Netgear Orbi discussion thread

[RogerSC]

I found something that is very interesting in the Orbi, if you turn on QOS there is no way to turn it off! Who designed this firmware? Unless I am missing something, any ideas on how to turn it off without a factory reset that was recommended on the Netgear product site?

I could offer a smart alecky answer, like "wait for the next version of firmware, which will probably fix this", but I really shouldn't.

 

[Vandergraff]

I installed an Orbi set up today.

Installation not quite as flawless as I would have liked.

1. My main PC would not log into Orbi (turns out KIS 2016 was blocking the Orbi at 192.168.1.1 - strange as I used to have no issues logging into an RT-AC68 at same address. See other thread)
2. When I try to do the firmware update it shows V1.4.0.16 as available for the router but gets stuck 'saying please wait a moment....' for the satellite. The 'upgrade all' button remains grayed out and I don't seem to be able to update the firmware.

Some questions.

1. The satellite seems to be getting a good connection - the LED goes to 'solid blue' on power up. However if I look at the Network Map in the Genie app it shows the link rate to satellite as 100 Mbps. Seems low...Speed testing (using dslreports speed test) from an iPhone 6 connected to the satellite give 180 Mbbs which my internet speed - so the satellite must have a link rate higher than 100 Mpbs. Any other way to check the signal strength / link rate between the router and satellite?

2. I enabled IPv6 but don't seem to be getting IPv6 address on router or clients. Anyone else have this working with Comcast.

3. Can you change the default log in name from admin - I don't seem to be able to find that option. I did change the password.

4. Scanning the network using 'Acrylic WiFi Professional' shows WPS enabled (I knew it would be) with the following WPS Info (config methods display). I guess I am surprised that it is reporting WPS config type as display - I thought it was push button only on the Orbi. If display is configured that would imply PIN WPS is enabled and would be a big security hole. If this is truly the case I may return the Orbi for this reason alone.

Coming from asuswrt-merlin on an RT-AC68 + RT-N66 as extender I must say I find the Netgear configuration options and user interface somewhat limited (both logging into the router and using the Genie app).

Will see how the rest of the family feels about network connections and stability - trying to avoid the calls at work saying the network is down again or needs to be reset.....

Would be nice if I could get it to upgrade its firmware as well...

Edit - I should also report that 'Acrylic WiFi Professional' show WPS disabled for the 'hidden' backhaul 1733 mbps connection. I thought the reason that WPS was enabled on the Orbi was to allow the backhaul connection to sync. I would far rather have option to completely disable WPS for the router and satellite client bands

 

[RogerSC]

1. I wouldn't bother with the Genie app, myself, it has a poor reputation on the usefulness and buginess end. I've had several Netgear routers and have never felt like I needed it...Our ISP download speed is about 200Mbps. I get about 200Mbps speed from clients connected to the satellite. Are you finding the speed of clients connected to the satellite limited? If not, I wouldn't worry about it.

2. I turned on IPv6 here for a about a day, and it worked just fine. I'm also on Comcast. Not sure what the problem is at your place.

3. Most router manufacturer's firmware that I'm acquainted with only allows you to change your password, not your user name. There is third party firmware that allows you to change your user name, but not for the Orbi.

4. I don't worry much about WPS these days...don't know if there's any current firmware where the past WPS exploits aren't prevented by various methods. On the other hand, there's nothing stopping you from opening an issue with Netgear, requesting control over client-facing WPS, if you feel that's necessary. Then you should find out if that's on their list of functionality to be added.

Yes, the firmware GUI is limited, but has gotten a little better with the latest release. More information on attached devices, etc. Plus added features and security fixes. I still miss having a log...but what I do like is that I haven't had to do any troubleshooting yet, so haven't really missed the monitoring tools that I'm used to. So far, the Orbi has just worked, been stable and provided great performance.

So you've had problems updating the firmware? Have you followed the directions on how to update the firmware in the release notes? Briefly, there's firmware for each unit that you need to download, and you update the satellite first. Then update the router unit. Curious where this process is failing for you? I haven't tried the automatic firmware update, I prefer more control over firmware updating.

 

[sfx2000]

turns out KIS 2016 was blocking the Orbi at 192.168.1.1

Someone else was having a very similar issue here...

http://www.snbforums.com/threads/ca...new-orbi-and-another-issue.36145/#post-295097

 

[sfx2000]

1. My main PC would not log into Orbi (turns out KIS 2016 was blocking the Orbi at 192.168.1.1 - strange as I used to have no issues logging into an RT-AC68 at same address. See other thread)

Bad antivirus signature file that is picking up something for the login - anyways, check out the other thread, and perhaps chase down that particular login problem there...

 

[Vandergraff]

I was trying to update the firmware using the online update option in the router menu. Manual update worked - thanks.

WPS PIN method is a huge security hole - google it and you will find many references.

Netgear acknowledges this here http://kb.netgear.com/19824/How-do-...e-force-vulnerability?cid=wmt_netgear_organic

They advise turning off WPS PIN method in the router settings - however the Orbi has no option to do this.

'Acrylic WiFi Professional' shows WPS enabled on the client bands on router and satellite - and the WPS method is indentified as 'display'. Display seems to be one of the methods that PIN can shown. From the WiFi alliance 'A fixed PIN label or sticker may be placed on a device, or a dynamic PIN can be generated and shown on the device's display (e.g., a TV screen or monitor). '

Would be good if Netgear gave us the same option to disable WPS method as they do in their other routers. As above WPS is not being advertised on the 'backhaul' band only the client bands. I assume if you push the sync button then WPS would be advertised on backhaul for a short period (which isn't an issue).

Still interested to know if there is a way to check the backhaul connection speed between Router and Satellite.

 

[sfx2000]

Would be good if Netgear gave us the same option to disable WPS

Would be a good option to disable WPS period

 

[pete y testing]

Still interested to know if there is a way to check the backhaul connection speed between Router and Satellite.

i believe you can by diving into telnet and ssh , someone posted details about it but i didnt bother keeping it as its pretty easy to do a throughput test when sat and router are close together and then move the sat further away in stages until the throughput drops , move it slightly closer and thats the optinum position

will have to check on the wps issue as i believed its was all push button

 

[RogerSC]

i believe you can by diving into telnet and ssh , someone posted details about it but i didnt bother keeping it as its pretty easy to do a throughput test when sat and router are close together and then move the sat further away in stages until the throughput drops , move it slightly closer and thats the optinum position

will have to check on the wps issue as i believed its was all push button

Telnet can be enabled on by using this admin GUI page:

192.168.1.1/debug.htm

 

[sfx2000]

Telnet can be enabled on by using this admin GUI page

why do vendors insist on telnet? ssh would be so much better...

 

[RogerSC]

I agree, and the telnet opening page says that if you set your password using the "passwd" command, that then you can use ssh, and telnet will be disabled. I've tried that, and after I set my password I couldn't log in with ssh or telnet. So they're really not very helpful in that direction, although they seem to think that they are *smile*.

 

[RogerSC]

WPS PIN method is a huge security hole - google it and you will find many references.

Netgear acknowledges this here http://kb.netgear.com/19824/How-do-...e-force-vulnerability?cid=wmt_netgear_organic

They advise turning off WPS PIN method in the router settings - however the Orbi has no option to do this.

Yes, and they also mention how they have modified the router firmware to deal with a brute force WPS PIN attack, by locking the router down for some period of time after a number of failures. This tends to defeat brute force attacks that are trying to determine the router's WPS PIN. I'd guess that by the time they would have determined my PIN, I would have noticed their car in front of my house *smile*. Anyways, while I agree that I'd like to turn off WPS, I'm also not overly concerned as you can tell. I guess everyone draws their own line of where their concern tells them "no".

 

[Vandergraff]

So the consensus is that the 100 mbps link rate that the genie app is reporting for Orbi satellite to router is incorrect?

ipv6 now seems to be working - maybe the firmware update or just it took a little time?

 

[Vandergraff]

3. Most router manufacturer's firmware that I'm acquainted with only allows you to change your password, not your user name. There is third party firmware that allows you to change your user name, but not for the Orbi.

Asus allows changing log in name - both stock and merlins firmware. Not a big deal - but....

 

[Vandergraff]

Telnet can be enabled on by using this admin GUI page:

192.168.1.1/debug.htm

Interesting

I see the option 'Allow external IPv6 hosts ping internal IPv6 hosts'

Other routers I have used recently allow this by default - explains why I got 17 out of 20 here http://ipv6-test.com/

Seems to be some discussion of whether this should be enabled.

Running asuswrt-merlin on my old RT-AC68 seems to allow this. PCs running Kaspersky on my network blocked it by default - apple devices on same network allowed it?

You can also test it here https://ipv6.chappell-family.com/ipv6tcptest/

Edit - I get a lot of 'yellows' on this test. With asuswrt-merlin everything was green apart from ICMPv6 ECHO REQUEST returned

 

[RogerSC]

You can also test it here https://ipv6.chappell-family.com/ipv6tcptest/

Edit - I get a lot of 'yellows' on this test. With asuswrt-merlin everything was green apart from ICMPv6 ECHO REQUEST returned

All green here. I turned off the firewall and antivirus on my computer the second time I ran it, all green. Again, not sure what's different there? Maybe there's something that I'm not aware of running on my computer in addition to the firewall and antivirus...I doubt it, though, I'm pretty much aware of this stuff. I suppose it could be Comcast, but you're on Comcast as well, so probably not that...And yes, the ICMPv6 ECHO REQUEST is also green, hence 17 out of 20 on the IPv6 test you were talking about.

 

[Hydro]

Comcast here too.

With the 'Allow external IPv6 hosts ping internal IPv6 hosts' option unchecked on the debug page, I get 17/20 on ipv6-test.com (with a very occaissional 19/20 every now & then ... *shrug*), and solid greens on everything in the chappell test link.

With that option checked on the debug page, I get a very snappy 19/20, and all greens on chappell with the exception of a yellow ICMPv6 ECHO REQUEST.

That testing is all via Chrome on my old Macbook Air, and I don't have any unique firewall setup or antivirus running.

Unsurprisingly, I can't tell a performance difference either way, so I'm going to leave that option checked for now... Well, until I learn that the yellow Echo Request test result is a security concern or something along those lines - I'm not smart on the intricacies of how stuff works at that level.

Cheers, Chris

 

[sm00thpapa]

With all these rave reviews of the Orbi system. I'm drooling for a chance to test them in my environment.


Sent from my iPad using Tapatalk

 

[RMerlin]

why do vendors insist on telnet? ssh would be so much better...

Probably because SSH requires to add Dropbear (or OpenSSH if you want to go over the top), while telnetd is part of busybox, so it's already in there. Laziness, basically.

 

[sfx2000]

Probably because SSH requires to add Dropbear (or OpenSSH if you want to go over the top), while telnetd is part of busybox, so it's already in there. Laziness, basically.

Yah, I'm not sure I would consider that laziness or not, but dependencies on some legacy scripts, and Netgear is putting their resources on other aspects - not many folks would be going under the hood in the target market in any case...