConnect 6224 switch and have been working with it off and on. About the same time, I decided to update my home network with the Orbi WiFi System (RBK50) AC3000 by Netgear. My previous Netgear Wi-Fi router worked quite well, but I really needed something to support multiple locations seamlessly.

The Orbi Mesh has a primary device and allows satellites to be connected to it. It creates a Wi-Fi mesh that lets devices go from room to room or building to building seamlessly. I've had it up for a while now and it's been working out great, that is, until I decided to ask it to route more than one subnet. In this blog I'll show you the steps I took to overcome this feature limitation, but like all content on my blog this is for my reference: travel, use, or follow at your own risk.

To understand the problem we first need to understand the network layout. My Orbi router is the gateway of last resort and it supplies DHCP and DNS services. In my network I have two subnets which are untagged VLANs: VLAN 74 (172.16.74.0/24) and VLAN 75 (172.16.75.0/24). VLAN 74 is used by my home devices and VLAN 75 is where I manage my ESXi hosts. I have enabled RIPv2 on the Orbi and on the PC6224 switch. The routing tables are populated correctly, and I can ping from any subnet to any host without issue.

Issue: Hosts on VLAN 75 are not able to get to the Internet. Hosts on VLAN 75 can resolve DNS names (example: yahoo.com), which makes sense because the Orbi is their resolver and does the upstream lookup on their behalf, but they cannot ping any host on the Internet, whereas hosts on VLAN 74 can ping Internet hosts and browse normally. I'd like my hosts on VLAN 75 to have all the same functionality as my hosts on VLAN 74.

Findings: By default, the primary Orbi router is blocking any host that is not on VLAN 74 from getting to the Internet. I believe Netgear enabled this block to limit the number of devices the Orbi could NAT. I can only guess that either the router just can't handle the load or this was the maximum Netgear tested it to. I found this block by logging into the router's CLI and looking at the iptables rules. There I could clearly see there was a firewall rule blocking hosts that were not part of VLAN 74.

Solution: Adjust the Orbi to allow all VLAN traffic (USE AT YOUR OWN RISK). Be clear about what this does: once the DROP rule is gone, the router forwards and NATs traffic from any source address that reaches its LAN side, not only 172.16.74.0/24, so the only path onto that side should be your own switch and VLANs.

  1. Enable Telnet access on your primary Orbi router.
    1. Go to http://{your orbi ip address}/debug.htm
    2. Choose 'Enable Telnet' (**reminder to disable this when done**: telnet is a cleartext shell on the router, so enable it only from the LAN and only for as long as the fix takes)
    3. Telnet into the Orbi router
  2. I issued the command 'iptables -t filter -L loc2net'. In the output of this command you can see where it's dropping all traffic whose source is not (!) the VLAN 74 subnet, 172.16.74.0/24. Adding '-n --line-numbers' to that command prints each rule's position, which you need for the next step.
  3. Let's remove this firewall rule. The one I want to target is 5th in the list; yours may vary, so use the number from your own listing. This command removes it: 'iptables -t filter -D loc2net 5'. Run the -L command again afterwards to confirm the DROP rule is gone.
  4. Next, we need to fix the NAT side: 'iptables -t nat -I POSTROUTING 1 -o brwan -j MASQUERADE'. This inserts a rule at the top of the nat POSTROUTING chain so that everything leaving the WAN bridge (brwan), including traffic from VLAN 75, is source-NATed to the router's WAN address.
  5. A quick test and I can now ping and get to the Internet from VLAN 75.
  6. Disconnect from Telnet and disable it on your router.

Note: Unfortunately, this is not a permanent fix. Once you reboot your router the old settings come back. The good news is, it's only two to three lines to fix this problem each time. Check out the links below for more information and a script.
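The script below is an added example for this write-up (not the post's own script and not Netgear code) that rolls steps 2 to 4 into one idempotent file you can paste into the telnet session after each reboot. It looks the DROP rule up by content instead of assuming it is 5th, adds the MASQUERADE rule only if the exact rule from step 4 is not already there, and checks the chain afterwards. The chain name loc2net, the bridge brwan and the 172.16.74.0/24 subnet are from the post; the BusyBox sh environment, the exact layout of the DROP rule in 'iptables -L' output, and the sample listings embedded for the dry run are assumptions.

```shell
#!/bin/sh
# orbi-fix.sh: re-apply the two iptables changes from the steps above in one
# idempotent pass, so it can be re-run after every reboot. Added example for
# this write-up, not Netgear code. Assumptions: BusyBox sh on the Orbi; its
# iptables accepts -L -n --line-numbers and -D <chain> <num> (as used above);
# chain loc2net, WAN bridge brwan and LAN subnet 172.16.74.0/24 come from the
# post; the DROP rule's -L output is assumed to look like
#   5    DROP       all  -- !172.16.74.0/24       0.0.0.0/0

LAN_NET="${LAN_NET:-172.16.74.0/24}"
WAN_IF="${WAN_IF:-brwan}"
CHAIN="${CHAIN:-loc2net}"

# Read `iptables -t filter -L $CHAIN -n --line-numbers` on stdin and print the
# number of the first DROP rule whose source is "not LAN_NET" (iptables prints
# the negation as a leading "!"). Prints nothing if there is no such rule.
# Looking the number up each time avoids hard-coding "5", which varies.
find_drop_rule_num() {
  awk -v net="$LAN_NET" '
    $1 ~ /^[0-9]+$/ && $2 == "DROP" && ($5 == ("!" net) || ($5 == "!" && $6 == net)) {
      print $1; exit
    }'
}

# Read `iptables -t nat -L POSTROUTING -n -v` on stdin and succeed only if the
# exact rule the post inserts is present: MASQUERADE, out-interface $WAN_IF,
# any source (0.0.0.0/0). A stock rule limited to the LAN subnet does not count.
has_masq_rule() {
  awk -v wan="$WAN_IF" \
    '$3 == "MASQUERADE" && $7 == wan && $8 == "0.0.0.0/0" { found = 1 } END { exit !found }'
}

# Apply the fix on the router: delete every matching DROP rule (re-listing after
# each delete because the numbers shift), add MASQUERADE once, then verify.
apply_fix() {
  command -v iptables >/dev/null 2>&1 || { echo "iptables not found; run this on the Orbi" >&2; return 1; }
  n=0
  while [ "$n" -lt 10 ]; do
    num=$(iptables -t filter -L "$CHAIN" -n --line-numbers | find_drop_rule_num)
    [ -n "$num" ] || break
    echo "deleting $CHAIN rule $num (DROP for sources outside $LAN_NET)"
    iptables -t filter -D "$CHAIN" "$num"
    n=$((n + 1))
  done
  if iptables -t nat -L POSTROUTING -n -v | has_masq_rule; then
    echo "MASQUERADE on $WAN_IF already present, not adding a second copy"
  else
    iptables -t nat -I POSTROUTING 1 -o "$WAN_IF" -j MASQUERADE
  fi
  # Check that the DROP rule is really gone before declaring success.
  if iptables -t filter -L "$CHAIN" -n --line-numbers | find_drop_rule_num | grep -q .; then
    echo "DROP rule still present in $CHAIN" >&2
    return 1
  fi
  return 0
}

# Constructed sample listings (not captured from a real Orbi) in the shape of
# the two iptables -L commands, used to exercise the parsing off the router.
SAMPLE_LOC2NET='Chain loc2net (1 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     udp  --  172.16.74.0/24       0.0.0.0/0            udp dpt:53
3    ACCEPT     tcp  --  172.16.74.0/24       0.0.0.0/0            tcp dpt:53
4    DROP       all  --  0.0.0.0/0            224.0.0.0/4
5    DROP       all  -- !172.16.74.0/24       0.0.0.0/0
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0'

SAMPLE_POSTROUTING_STOCK='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 MASQUERADE  all  --  *      brwan   172.16.74.0/24       0.0.0.0/0'

SAMPLE_POSTROUTING_FIXED='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      brwan   0.0.0.0/0            0.0.0.0/0
  120  9000 MASQUERADE  all  --  *      brwan   172.16.74.0/24       0.0.0.0/0'

# `sh orbi-fix.sh apply` does the real thing on the router; with no argument it
# only reports what it would do, using the constructed samples above.
if [ "$1" = "apply" ]; then
  apply_fix
else
  echo "dry run: would delete $CHAIN rule $(printf '%s\n' "$SAMPLE_LOC2NET" | find_drop_rule_num)"
  if printf '%s\n' "$SAMPLE_POSTROUTING_STOCK" | has_masq_rule; then
    echo "dry run: MASQUERADE rule already present"
  else
    echo "dry run: would run: iptables -t nat -I POSTROUTING 1 -o $WAN_IF -j MASQUERADE"
  fi
fi
```

Matching the DROP rule by its target and negated source rather than by position is what makes the script safe to re-run: if the rule is already gone it deletes nothing, and if a firmware update moves it to a different slot it is still found. The MASQUERADE check deliberately looks for a rule with source 0.0.0.0/0, since a stock rule that only masquerades 172.16.74.0/24 is exactly the case the fix exists to cover.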

If you like my ‘no-nonsense’ blog articles that get straight to the point… then post a comment or let me know… Else, I’ll start writing boring blog content.

REF:

 

 

10-30-2015 Phoenix VMUG this event is going to be EPIC!


Back in the day when I led the Phoenix VMUG, the other leaders and I put our attention on the quality of the event vs. trying to drive attendance. We knew producing quality events would lead to more users wanting to attend. Man, were we right. Our first VMUG in 2008 drew a crowd of 65, not too bad for our first showing. However, we worked hard, listened to our attendees, and in just 2 years' time we built an event framework to support 300-500 users and 20+ sponsors every quarter! The framework we created was so successful it was key in creating the framework for the VMUG UserCon.

Flash forward to October-30-2015 and one of the most EPIC VMUG events ever is about to take place in Phoenix! I never use the word epic unless there is something absolutely stunning. Example: me doing a selfie drinking a soda is not epic. However, when VMware COO Carl Eschenbach, Principal Architect Rawlinson Rivera, Senior Technical Marketing Architect Doug Baer, Chris Wahl, Josh Atwell, instructor-led labs, 30+ partners/sponsors, multiple breakout sessions, and cocktails at the end of the day come to your VMUG, then this is EPIC!

I know that was quite a bit to take in, but like I said, EPIC. For now I'd recommend registering for the event and downloading the VMUG UserCon App.

Registration – To register for this event go here >> https://www.vmug.com/p/cm/ld/fid=10175

Download the App – To help you manage your day at this event. Install the VMUG UserCon App >> https://www.vmug.com/p/cm/ld/fid=9653

The overall agenda should be posted soon, and when it is I'll post my recommendations for this event!