R7000 & WNCE4004 Issues

#1
January 8th, 2014, 04:49 PM
scotte

I set up my R7000 a few weeks ago. Everything seemed OK. Yesterday, I added a Netgear WNCE4004 Wireless Bridge to my network. I had a Denon AVR-X3000 (which only has a wired network connection), a Sony TV and Sony BluRay (which had 2.4GHz wifi), all of which I wanted to run through the 5GHz band.

I'm running the _164 firmware and I never used the Genie app, always using 192.168.1.1 through my (Firefox) browser.

When I set it up, I had the following problems:

1) The WNCE4004 has NEVER received the proper IP address. I statically assign IP addresses for everything on my network. Sometimes the 4004 gets an open, unused address. Most of the time, it is assigned the IP address that I have allocated to the Denon. It doesn't seem to affect the operation of the Denon, but I am unable to get to the administrative interface of the 4004. In fact, I can't seem to get to the administrative interface of the 4004 under ANY circumstances.

2) Access Control no longer seems to work. It's turned on and "Block All New Devices" is checked. When I first set up the R7000, it blocked anything that wasn't in the ACL. Now, however, the 4004 and all the new (wired) MAC addresses operating through the 4004 were automatically allowed. Access Control seems to have stopped working altogether. This is a HUGE security issue for me, if I can't trust the ACL to actually block intruders.

3) There doesn't seem to be any way to manually add devices to the ACL. Contra the documentation, there are no Add, Edit or Delete buttons on the ACL page. I have a long list of devices that I occasionally connect to my network (older computers, printers, etc.) that I would like to add to my ACL, but the only way to do that is to actually connect them and power them up. Arggh!

4) There doesn't seem to be any way to assign the same IP address to different MAC addresses.

Anybody else having problems like this with static IP addresses and Access Control? Note that I have powered down EVERYTHING on the network, done a hard reset of the R7000 to factory settings and restored my configuration twice in attempting to fix these problems. At least the problem is reproducible!

#2
January 10th, 2014, 03:41 PM
ubq
Re: R7000 & WNCE4004 Issues

I just want to add my experience to this thread as confirmation of the problem with access control lists. I'm employing my R7000 as a standalone access point and I'm experiencing something similar.

I have the default set to block new clients and they do show up correctly in the ACL marked as blocked; however, they are not blocked in fact. Any client is freely able to associate and access the network behind the AP and the internet. Moreover, the incorrect "blocked" listing can leave a Netgear customer unaware of vulnerabilities.

While all of us who use MAC ACLs do realize that MACs can be spoofed, ACLs remain an important security tool when used in conjunction with other strong security. Ultimately, it is an advertised security feature and it would be nice to see it working properly.

I'm curious to know if this is an issue that only affects routers operating in alternate modes (bridge or AP configurations). While the argument could be made that MAC ACLs are a "routing" feature, a practical counterargument would suggest that even in AP or bridge mode, security for the wireless medium is best applied at the wireless medium. We'd like to keep unwanted visitors from ever associating at all.

Having said that, a suboptimal workaround for the ACL failure is to block all traffic from the Netgear segment with a firewall/router behind/above it and then whitelist MACs from there... at least the local network would have an additional hurdle for attackers. I don't know if that is an option using the firewall facilities of the R7000 directly. I'm guessing not, but there are several Linux firewall options available if you have a box and a coupla NICs handy.
Reply With Quote
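
The workaround described in post #2, sketched as an added example that is not part of the original thread or any poster's own configuration: a Python helper that validates a MAC allowlist and renders an nftables ruleset for a Linux box routing between the R7000 segment and the rest of the LAN. The interface name `eth1`, the table name `apfilter` and the MAC addresses are assumptions constructed for illustration.

```python
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

def normalize_mac(raw):
    """Return a lowercase colon-separated MAC, or raise ValueError."""
    mac = raw.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    # Bit 0 of the first octet marks group (multicast/broadcast) addresses,
    # which are never a legitimate client source address.
    if int(mac[:2], 16) & 1:
        raise ValueError(f"group address cannot be allowlisted: {raw!r}")
    return mac

def render_ruleset(ap_iface, macs, table="apfilter"):
    """Render nftables rules that accept traffic arriving on ap_iface
    only when its source MAC is in the allowlist."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,15}", ap_iface):
        raise ValueError(f"bad interface name: {ap_iface!r}")
    allowed = sorted({normalize_mac(m) for m in macs})  # dedupe + stable order
    if not allowed:
        raise ValueError("empty allowlist would block the whole segment")
    elements = ", ".join(allowed)
    # forward: traffic routed through the box; input: traffic to the box itself.
    return f"""table inet {table} {{
    set allowed_macs {{
        type ether_addr
        elements = {{ {elements} }}
    }}
    chain forward {{
        type filter hook forward priority 0; policy accept;
        iifname "{ap_iface}" ether saddr != @allowed_macs counter drop
    }}
    chain input {{
        type filter hook input priority 0; policy accept;
        iifname "{ap_iface}" ether saddr != @allowed_macs counter drop
    }}
}}
"""

# Constructed sample values; eth1 is assumed to face the R7000 segment.
SAMPLE_MACS = ["AA-BB-CC-00-00-01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01"]

if __name__ == "__main__":
    print(render_ruleset("eth1", SAMPLE_MACS))
```

The rendered text can be saved to a file and loaded with `nft -f`; the `counter` on each drop rule shows how many packets from unlisted MACs reached the firewall, which is also a direct measure of whether the R7000's own ACL is blocking anything.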