Secure your Router - DIR-868L

tungsten2

Master Member
Joined
May 30, 2000
Messages
4,150
Reaction score
0
Notice :
1. Pls update to 1.09SHC. Avoid 1.07SHC.
2. Starhub updated their MTU to 1500. Do not use 1398 anymore !!!

For some time I have wanted to share my router settings with fellow Starhub fibre subscribers using the DLINK DIR-868L router issued by Starhub.

1. Parental Control - OpenDNS FamilyShield
- My experience is that when I use this option, my internet surfing improves a lot. I no longer experience any lag spikes. Even on 21-Oct, during the DDoS attack on the Starhub DNS server, I was totally unaware. My surfing was not interrupted at all.


Note : **FamilyShield blocks pornographic content, including our “Pornography,” “Tasteless,” and “Sexuality” categories, in addition to proxies and anonymizers (which can render filtering useless). It also blocks phishing and some malware.

For more information about OpenDNS Familyshield, do visit : https://www.opendns.com/about/press...ols-the-easiest-way-to-keep-kids-safe-online/


2. Firewall - Enable SPI & Anti-Spoof
- These 2 settings are disabled by default. I really don't understand what DLink is thinking. So many years in the networking industry and yet they disable these 2 very important settings.

SPI is configured to distinguish legitimate packets for different types of connections. Only packets matching a known active connection are allowed to pass the firewall. In simple terms, it blocks UNSOLICITED packets (not originating from your LAN).

Anti-Spoof is self-explanatory. Pls google if you want to know more details.

3. WPS - Wifi Protected Setup
- This setting is enabled by default (for the dumb and lazy)
- Another well-known vulnerable setting, yet Dlink enables it by default. Working against all these years of experience in the networking industry.
- Disable it by unticking the box beside it.

Why WPS is INSECURE ?
PIN is Mandatory
While push-button-connect is arguably secure, the PIN authentication method is the mandatory, baseline method that all certified WPS devices must support. That’s right — the WPS specification mandates that devices must implement the most insecure method of authentication.

Router manufacturers can’t fix this security problem because the WPS specification calls for the insecure method of checking PINs. Any device implementing Wi-Fi Protected Setup in compliance with the specification will be vulnerable. The specification itself is no good.

For more info, refer to here : http://www.howtogeek.com/176124/wi-...-is-insecure-heres-why-you-should-disable-it/

4. Disable UPnP IGD
- This setting is ENABLED by default. Untick the check box to prevent UPnP hacking.
- Some interesting reading on UPnP Hacking

- Even Asus AIProtection is checking this setting

5. Passwords
- Last but not least, for goodness sake, put a STRONG password on your router.

6. Firmware
- Update your latest firmware here : http://www.dlink.com.sg/starhub/
**please do a factory reset after the upgrade. Take note that all configuration will be lost after factory reset
**After reset, find the password at the bottom of the router. Dlink finally put in a password instead of leaving it blank. Also all wifi SSID & security are pre-configured. You will need to go to the router page to configure all the wireless settings.
**Thanks to Phumba for locating this link.


Missing
1. DHCP Query Frequency - One of the suspected reasons for Starhub intermittent connection
- that's why when connect direct ONT, you don't face this issue.
- somehow change to another Dir-868l and problem self-resolved. Looks like a router issue.

2. Wifi Schedule
- This feature was in the router manual however it is missing

3. clone mac address
- Enable this feature and performance will drop 50%
- happens to both my dlink router for the 1st & 2nd contract.
- Disabled and performance is back to Starhub typical broadband speed.


7. MTU Setting
Try running the MTU test. You can get it from here : http://www.softpedia.com/get/Network...MTU-Test.shtml
Set it on your router and do the speed test again.

Explanation
The MTU setting controls the maximum ethernet packet size your PC will send (you did know the Internet works in packets, didn't you?). Why a limit? Because although larger packets can be constructed and sent, your ISP and Internet backbone routers and equipment will chop up (fragment) any packets larger than their limit. These parts are then reassembled by the target equipment before reading. This fragmentation and reassembly is not optimal.

1398 is the optimum MTU Setting (For Starhub Users Only)
DO NOT round up to 1400, your packet will be fragmented

**Note : You add 28 bytes because 20 bytes are reserved for the IP header and 8 bytes must be allocated for the ICMP Echo Request header.
+------------------------+
| 12 bytes control flags | \
| 4 byte from address    |  |
| 4 byte to address      |  |- IP and ICMP header: 28 bytes
|------------------------|  |
| 8 byte ICMP header     | /
|------------------------|
| 1370 byte payload      |
|                        |
|                        |
|                        |
+------------------------+

Alternatively, a manual method to determine the MTU setting can be used.
Refer to this clear and concise FAQ from TP-Link: http://www.tp-link.com/us/FAQ-190.html

Configure MTU on PC
Start -> Run -> PowerShell (Must Run as Administrator)
netsh int ipv4 show subinterface
netsh int ipv4 set subinterface "Local Area Connection" mtu=1398 store=persistent
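
Added example, not part of the original post: a toy model of the two firewall settings from section 2, replayed over a constructed packet trace. The LAN range, idle timeout and all addresses are assumptions, NAT is left out for brevity, and treating Anti-Spoof as "drop WAN packets that claim a LAN source address" is the usual meaning of the term rather than D-Link's documented behaviour.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed LAN range
IDLE_TIMEOUT = 120                             # assumed idle timeout, seconds


class SpiFirewall:
    def __init__(self):
        # (proto, lan_ip, lan_port, wan_ip, wan_port) -> time last seen
        self.state = {}

    def outbound(self, now, proto, src, sport, dst, dport):
        """LAN -> WAN: allowed, and the connection is remembered."""
        self.state[(proto, src, sport, dst, dport)] = now
        return "ALLOW"

    def inbound(self, now, proto, src, sport, dst, dport):
        """WAN -> LAN: allowed only as a reply to a live connection."""
        # Anti-spoof: nothing arriving on the WAN side can have a LAN source.
        if ipaddress.ip_address(src) in LAN:
            return "DROP spoofed source"
        key = (proto, dst, dport, src, sport)  # reverse of the outbound tuple
        last = self.state.get(key)
        if last is None or now - last > IDLE_TIMEOUT:
            self.state.pop(key, None)          # unknown or expired
            return "DROP unsolicited"
        self.state[key] = now
        return "ALLOW"


# Constructed trace: (time, direction, proto, src, sport, dst, dport)
TRACE = [
    (0, "outbound", "tcp", "192.168.0.10", 50000, "203.0.113.5", 443),
    (1, "inbound", "tcp", "203.0.113.5", 443, "192.168.0.10", 50000),
    (2, "inbound", "tcp", "198.51.100.7", 443, "192.168.0.10", 50000),
    (3, "inbound", "udp", "192.168.0.1", 53, "192.168.0.10", 50000),
    (500, "inbound", "tcp", "203.0.113.5", 443, "192.168.0.10", 50000),
]


def replay(trace):
    """Return the firewall verdict for each packet in the trace."""
    fw = SpiFirewall()
    return [getattr(fw, direction)(t, *pkt) for t, direction, *pkt in trace]


if __name__ == "__main__":
    for packet, verdict in zip(TRACE, replay(TRACE)):
        print(packet, "->", verdict)
```
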
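
Added example, not part of the original post: the manual MTU test from section 7 automated as a binary search over the largest ping payload that passes with Don't Fragment set, plus the 28 header bytes. It works for any path MTU, not only 1398; the target host argument and the 548 to 1472 search bounds are assumptions.

```python
import platform
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IP header + 8-byte ICMP echo header


def ping_df(host, payload):
    """Send one echo request of `payload` bytes with Don't Fragment set."""
    if platform.system() == "Windows":
        cmd = ["ping", "-f", "-l", str(payload), "-n", "1", host]
    else:  # Linux iputils ping
        cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1", "-W", "2", host]
    out = subprocess.run(cmd, capture_output=True).stdout
    # A real echo reply prints "TTL=" (Windows) or "ttl=" (Linux);
    # "needs to be fragmented" / "message too long" errors do not.
    return b"ttl=" in out.lower()


def find_path_mtu(probe, low=548, high=1472):
    """Return the MTU given probe(payload) -> True if it passed unfragmented.

    `low` must be a payload that is expected to pass (548 + 28 = 576);
    `high` is the largest payload on plain Ethernet (1472 + 28 = 1500).
    """
    if not probe(low):
        raise RuntimeError("smallest probe failed; is the host reachable?")
    while low < high:
        mid = (low + high + 1) // 2  # round up so the loop always shrinks
        if probe(mid):
            low = mid                # mid fits: answer is mid or larger
        else:
            high = mid - 1           # mid was too big
    return low + IP_ICMP_OVERHEAD


if __name__ == "__main__":
    host = sys.argv[1]  # host to test against, supplied by the user
    print("MTU:", find_path_mtu(lambda size: ping_df(host, size)))
```
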
 

happily1986

Senior Member
Joined
Nov 27, 2007
Messages
980
Reaction score
22
Hey there, do you know whether the firmware provided by DLINK allows one to throttle bandwidth for specified ip clients?
 

tungsten2

It depends on what you are looking for. If you just want to speed up your browsing experience, go for Google DNS.

If you want security that comes with website filtering, go for OpenDNS Familyshield.

Does Google Public DNS offer the ability to block or filter out unwanted sites?

No. Google Public DNS is purely a DNS resolution and caching server; it does not perform any blocking or filtering of any kind, except that it may not resolve certain domains in extraordinary cases if we believe this is necessary to protect Google’s users from security threats. But we believe that blocking functionality is usually best performed by the client. If you are interested in enabling such functionality, you should consider installing a client-side application or browser add-on for this purpose.

Use Google dns, no worries.
 

tungsten2

Yes, the firmware does allow throttling the bandwidth of a PC/device IP address in the Local IP Range under the "Advance" -> "QOS Engine" section.

However, I do not use that, hence I am unable to advise how to use it correctly.

Hey there, do you know whether the firmware provided by DLINK allows one to throttle bandwidth for specified ip clients?
 

tungsten2

So far daily connection is rock stable and personally do not feel any slow down or lag.
 

hk7310

Senior Member
Joined
Jun 16, 2006
Messages
979
Reaction score
53
I am running firmware 1.10B04.ww. It is stable and the speed is quite constant. Satisfied with its performance. The only thing that I don't like is that there is no time schedule to switch off the wireless network.
 

tungsten2

From the manual, my version A seems to have it, but when I access the router, it is not there.
Looks like someone removed it.

happily1986

Yes, the firmware does allow throttling the bandwidth of a PC/device IP address in the Local IP Range under the "Advance" -> "QOS Engine" section.

However, I do not use that, hence I am unable to advise how to use it correctly.

Thanks. I will try it out and feedback here regarding the outcome.
 

tungsten2

DO NOT update to firmware SHC1.07
As per RMA Centre, this version is buggy.

Good Luck and Merry Christmas
 

Kiwi8

Honorary Member
Deluxe Member
Joined
May 3, 2001
Messages
128,402
Reaction score
10,115
There is a new firmware released : Firmware Version : 1.07SHC
Though you cannot find it on the dlink Singapore websites, if you go to your router page, under Tools -> Firmware, click on the "Check Now" button and you will be able to download it.

Good Luck and Merry Christmas

I thought the latest firmware is 1.10 liao, and it was released April 2015 already.
 

Ah-Pin-Kor

Great Supremacy Member
Joined
Apr 2, 2008
Messages
54,433
Reaction score
1,334
1.10 is the standard D-Link version.
those with SHC suffix are the ones that come with Starhub-provided routers.
 

Phumba

Member
Joined
Jul 30, 2016
Messages
271
Reaction score
0
There is a new firmware released : Firmware Version : 1.07SHC
Though you cannot find it on the dlink Singapore websites, if you go to your router page, under Tools -> Firmware, click on the "Check Now" button and you will be able to download it.

Good Luck and Merry Christmas

Thank you for your kind heads up.

What's the news on the new firmware version? Any report on improvements/benefits?

DLink Singapore should really learn how to provide release notes.
 

Phumba

Dlink have yet to post the release note

I ran a random google search and it came up with this....
http://www.dlink.com.sg/starhub/

I didn't even know there was a dedicated Dlink Starhub page.

In the ZIP download, there is a release note, which states:

Release Note FW 1.07

Enhanced Security on admin login: WIFI default password as Router WEB GUI admin login password after factory reset


For FW 1.03 upgrade to FW 1.07, please do a factory reset after the upgrade. Take note that all configuration will be lost after factory reset
 