
Author Topic: Problems with access control and blocking SSL to only some MACs  (Read 20841 times)

bbear

  • Level 1 Member
  • *
  • Posts: 24
Problems with access control and blocking SSL to only some MACs
« on: January 25, 2012, 09:35:08 PM »

Hello,
Some time ago, after some digging I managed to set up my DIR-825 to block https/SSL accesses from one of the computers in my house. I recall doing this by setting up a port filter rule to block port 443 for UDP.

Unfortunately my DIR-825 got majorly screwed up the other day and I ended up losing my setup because of having to do a factory reset. I did have a saved config, but unfortunately it was before I figured out the SSL blocking stuff.

I had scoured these forums again and thought that I had found the original post which helped me (http://forums.dlink.com/index.php?topic=8057.msg47863#msg47863) but for some reason it is not working now.

I have two rules set up under Advanced/Access Control

The first rule (named: 'SslBlock') is set up as follows:

  Filtering=Block some access
  Logged=No
  Schedule=StudyTime (5pm to 9pm weekdays)
  MAC address (ending in 66:09)
  Apply Web Filter
  Advanced Port Filters

The advanced port filter is set up for the full IP range, Port 443, UDP protocol


The second rule (named 'Exceptions_1') is set up as follows:

  Filtering=Log web access only
  Logged=yes
  Schedule=Always
  MAC address (ending in D8:C3, which is the main/administrator PC)

The problem I am getting is that when I enable the first rule, it blocks all internet traffic to BOTH computers. From what I can figure out, it should NOT affect the main/admin PC (MAC ending in D8:C3) because of the 'exception' rule which I created.

My DIR-825 is flashed to 2.05NA

Could someone please help?

thanks in advance




Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Problems with access control and blocking SSL to only some MACs
« Reply #1 on: January 30, 2012, 06:59:47 AM »

What ISP Service do you have? Cable or DSL?
What ISP Modem do you have? Stand Alone or built in router?
What ISP Modem make and model do you have?
If this modem has a built in router, it's best to bridge the modem. Having 2 routers on the same line can cause connection problems. To tell if the modem is bridged or not, look at the router's web page, Status/Device Info/Wan Section, if there is a 192.168.0.# address in the WAN IP address field, then the modem is not bridged.

Some things to try:
Ensure DNS IP addresses are being filled in under Setup/Internet/Manual? You can find these under Status/Device Info/Wan section.
Turn off ALL QoS (DIR only) GameFuel (DGL only and if ON.) options. Advanced/QoS or Gamefuel.
Turn off Advanced DNS Services if you have this option under Setup/Internet/Manual.
Turn on DNS Relay under Setup/Networking.
Setup DHCP reserved IP addresses for all devices ON the router. Setup/Networking
Ensure devices are set to auto obtain an IP address.

Set Firewall settings to Endpoint Independent for TCP and UDP under Advanced/Firewall.
Enable uPnP and Multi-cast Streaming under Advanced/Networking.
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

bbear

  • Level 1 Member
  • *
  • Posts: 24
Re: Problems with access control and blocking SSL to only some MACs
« Reply #2 on: January 30, 2012, 08:21:15 PM »

Thanks for your help and suggestions, before I answer your questions I wanted to mention that over the weekend I did a 30-30-30 reset procedure, then updated (with some difficulty) to 2.06NA firmware. Unfortunately I am still seeing the same problems. On to your questions:

ISP service: ADSL
ISP Modem: TP-LINK ADSL2+, Model TD-8816 (this is a replacement which I bought for my ISP supplied Siemens router (which I used in bridge mode). The Siemens broke down). I have been using this TP-Link for some time and it has never given me problems.

Your suggestions:
1) Ensure DNS IP addresses are being filled..
I am not sure what you mean, do you mean that I should check that all devices in my DHCP Reservations List should be assigned the IP I specified?

2) Turn off ALL QoS..
Don't I need this enabled for my home network to run smoothly? (given that I am streaming HD media, and do a variety of different things on my network)

3) Turn off Advanced DNS Services..
This is already turned OFF

4) Turn on DNS Relay..
This is already ON

5) Set up DHCP reserved IP addresses..
Do you mean that I should do this for all the devices which are physically connected to my DIR-825, or do I also need to include wireless devices?

6) Enable uPnP and Multi-cast Streaming..
uPnP was already ON. Multicast was only enabled for IPv6

Note,
I had set up my DIR-825 previously and had it working where it would block SSL access for only certain MACs and only during a particular schedule. I cannot figure out why the same configuration isn't working any more. I am pretty sure also that I was running 2.06NA firmware when it was working.

I have had many occasions however where I would need to go in and turn off an access rule, or turn one on and the rules were not being applied as according to the ones in the list with the check-marks by them. One 'workaround' that seemed to work some of the time was to turn off all Access Control and enable it again.

I had assumed that it was because I had accumulated a load of junk in the NVRAM (hence the 30-30-30 reset), but maybe it was an indicator of some bigger issue.
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Problems with access control and blocking SSL to only some MACs
« Reply #3 on: January 31, 2012, 08:47:51 AM »

> Thanks for your help and suggestions, before I answer your questions I wanted to mention that over the weekend I did a 30-30-30 reset procedure, then updated (with some difficulty) to 2.06NA firmware. Unfortunately I am still seeing the same problems. On to your questions:

Review the FW Update sticky for update processes.
http://forums.dlink.com/index.php?topic=42442.0

> ISP service: ADSL
> ISP Modem: TP-LINK ADSL2+, Model TD-8816 (this is a replacement which I bought for my ISP supplied Siemens router (which I used in bridge mode). The Siemens broke down). I have been using this TP-Link for some time and it has never given me problems.

To tell if the modem is bridged or not, look at the router's web page, Status/Device Info/Wan Section, if there is a 192.168.0.# address in the WAN IP address field, then the modem is not bridged.

> Your suggestions:
> 1) Ensure DNS IP addresses are being filled..
> I am not sure what you mean, do you mean that I should check that all devices in my DHCP Reservations List should be assigned the IP I specified?

Ensure DNS IP addresses are being filled in under Setup/Internet/Manual on the router.

> 2) Turn off ALL QoS..
> Don't I need this enabled for my home network to run smoothly? (given that I am streaming HD media, and do a variety of different things on my network)

This is only temporarily so that we can eliminate router processing while we're trying to figure out the correct configuration. Can turn this back on later.

> 3) Turn off Advanced DNS Services..
> This is already turned OFF
>
> 4) Turn on DNS Relay..
> This is already ON
>
> 5) Set up DHCP reserved IP addresses..
> Do you mean that I should do this for all the devices which are physically connected to my DIR-825, or do I also need to include wireless devices?

ALL devices, wired and wireless.

> 6) Enable uPnP and Multi-cast Streaming..
> uPnP was already ON. Multicast was only enabled for IPv6
>
> Note,
> I had set up my DIR-825 previously and had it working where it would block SSL access for only certain MACs and only during a particular schedule. I cannot figure out why the same configuration isn't working any more. I am pretty sure also that I was running 2.06NA firmware when it was working.

What FW version was previously loaded before you updated to 2.06?

> I have had many occasions however where I would need to go in and turn off an access rule, or turn one on and the rules were not being applied as according to the ones in the list with the check-marks by them. One 'workaround' that seemed to work some of the time was to turn off all Access Control and enable it again.

Any possible mis-configuration on how you are entering the rules in? How are you inputting the information? Need more detail here.

> I had assumed that it was because I had accumulated a load of junk in the NVRAM (hence the 30-30-30 reset), but maybe it was an indicator of some bigger issue.

Not sure if the 30 30 30 is supported on these routers. I use the FW process in the FW Update sticky for all updates when needed.

Turn off all anti virus and firewall programs on PC while testing. 3rd party firewalls are not generally needed when using routers as they are effective on blocking malicious inbound traffic. Also could interfere with router and Internet connections.

What are your Firewall settings set for?
Logged

bbear

  • Level 1 Member
  • *
  • Posts: 24
Re: Problems with access control and blocking SSL to only some MACs
« Reply #4 on: January 31, 2012, 09:59:57 AM »

I will try your suggestions and gather the information when I get home tonight. However I wanted to bring up a concern I have with regards to the firmware upgrade which I performed. I am wondering if I should do another firmware upgrade (the proper way this time) before continuing with the investigations.

Before I upgraded to 2.06NA I was running 2.05NA. Does this constitute a ‘major firmware upgrade’ and therefore requires me to start configuring from scratch (as opposed to loading my saved config)?

I wish that I had read that sticky on firmware update procedure. I realize now that in doing the 30-30-30 procedure I had in fact performed the disaster recovery. The PC I was running it from was connected via an Ethernet cable and was set to static IP so I fulfilled that requirement ok – so that was very fortunate.

The ‘with difficulty’ I mentioned earlier was because it never returned with ‘success’ at the end of the 30-30-30 reset. At this point I was nervous about removing power from the device so because of having no better idea I slammed the Dlink install CD into my PC (the disk which came with the router originally) and was able to get the router up that way. The router is now up and running (apart from the original issue we are trying to resolve here) so presumably the ‘unconventional’ method hasn’t done any damage.

Note, since the upgrade to 2.06NA I sometimes have problems logging into the router as admin, it is as if it thinks I am typing the password badly. I have seen this issue before on occasion and every time it makes me panic thinking  I might never be able to log into it again.

Is this a known issue and do you think it warrants me doing the firmware upgrade again?
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Problems with access control and blocking SSL to only some MACs
« Reply #5 on: January 31, 2012, 10:12:33 AM »

> I will try your suggestions and gather the information when I get home tonight. However I wanted to bring up a concern I have with regards to the firmware upgrade which I performed. I am wondering if I should do another firmware upgrade (the proper way this time) before continuing with the investigations.
>
> Before I upgraded to 2.06NA I was running 2.05NA. Does this constitute a ‘major firmware upgrade’ and therefore requires me to start configuring from scratch (as opposed to loading my saved config)?

Revision Info:
¤ Fixed: IPv6 issue.
¤ Added: IPv6 routing table in status.

So this was the only item that was done for 2.06. When I got my 825, it had 2.02 on it and it worked well then and it's not now at 2.05. I'm not upgrading to 2.06 unless DLink wants me to, to test to compare with another user or when my ISP starts to support IPv6. I recommend that if your ISP doesn't support IPv6 at this time, you really don't need 2.06. I would go back to 2.05 or the last known good working FW version that worked for you.

> I wish that I had read that sticky on firmware update procedure. I realize now that in doing the 30-30-30 procedure I had in fact performed the disaster recovery. The PC I was running it from was connected via an Ethernet cable and was set to static IP so I fulfilled that requirement ok – so that was very fortunate.
>
> The ‘with difficulty’ I mentioned earlier was because it never returned with ‘success’ at the end of the 30-30-30 reset. At this point I was nervous about removing power from the device so because of having no better idea I slammed the Dlink install CD into my PC (the disk which came with the router originally) and was able to get the router up that way. The router is now up and running (apart from the original issue we are trying to resolve here) so presumably the ‘unconventional’ method hasn’t done any damage.
>
> Note, since the upgrade to 2.06NA I sometimes have problems logging into the router as admin, it is as if it thinks I am typing the password badly. I have seen this issue before on occasion and every time it makes me panic thinking I might never be able to log into it again.

I have seen some issues with this however usually on my mac. There are some routers, specially with the DGL-4500 that if you type in the PW and then hit enter on the keyboard, for some reason the router returns an incorrect log in message. However if you click on the Log-In button with the mouse it goes in correctly. What browser do you use? I use Opera and IE 9, mostly Opera. Try a different browser like Opera or FF.

> Is this a known issue and do you think it warrants me doing the firmware upgrade again?

I recommend going back to 2.05. Even though mine's working as an AP right now, when I had it as host router, it was very solid and working VERY well.

Maybe someone can review your router settings with you using teamviewer.

Keep us posted.
Logged

bbear

  • Level 1 Member
  • *
  • Posts: 24
Re: Problems with access control and blocking SSL to only some MACs
« Reply #6 on: February 03, 2012, 08:52:48 AM »

Sorry for the delay but my children had had exams all week and have been studying and I have been unable to spend time messing with my DIR-825 as they need reliable internet access for their studies.

I have managed to try some of the things you suggested but nothing has worked yet, here are the ones which I have tried..

1) Ensure DNS IP addresses are being filled - DONE
2) Turn off ALL QoS - DONE
3) Turn off Advanced DNS Services. (already DONE)
4) Turn on DNS Relay.. (already DONE)
6) Enable uPnP and Multi-cast Streaming.. - DONE

I have NOT yet tried your suggestion..
5) Set up DHCP reserved IP addresses..

I will try this at the weekend. If that doesn't fix the issue I plan to do a factory reset and reconfigure from scratch. And if that fails I will downgrade to 2.05NA firmware and configure that from scratch.

thanks for your help
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Problems with access control and blocking SSL to only some MACs
« Reply #7 on: February 03, 2012, 09:37:04 AM »

Ok, keep us posted.
Logged

bbear

  • Level 1 Member
  • *
  • Posts: 24
Re: Problems with access control and blocking SSL to only some MACs
« Reply #8 on: February 04, 2012, 12:00:33 PM »

Well, I discovered a very interesting problem which makes absolutely no sense. Here is what I did..

1. performed factory reset
2. installed 2.05 firmware (part 1, then part 2)
3. installed 2.06 firmware
4. configured the router from scratch, matching the settings to what I had previously (which I had conveniently printed screenshots). Note, before configuring access control page I saved the config

At this point the router seemed to be working perfectly (apart from the access control stuff since I had not added this yet).

Next I set about adding the access control settings. I kept it simple, creating two rules, one lists all the computers which I want to block access to, the other rule is for the computers which I want to be excluded (i.e. wifi printer, Skype phone, my admin PC (the one directly connected to the router))

What I discovered is that there is one MAC, ending in 37 (an iPod touch) which when I add it to the Block rule it kills access to the internet on my admin PC - even though the admin PC is in the exclusion rule!

Here is what the rules look like:

Rule: Test_Block
Machines:
xx:xx:xx:xx:xx:83
xx:xx:xx:xx:xx:09
xx:xx:xx:xx:xx:34
xx:xx:xx:xx:xx:14
xx:xx:xx:xx:xx:37
xx:xx:xx:xx:xx:6d
Filtering: Block some access (applies a web filter)
Schedule: always


Rule: Test_Exceptions
Machines:
xx:xx:xx:xx:xx:85
xx:xx:xx:xx:xx:63
xx:xx:xx:xx:xx:18
xx:xx:xx:xx:xx:83
Filtering: Log web access only
Schedule: always

The machine ending in 63 is the admin PC, i.e. the one which is directly connected to the router via Ethernet cable.

If I remove the machine ending in 37 from the Test_Block rule everything works fine on the admin PC.

BTW, I remember now one reason why I updated to 2.06 f/w was to fix a problem where a particular MAC address could not be entered when using the 2.05 f/w. I can't remember what was special with the address, but 2.06 fixed the problem. For this reason I would prefer to stick with 2.06

Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Problems with access control and blocking SSL to only some MACs
« Reply #9 on: February 04, 2012, 12:23:03 PM »

wow so the ipod and its MAC address breaks the Mac Filtering rule you set up if you include it?
Logged

bbear

  • Level 1 Member
  • *
  • Posts: 24
Re: Problems with access control and blocking SSL to only some MACs
« Reply #10 on: February 04, 2012, 01:42:00 PM »

Yes that's what is happening. Also, the MAC just has to be assigned to Test_Block access rule, the ipod itself does not have to be turned on for the problem to happen.
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Problems with access control and blocking SSL to only some MACs
« Reply #11 on: February 04, 2012, 01:43:45 PM »

Well sounds like you found the problem. Not sure if this is a bug in FW or what. I presume that if that particular MAC isn't used on the 825 that everything works correctly?
Logged

bbear

  • Level 1 Member
  • *
  • Posts: 24
Re: Problems with access control and blocking SSL to only some MACs
« Reply #12 on: February 05, 2012, 10:25:53 AM »

Yes, if I omit that MAC from the Test_Block rule then the router appears to work ok. However, today I did some more experimenting and discovered something which may point to the root of the problem:

First let me mention that not all of the MAC addresses which I included in the Test_Block rule were available via the 'Computer Name' pull-down. Instead, because I had previously written down the MAC addresses for all the computers in my household (including iPods, etc), I added the MAC addresses for everything I wanted blocked even if it was available in the pull-down or not.

So, looking again at the original Test_Block list:

Rule: Test_Block
Machines:
xx:xx:xx:xx:xx:83
xx:xx:xx:xx:xx:09
xx:xx:xx:xx:xx:34
xx:xx:xx:xx:xx:14
xx:xx:xx:xx:xx:37
xx:xx:xx:xx:xx:6d

Of the above, only the one ending in 14 does not appear in the 'Computer Name' pull down. (presumably because that computer had not been powered up since I reset and reconfigured the router). This is actually the one before the iPod (37) which removing from the list appeared to ‘fix’ the issue before.

So I tried deleting the 14 entry from the rule but at that point my admin PC (one connected via Ethernet cable to the router) became disconnected and would not re-connect. I ended up power-cycling my router to recover from this state.

So what I did next was to disable the rule first, then delete the MAC ending in 14. This worked, and it saved the modified rule and everything is working fine again!

So it appears that there is an issue with the DIR-825 if you enter MAC addresses which are not available via that pull-down 'Computer Name'.

It seems crazy to me that the router provides a field which you can type any MAC address, real or not (so long as it is a proper/legal format) yet if it is not one which is available in the pull-down the router gets majorly screwed up.

It is not practical for me to go around my house turning every single device on which might at some point be connected to the router.

Do you think that creating a DHCP reservation for every single MAC in my house and using that in the rule instead might work?

Should I report this issue to Dlink support, do they monitor these forums anyway?




Logged
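
An added example, not part of any post in this thread and not D-Link code: a small Python audit of the two rule listings posted above, parsed in the layout they were posted in. It reports a MAC that is listed in more than one rule and a MAC the router has not already seen; `KNOWN_CLIENTS` is a constructed stand-in for the 'Computer Name' pull-down, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Rule listings as posted in the thread (MACs masked by the poster).
RULES_TEXT = """\
Rule: Test_Block
Machines:
xx:xx:xx:xx:xx:83
xx:xx:xx:xx:xx:09
xx:xx:xx:xx:xx:34
xx:xx:xx:xx:xx:14
xx:xx:xx:xx:xx:37
xx:xx:xx:xx:xx:6d
Filtering: Block some access (applies a web filter)
Schedule: always

Rule: Test_Exceptions
Machines:
xx:xx:xx:xx:xx:85
xx:xx:xx:xx:xx:63
xx:xx:xx:xx:xx:18
xx:xx:xx:xx:xx:83
Filtering: Log web access only
Schedule: always
"""

# Constructed stand-in for the 'Computer Name' pull-down: every MAC above except
# the one ending in 14 (reported missing); the Test_Exceptions ones are assumed.
KNOWN_CLIENTS = {"xx:xx:xx:xx:xx:" + tail
                 for tail in ("83", "09", "34", "37", "6d", "85", "63", "18")}

# Real hex octets, or the 'xx' mask used in the thread.
MAC_RE = re.compile(r"(?:[0-9a-f]{2}|xx)(?::(?:[0-9a-f]{2}|xx)){5}")

def normalize_mac(text):
    mac = text.strip().lower().replace("-", ":")
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not a MAC address: {text!r}")
    return mac

def parse_rules(text):
    """Parse 'Rule:/Machines:/Filtering:/Schedule:' blocks into a dict."""
    rules, current, in_machines = {}, None, False
    for line in filter(None, map(str.strip, text.splitlines())):
        key, _, value = line.partition(":")
        key, value = key.lower(), value.strip()
        if key == "rule":
            current = rules.setdefault(value, {"machines": []})
            in_machines = False
        elif current is None:
            raise ValueError(f"line outside any rule: {line!r}")
        elif key == "machines" and not value:
            in_machines = True
        elif key in ("filtering", "schedule"):
            current[key], in_machines = value, False
        elif in_machines:
            current["machines"].append(normalize_mac(line))
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return rules

def audit(rules, known_clients):
    """Report MACs listed in several rules and MACs the router has not seen."""
    seen_in = defaultdict(list)
    for name, rule in rules.items():
        for mac in rule["machines"]:
            seen_in[mac].append(name)
    overlaps = {m: n for m, n in seen_in.items() if len(set(n)) > 1}
    unknown = sorted((name, m) for m, n in seen_in.items()
                     if m not in known_clients for name in n)
    return {"overlaps": overlaps, "unknown": unknown}

if __name__ == "__main__":
    print(audit(parse_rules(RULES_TEXT), KNOWN_CLIENTS))
```

On the listings as posted, the audit reports the entry ending in 83 under both Test_Block and Test_Exceptions, and the entry ending in 14 as not yet seen by the router.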

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Problems with access control and blocking SSL to only some MACs
« Reply #13 on: February 05, 2012, 01:14:26 PM »

First off, the reason that names don't appear in the dynamic clients is that the host name isn't filled in on the device.

Yes, it's recommended to turn off ALL devices then add them to the reservation one at a time ON the router.
Logged

bbear

  • Level 1 Member
  • *
  • Posts: 24
Re: Problems with access control and blocking SSL to only some MACs
« Reply #14 on: February 05, 2012, 01:44:19 PM »

It is not that the names don't appear (although it is true that some show as 'UNKNOWN') rather it is that the MAC address doesn't appear in the pull-down. If I enter a MAC address which has not been previously recognized by the router then it screws up.

I will try adding all of them to the DHCP reservations list.

thanks
« Last Edit: February 05, 2012, 02:13:06 PM by bbear »
Logged