D-Link Forums
The Graveyard - Products No Longer Supported => Routers / COVR => DIR-825 => Topic started by: bbear on January 25, 2012, 09:35:08 PM
-
Hello,
Some time ago, after some digging I managed to set up my DIR-825 to block https/SSL accesses from one of the computers in my house. I recall doing this by setting up a port filter rule to block port 443 for UDP.
Unfortunately my DIR-825 got majorly screwed up the other day and I ended up losing my setup because of having to do a factory reset. I did have a saved config, but unfortunately it was from before I figured out the SSL blocking stuff.
I had scoured these forums again and thought that I had found the original post which helped me (http://forums.dlink.com/index.php?topic=8057.msg47863#msg47863) but for some reason it is not working now.
I have two rules set up under Advanced/Access Control
The first rule (named: 'SslBlock') is set up as follows:
Filtering=Block some access
Logged=No
Schedule=StudyTime (5pm to 9pm weekdays)
MAC address (ending in 66:09)
Apply Web Filter
Advanced Port Filters
The advanced port filter is set up for the full IP range, Port 443, UDP protocol
The second rule (named 'Exceptions_1') is set up as follows:
Filtering=Log web access only
Logged=yes
Schedule=Always
MAC address (ending in D8:C3, which is the main/administrator PC)
The problem I am getting is that when I enable the first rule, it blocks all internet traffic to BOTH computers. From what I can figure out, it should NOT affect the main/admin PC (MAC ending in D8:C3) because of the 'exception' rule which I created.
My DIR-825 is flashed to 2.05NA
Could someone please help?
thanks in advance
-
What ISP Service do you have? Cable or DSL?
What ISP Modem do you have? Stand Alone or built in router?
What ISP Modem make and model do you have?
If this modem has a built-in router, it's best to bridge the modem. Having 2 routers on the same line can cause connection problems. To tell if the modem is bridged or not, look at the router's web page, Status/Device Info/Wan Section; if there is a 192.168.0.# address in the WAN IP address field, then the modem is not bridged.
Some things to try:
Ensure DNS IP addresses are being filled in under Setup/Internet/Manual? You can find these under Status/Device Info/Wan section.
Turn off ALL QoS (DIR only) or GameFuel (DGL only, and only if ON) options under Advanced/QoS or GameFuel.
Turn off Advanced DNS Services if you have this option under Setup/Internet/Manual.
Turn on DNS Relay under Setup/Networking.
Setup DHCP reserved IP addresses for all devices ON the router. Setup/Networking
Ensure devices are set to auto obtain an IP address.
Set Firewall settings to Endpoint Independent for TCP and UDP under Advanced/Firewall.
Enable uPnP and Multi-cast Streaming under Advanced/Networking.
-
Thanks for your help and suggestions, before I answer your questions I wanted to mention that over the weekend I did a 30-30-30 reset procedure, then update (with some difficulty) to 2.06NA firmware. Unfortunately I am still seeing the same problems. On to your questions:
ISP service: ADSL
ISP Modem: TP-LINK ADSL2+, Model TD-8816 (this is a replacement which I bought for my ISP-supplied Siemens router (which I used in bridge mode). The Siemens broke down). I have been using this TP-Link for some time and it has never given me problems.
Your suggestions:
1) Ensure DNS IP addresses are being filled..
I am not sure what you mean, do you mean that I should check that all devices in my DHCP Reservations List should be assigned the IP I specified?
2) Turn off ALL QoS..
Don't I need this enabled for my home network to run smoothly? (given that I am streaming HD media, and do a variety of different things on my network)
3) Turn off Advanced DNS Services..
This is already turned OFF
4) Turn on DNS Relay..
This is already ON
5) Set up DHCP reserved IP addresses..
Do you mean that I should do this for all the devices which are physically connected to my DIR-825, or do I also need to include wireless devices?
6) Enable uPnP and Multi-cast Streaming..
uPnP was already ON. Multicast was only enabled for IPv6
Note,
I had set up my DIR-825 previously and had it working where it would block SSL access for only certain MACs and only during a particular schedule. I cannot figure out why the same configuration isn't working any more. I am pretty sure also that I was running 2.06NA firmware when it was working.
I have had many occasions however where I would need to go in and turn off an access rule, or turn one on, and the rules were not being applied according to the check-marks beside them in the list. One 'workaround' that seemed to work some of the time was to turn off all Access Control and enable it again.
I had assumed that it was because I had accumulated a load of junk in the NVRAM (hence the 30-30-30 reset), but maybe it was an indicator of some bigger issue.
-
Thanks for your help and suggestions, before I answer your questions I wanted to mention that over the weekend I did a 30-30-30 reset procedure, then update (with some difficulty) to 2.06NA firmware. Unfortunately I am still seeing the same problems. On to your questions:
Review the FW Update sticky for update processes.
http://forums.dlink.com/index.php?topic=42442.0 (http://forums.dlink.com/index.php?topic=42442.0)
ISP service: ADSL
ISP Modem: TP-LINK ADSL2+, Model TD-8816 (this is a replacement which I bought for my ISP-supplied Siemens router (which I used in bridge mode). The Siemens broke down). I have been using this TP-Link for some time and it has never given me problems.
To tell if the modem is bridged or not, look at the router's web page, Status/Device Info/Wan Section; if there is a 192.168.0.# address in the WAN IP address field, then the modem is not bridged.
Your suggestions:
1) Ensure DNS IP addresses are being filled..
I am not sure what you mean, do you mean that I should check that all devices in my DHCP Reservations List should be assigned the IP I specified?
Ensure DNS IP addresses are being filled in under Setup/Internet/Manual on the router.
2) Turn off ALL QoS..
Don't I need this enabled for my home network to run smoothly? (given that I am streaming HD media, and do a variety of different things on my network)
This is only temporary, so that we can eliminate router processing while we're trying to figure out the correct configuration. You can turn this back on later.
3) Turn off Advanced DNS Services..
This is already turned OFF
4) Turn on DNS Relay..
This is already ON
5) Set up DHCP reserved IP addresses..
Do you mean that I should do this for all the devices which are physically connected to my DIR-825, or do I also need to include wireless devices?
ALL devices, wired and wireless.
6) Enable uPnP and Multi-cast Streaming..
uPnP was already ON. Multicast was only enabled for IPv6
Note,
I had set up my DIR-825 previously and had it working where it would block SSL access for only certain MACs and only during a particular schedule. I cannot figure out why the same configuration isn't working any more. I am pretty sure also that I was running 2.06NA firmware when it was working.
What FW version was previously loaded before you updated to 2.06?
I have had many occasions however where I would need to go in and turn off an access rule, or turn one on, and the rules were not being applied according to the check-marks beside them in the list. One 'workaround' that seemed to work some of the time was to turn off all Access Control and enable it again.
Any possible misconfiguration in how you are entering the rules? How are you inputting the information? Need more detail here.
I had assumed that it was because I had accumulated a load of junk in the NVRAM (hence the 30-30-30 reset), but maybe it was an indicator of some bigger issue.
Not sure if the 30 30 30 is supported on these routers. I use the FW process in the FW Update sticky for all updates when needed.
Turn off all anti-virus and firewall programs on the PC while testing. 3rd party firewalls are not generally needed when using routers, as they are effective at blocking malicious inbound traffic. They could also interfere with router and Internet connections.
What are your Firewall settings set for?
-
I will try your suggestions and gather the information when I get home tonight. However I wanted to bring up a concern I have with regards to the firmware upgrade which I performed. I am wondering if I should do another firmware upgrade (the proper way this time) before continuing with the investigations.
Before I upgraded to 2.06NA I was running 2.05NA. Does this constitute a ‘major firmware upgrade’ and therefore requires me to start configuring from scratch (as opposed to loading my saved config)?
I wish that I had read that sticky on firmware update procedure. I realize now that in doing the 30-30-30 procedure I had in fact performed the disaster recovery. The PC I was running it from was connected via an Ethernet cable and was set to static IP so I fulfilled that requirement ok – so that was very fortunate.
The ‘with difficulty’ I mentioned earlier was because it never returned with ‘success’ at the end of the 30-30-30 reset. At this point I was nervous about removing power from the device so because of having no better idea I slammed the Dlink install CD into my PC (the disk which came with the router originally) and was able to get the router up that way. The router is now up and running (apart from the original issue we are trying to resolve here) so presumably the ‘unconventional’ method hasn’t done any damage.
Note, since the upgrade to 2.06NA I sometimes have problems logging into the router as admin, it is as if it thinks I am typing the password badly. I have seen this issue before on occasion and every time it makes me panic thinking I might never be able to log into it again.
Is this a known issue and do you think it warrants me doing the firmware upgrade again?
-
I will try your suggestions and gather the information when I get home tonight. However I wanted to bring up a concern I have with regards to the firmware upgrade which I performed. I am wondering if I should do another firmware upgrade (the proper way this time) before continuing with the investigations.
Before I upgraded to 2.06NA I was running 2.05NA. Does this constitute a ‘major firmware upgrade’ and therefore requires me to start configuring from scratch (as opposed to loading my saved config)?
Revision Info:
Fixed: IPv6 issue.
Added: IPv6 routing table in status.
So this was the only item that was done for 2.06. When I got my 825, it had 2.02 on it and it worked well then, and it's now at 2.05. I'm not upgrading to 2.06 unless DLink wants me to, to test to compare with another user, or when my ISP starts to support IPv6. I recommend that if your ISP doesn't support IPv6 at this time, you really don't need 2.06. I would go back to 2.05 or the last known good working FW version that worked for you.
I wish that I had read that sticky on firmware update procedure. I realize now that in doing the 30-30-30 procedure I had in fact performed the disaster recovery. The PC I was running it from was connected via an Ethernet cable and was set to static IP so I fulfilled that requirement ok – so that was very fortunate.
The ‘with difficulty’ I mentioned earlier was because it never returned with ‘success’ at the end of the 30-30-30 reset. At this point I was nervous about removing power from the device so because of having no better idea I slammed the Dlink install CD into my PC (the disk which came with the router originally) and was able to get the router up that way. The router is now up and running (apart from the original issue we are trying to resolve here) so presumably the ‘unconventional’ method hasn’t done any damage.
Note, since the upgrade to 2.06NA I sometimes have problems logging into the router as admin, it is as if it thinks I am typing the password badly. I have seen this issue before on occasion and every time it makes me panic thinking I might never be able to log into it again. I have seen some issues with this, however usually on my Mac. There are some routers, especially the DGL-4500, where if you type in the PW and then hit Enter on the keyboard, for some reason the router returns an incorrect log-in message. However if you click on the Log-In button with the mouse it goes in correctly. What browser do you use? I use Opera and IE 9, mostly Opera. Try a different browser like Opera or FF.
Is this a known issue and do you think it warrants me doing the firmware upgrade again?
I recommend going back to 2.05. Even though mine's working as an AP right now, when I had it as host router, it was very solid and working VERY well.
Maybe someone can review your router settings with you using teamviewer. (http://www.teamviewer.com)
Keep us posted.
-
Sorry for the delay but my children have had exams all week and have been studying, and I have been unable to spend time messing with my DIR-825 as they need reliable internet access for their studies.
I have managed to try some of the things you suggested but nothing has worked yet, here are the ones which I have tried..
1) Ensure DNS IP addresses are being filled - DONE
2) Turn off ALL QoS - DONE
3) Turn off Advanced DNS Services. (already DONE)
4) Turn on DNS Relay.. (already DONE)
6) Enable uPnP and Multi-cast Streaming.. - DONE
I have NOT yet tried your suggestion..
5) Set up DHCP reserved IP addresses..
I will try this at the weekend. If that doesn't fix the issue I plan to do a factory reset and reconfigure from scratch. And if that fails I will downgrade to 2.05NA firmware and configure that from scratch.
thanks for your help
-
Ok, keep us posted.
-
Well, I discovered a very interesting problem which makes absolutely no sense. Here is what I did..
1. performed factory reset
2. installed 2.05 firmware (part 1, then part 2)
3. installed 2.06 firmware
4. configured the router from scratch, matching the settings to what I had previously (of which I had conveniently printed screenshots). Note, before configuring the access control page I saved the config
At this point the router seemed to be working perfectly (apart from the access control stuff since I had not added this yet).
Next I set about adding the access control settings. I kept it simple, creating two rules, one lists all the computers which I want to block access to, the other rule is for the computers which I want to be excluded (i.e. wifi printer, Skype phone, my admin PC (the one directly connected to the router))
What I discovered is that there is one MAC, ending in 37 (an iPod touch) which when I add it to the Block rule it kills access to the internet on my admin PC - even though the admin PC is in the exclusion rule!
Here is what the rules look like:
Rule: Test_Block
Machines:
xx:xx:xx:xx:xx:83
xx:xx:xx:xx:xx:09
xx:xx:xx:xx:xx:34
xx:xx:xx:xx:xx:14
xx:xx:xx:xx:xx:37
xx:xx:xx:xx:xx:6d
Filtering: Block some access (applies a web filter)
Schedule: always
Rule: Test_Exceptions
Machines:
xx:xx:xx:xx:xx:85
xx:xx:xx:xx:xx:63
xx:xx:xx:xx:xx:18
xx:xx:xx:xx:xx:83
Filtering: Log web access only
Schedule: always
The machine ending in 63 is the admin PC, i.e. the one which is directly connected to the router via Ethernet cable.
If I remove the machine ending in 37 from the Test_Block rule everything works fine on the admin PC.
BTW, I remember now one reason why I updated to 2.06 f/w was to fix a problem where a particular MAC address could not be entered when using the 2.05 f/w. I can't remember what was special about the address, but 2.06 fixed the problem. For this reason I would prefer to stick with 2.06
-
wow so the ipod and its MAC address breaks the Mac Filtering rule you set up if you include it ?
-
Yes that's what is happening. Also, the MAC just has to be assigned to the Test_Block access rule, the ipod itself does not have to be turned on for the problem to happen.
-
Well sounds like you found the problem. Not sure if this is a bug in FW or what. I presume that if that particular MAC isn't used on the 825 that everything works correctly?
-
Yes, if I omit that MAC from the Test_Block rule then the router appears to work ok. However, today I did some more experimenting and discovered something which may point to the root of the problem:
First let me mention that not all of the MAC addresses which I included in the Test_Block rule were available via the 'Computer Name' pull-down. Instead, because I had previously written down the MAC addresses for all the computers in my household (including iPods, etc), I added the MAC addresses for everything I wanted blocked whether it was available in the pull-down or not.
So, looking again at the original Test_Block list:
Rule: Test_Block
Machines:
xx:xx:xx:xx:xx:83
xx:xx:xx:xx:xx:09
xx:xx:xx:xx:xx:34
xx:xx:xx:xx:xx:14
xx:xx:xx:xx:xx:37
xx:xx:xx:xx:xx:6d
Of the above, only the one ending in 14 does not appear in the 'Computer Name' pull-down (presumably because that computer had not been powered up since I reset and reconfigured the router). This is actually the one before the iPod (37), whose removal from the list appeared to ‘fix’ the issue before.
So I tried deleting the 14 entry from the rule but at that point my admin PC (one connected via Ethernet cable to the router) became disconnected and would not re-connect. I ended up power-cycling my router to recover from this state.
So what I did next was to disable the rule first, then delete the MAC ending in 14. This worked, and it saved the modified rule and everything is working fine again!
So it appears that there is an issue with the DIR-825 if you enter MAC addresses which are not available via that pull-down 'Computer Name'.
It seems crazy to me that the router provides a field which you can type any MAC address, real or not (so long as it is a proper/legal format) yet if it is not one which is available in the pull-down the router gets majorly screwed up.
It is not practical for me to go around my house turning every single device on which might at some point be connected to the router.
Do you think that creating a DHCP reservation for every single MAC in my house and using that in the rule instead might work?
Should I report this issue to Dlink support, do they monitor these forums anyway?
-
First off, the reason that names don't appear in the dynamic clients list is that the host name isn't filled in on the device.
Yes, it's recommended to turn off ALL devices then add them to the reservation one at a time ON the router.
-
It is not that the names don't appear (although it is true that some of them show as 'UNKNOWN'), rather it is that the MAC address doesn't appear in the pull-down. If I enter a MAC address which has not been previously recognized by the router then it screws up.
I will try adding all of them to the DHCP reservations list.
thanks
-
I created a DHCP reservation for every single device in my household. I created two access rules from scratch, one for the Block list and one for the Exception list, however this time instead of referencing the MAC addresses I used the IP. Note that like before, not all of the IPs were available via that Machine Name pull-down so I just typed the address in by hand.
Result: Same issue as before, i.e. when I enable the Block rule, everything on my home network loses access to the internet, even the computers which appear in the Exceptions rule.
I don't know what else to try, I am wondering now if I have something fundamentally wrong with the way I have set up the rules. Here is an overview of the rules which I have set:
The first rule (named: 'SslBlock') is set up as follows:
Filtering=Block some access
Logged=No
Schedule=StudyTime (5pm to 9pm weekdays)
IP address ending in 21
IP address ending in 22
IP address ending in 25
Apply Web Filter
Advanced Port Filters
The advanced port filter is set up for the full IP range, Port 443, UDP protocol
The second rule (named 'Exceptions_1') is set up as follows:
Filtering=Log web access only
Logged=yes
Schedule=Always
IP address ending in 20
IP address ending in 23
IP address ending in 24
IP address ending in 26
IP address ending in 30
IP ending in 20 is the administrator PC
Can you think of anything wrong with the rules which I have set?
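As an added example (not code from the thread or from D-Link), here is a small consistency check over the two rule sets posted above: the Test_Block/Test_Exceptions MAC lists and the SslBlock/Exceptions_1 IP lists. It reports a host that sits in both the block list and the exception list (the MAC ending in 83 appears in both), and a block-rule port filter for 443 on UDP, since HTTPS is carried over TCP. The rule representation, the 02:00:00:00:00:xx MAC prefix and the 192.168.0.x subnet are constructed assumptions; the thread only shows the last octet of each address.

```python
import re
from dataclasses import dataclass, field

HTTPS_PORT = 443          # HTTPS is TLS carried over TCP port 443
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

@dataclass
class PortFilter:
    start: int
    end: int
    protocol: str          # "TCP" or "UDP", as offered by the router UI

@dataclass
class Rule:                # assumed shape, not the router's own config format
    name: str
    hosts: list            # MAC or IP strings exactly as typed into the rule
    filtering: str         # "Block some access" or "Log web access only"
    port_filters: list = field(default_factory=list)

def host_kind(host: str) -> str:
    """Classify an identifier as 'mac', 'ip' or 'invalid' (format check only)."""
    h = host.strip().lower()
    if MAC_RE.match(h):
        return "mac"
    m = IPV4_RE.match(h)
    if m and all(int(octet) <= 255 for octet in m.groups()):
        return "ip"
    return "invalid"

def check_rules(block: Rule, exceptions: Rule) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for rule in (block, exceptions):
        seen = set()
        for h in rule.hosts:
            key = h.strip().lower()
            if host_kind(key) == "invalid":
                findings.append(f"{rule.name}: '{h}' is neither a MAC nor an IPv4 address")
            if key in seen:
                findings.append(f"{rule.name}: '{h}' is listed twice")
            seen.add(key)
    # A host in both lists: which rule wins is firmware behaviour the thread
    # never pins down, so report it instead of guessing.
    block_set = {h.strip().lower() for h in block.hosts}
    exc_set = {h.strip().lower() for h in exceptions.hosts}
    for h in sorted(block_set & exc_set):
        findings.append(f"'{h}' is in both {block.name} and {exceptions.name}")
    for pf in block.port_filters:
        if not (1 <= pf.start <= pf.end <= 65535):
            findings.append(f"{block.name}: port range {pf.start}-{pf.end} is invalid")
        elif pf.start <= HTTPS_PORT <= pf.end and pf.protocol.upper() != "TCP":
            findings.append(f"{block.name}: {HTTPS_PORT}/{pf.protocol} will not match HTTPS, which runs over TCP")
    return findings

# Constructed stand-ins for the rules posted in the thread: only the last octet
# of each address was shown, so the 02:00:00:00:00: prefix (locally
# administered MACs) and the 192.168.0.x subnet are assumptions.
def mac(last):
    return f"02:00:00:00:00:{last}"

def ip(last):
    return f"192.168.0.{last}"

TEST_BLOCK = Rule("Test_Block", [mac(x) for x in ("83", "09", "34", "14", "37", "6d")], "Block some access")
TEST_EXCEPTIONS = Rule("Test_Exceptions", [mac(x) for x in ("85", "63", "18", "83")], "Log web access only")
SSL_BLOCK = Rule("SslBlock", [ip(x) for x in (21, 22, 25)], "Block some access", [PortFilter(443, 443, "UDP")])
EXCEPTIONS_1 = Rule("Exceptions_1", [ip(x) for x in (20, 23, 24, 26, 30)], "Log web access only")

if __name__ == "__main__":
    for pair in ((TEST_BLOCK, TEST_EXCEPTIONS), (SSL_BLOCK, EXCEPTIONS_1)):
        for line in check_rules(*pair) or ["no inconsistencies found"]:
            print(line)
```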
-
Looks good...
What happens if you take out all managed devices and just set up the one MAC address that seems to cause the issue?
-
Well, from my experiments today I am left totally confused, it is as if the whole access control thing is broken ..
This time I am starting with much the same set of IPs as before, but for the Exceptions rule I changed it to use the same schedule (which at the moment should NOT be active as it is only defined for some weekdays, and it is Saturday today)..
The first rule (named: 'SslBlock') is set up as follows:
Filtering=Block some access
Logged=No
Schedule=StudyTime (5pm to 9pm weekdays)
IP address ending in 21
IP address ending in 22
IP address ending in 25
Apply Web Filter
Advanced Port Filters
The advanced port filter is set up for the full IP range, Port 443, UDP protocol
The second rule (named 'Exceptions_1') is set up as follows:
Filtering=Log web access only
Logged=yes
Schedule=StudyTime (5pm to 9pm weekdays)
IP address ending in 20
IP address ending in 23
IP address ending in 24
IP address ending in 26
IP address ending in 30
IP ending in 20 is the administrator PC
The following is the sequence that I used in deleting the IP addresses from each of the rules. Whilst doing this I was pinging my ISP to check when I lost internet connection and when it came back:
Step 1) Starting IP setup (above), RESULT: No internet
Step 2) Removed IP ending in 21, RESULT: when I hit the save button the router rebooted! Came back up with No internet
Step 3) Removed 22, RESULT: saved OK, No internet
Step 4) Removed 30, RESULT: saved OK, No internet
Step 5) Removed 26, RESULT: saved OK, No internet
Step 6) Removed 24, RESULT: saved OK, No internet
Step 7) Removed 23, RESULT: saved OK, No internet
So at this point my rules are basically:
'SslBlock':
IP address ending in 25
'Exceptions_1':
IP address ending in 30
And I still have no internet access!
Onto the next step ..
Step 8) Disabled the SslBlock rule, RESULT: Still no internet!
Step 9) Disabled the Exceptions_1, RESULT: Internet working again
At this point I haven't a clue what's going on, the access control/schedules seem to be following no logical pattern that I can determine
-
Have you tried to just add one device per rule that you set up and test the rule out? If it works with one, then graduate to adding the next device.
-
I did as you suggested, I set about creating two completely new rules ..
I started by creating the first rule (the blocking rule). As soon as I entered the UDP port start (443) and port end (443) and saved it, I lost connection to the internet. This was despite the following:
1. It was not within the time defined in the schedule I had applied to the rule
2. The computer which lost its internet connection (the admin PC) was not the IP which the rule applied to
Is there something illegal which I am doing with the UDP port range or something?
-
I suppose you don't have another router to test this out on. I suppose I should break out my 825 and test this out. Sounds like it might be an illegal parameter or configuration possibly.
-
Unfortunately I don't have any other router. Thanks for offering to try on your 825, do you want me to send you my saved config?
I have the config as I have it now, also I saved the config before I started adding the access rules
-
Ya that would be great, since we have the same Rev router it should work. Just make sure you remove any WiFi and Admin log in passwords then save off the config file. You can email it to my address listed in my profile.
Also curious, does this happen if you use a different port? Something not 443?
-
hello,
I was wondering if you have had a chance to test out my config on your DIR-825
thanks
-
Hey Bear, Sorry I have been doing some other things with router lately. I do have your config file and have reviewed it. I'll go play with this after work today and see if I can reproduce this. ;)
-
So I loaded it this evening and can't get in. Can you disable the graphical CAPTCHA and set the admin PW blank then save the config once more and email it to me.