I recently added a new profile in which I basically block everything when I am away from my PC for an extended time. This past weekend I went out of town and I locked down my connection using GlassWire. When I returned home this evening I noticed that my router/modem had several messages in the log that I see upon checking:
My PC is the only connection on this modem, so I’m wondering if I am blocking something that “polls” the ethernet port to keep it active or something? Previous checks of my router/modem logs have shown nothing in regards to the above messages when I am not locked down.
edited to add: This is a wired connection directly to the router/modem.
GlassWire isn’t blocking anything on the Ethernet network layers.
I imagine that this is happening because of the “extended time” you are away. Maybe you’re more likely to turn your PC off or have it got to sleep or hibernate. These are typical causes of client disconnection events in your router log.
It is possible that it is something more unusual but you’d have to do confirm this by reviewing what is happening on your PC.
1. Positively identify the device reported in the router log.
Is it your Windows PC? In other words, is 192.168.254.65 your PC?
You could also confirm that your PC/network card has the MAC address 70:9e:xx:xx:xx:xx?
2. Check what is happening on your PC
Windows Event logs
You can use the the Windows Event Viewer and see if there is a matching event for a network disconnection.
I can see connect/disconnect events in: Application and services logs > Microsoft > Windows > Network Profile > Operational log
10000 is Network connected e.g. when my PC wakes up or starts up.
10001 is a Network disconnect e.g. when my PC goes to sleep or is shutdown.
I can see telemetry checks for network availability - the times are for the check not when the network disconnected: Application and services logs > Microsoft > Windows > Universal telemetry client > Operational log
There are also command-line reporting options for all sorts of network data but I don’t remember seeing network disconnect logs unless you turn this feature on for your cabled connection. Although it is no use to you, FYI, WiFi does have more logging:
netsh wlan show wlanreport
to produce a WiFI report in e.g. C:\ProgramData\Microsoft\Windows\WlanReport\wlan-report-latest.html
My PC is positively identified as being connected with that IP via ethernet cable. Wireless is disabled on the modem/router. MAC address is confirmed as well. The only thing I have set on my PC is for the video card to shutdown after 30 minutes of inactivity. No sleep or hibernation settings are enabled.
I could find no 10000/10001 events, nor any 55/56 events that have been logged since 9/21/2020. I don’t remember stopping any services ever, so could this be an issue?
If there is no Windows event for network disconnection then Windows is probably not initiating it.
Personally, I wouldn’t be worrying about this. I would be more concerned if it was happening when I was using it or my connection was showing obvious problems like loss of throughput or lost/damaged packets. As it is only happening when you’re not using your computer then there is no real impact.
FYI, network adapters do have power saving features and Windows can use them. See my adapter settings where I have that feature turned on. But I’d expect a Windows event if that were happening - it would probably be a different event ID:
“I recently added a new profile in which I basically block everything.”
“I’m wondering if I am blocking something that “polls”… the ethernet (sic) port…?”
Obviously you are because your router/modem is reporting 192.168.254.65 is disconnected because 192.168.254.65 is “basically block(ing) everything.” “Disconnected” is the flag for all states of no communication, regardless of cause.
As such, there’s nothing on your PC which can report on what it is, because, well, as 192.168.254.65 is blocking everything, it can’t possibly know.
Nonetheless, have you not met your goal?
When I’m away for an extended period, I shut down the PC and set to power switch to Off. (For the less featured power supplies without a switch, unplug the AC cord or pull it from the wall socket, whichever is easier.)
If for some reason the PC needs to be powered, unplug the Ethernet cable at the PC or the router. Note that in sleep, hibernation AND shut down, the PC is still powered.
Edit: Well I am wrong because complete blocking does block the Windows kernel.
GlassWire doesn’t actually block everything. Most importantly, GlassWire doesn’t allow blocking of the Windows “NT Kernel & System” which is where the network drivers run.
So I doubt that GlassWire is blocking the Ethernet link which is what the router logs as disconnecting.
So just to clarify, I should not use the “block all” feature if I want to maintain my Ethernet connection to the router?
As per another post, I sometimes run game servers and I also run Folding software that needs to communicate with the main server. I’m trying to find the right balance of blocking that would still allow an active connection to my router. Thanks for following up with your team on this. The information you provided on what is blocked in “block all” mode is very helpful. Now I just have to identify which NT Kernel and System apps need to be allowed and setup a different profile accordingly.
because complete blocking does block the Windows kernel.