View Single Post
Old 08-11-2016, 11:06 AM   #1
Master Member
tungsten2's Avatar
Join Date: May 2000
Posts: 4,182
Secure your Router - DIR-868L

Notice :
1. Pls update to 1.09SHC Avoid 1.07SHC
2. Starhub updated their MTU to 1500. Do not use 1398 anymore !!!

It has been sometime I would like to share my router settings with fellow Starhub fibre subscribers using the DLINK DIR-868L router issued by Starhub.

1. Parental Control - OpenDNS FamilyShield
- my experience is when I use this option, my internet surfing improve a lot.I no longer experience any lag spike. Even on 21-Oct when the DDoS attack on Starhub DNS Server, I am totally not aware. My surfing is not interrupted at all.

Note : **FamilyShield block pornographic content, including our “Pornography,” “Tasteless,” and “Sexuality” categories, in addition to proxies and anonymizers (which can render filtering useless). It also blocks phishing and some malware.

For more information about OpenDNS Familyshield, do visit :

2. Firewall - Enable SPI & Anti-Spoof
-these 2 settings are disable by default. I really don't understand what DLink is thinking. So many years in the networking industry and yet they disable these 2 very important settings.

SPI is configured to distinguish legitimate packets for different types of connections. Only packets matching a known active connection are allowed to pass the firewall. In simple terms, it blocks UNSOLICITED packets (not originating from your LAN.

Anti-Spoof is self-explainatory. Pls google if you want to know more details.

3. WPS - Wifi Protected Setup
- This setting is enabled by default (for the dumb and lazy)
- Another well known vulernable setting, yet Dlink enable it by default. Working against all these years of experience in the networking industry.
- Disable it by untick the box beside.

PIN is Mandatory
While push-button-connect is arguably secure, the PIN authentication method is the mandatory, baseline method that all certified WPS devices must support. That’s right — the WPS specification mandates that devices must implement the most insecure method of authentication.

Router manufacturers can’t fix this security problem because the WPS specification calls for the insecure method of checking PINs. Any device implementing Wi-FI Protected Setup in compliance with the specification will be vulnerable. The specification itself is no good.

For more info, refer to here :

4. Disable UPnP IGD
- This settings is ENABLED BY default. Untick the check box to prevent UPnP hacking.
- Some interesting reading on UPnP Hacking

- Even Asus AIProtection is checking this settings

5. Passwords
- Last but now least , for goodness sake, put a STRONG Password for your router.

6. Firmware
- Update your latest firmware here :
**please do a factory reset after the upgrade. Take note that all configuration will be lost after factory reset
**After reset, find the password at the bottom of the router. Dlink finally put in a password instead of leaving it blank. Also all wifi SSID & security are pre-configured. You will need to go to the router page to configure all the wireless settings.
**Thanks to Phumba for locating this link.

1. DHCP Query Frequency - One of the suspected reason for Starhub intermitten connection
- that's why when connect direct ONT, you don't face this issue.
- somehow change to another Dir-868l and problem self-resolved. Looks like a router issue.

2. Wifi Schedule
- This feature was in the router manual however it is missing

3. clone mac address
- Enable this feature and performance will drop 50%
- happens to both my dlink router for the 1st & 2nd contract.
- Disabled and performance is back to Starhub typical broadband speed.

7. MTU Setting
Try run the MTU test. You can get it from here :
Set it on your router and do the speed test again.

The MTU setting controls the maximum ethernet packet size your PC will send (you did know the Internet works in packets, didn't you?). Why a limit? Because although larger packets can be constructed and sent, your ISP and Internet backbone routers and equipment will chop up (fragment) any packets larger than their limit. These parts are then reassembled by the target equipment before reading. This fragmentation and reassembly is not optimal.

1398 is the optimum MTU Setting (For Starhub Users Only)
DO NOT round up to 1400, your packet will be fragmented

**Note : You add 28 bytes because 20 bytes are reserved for the IP header and 8 bytes must be allocated for the ICMP Echo Request header.
| 12 bytes control flags | \
| 4 byte from address | |
| 4 byte to address | |- IP and ICMP header: 28 bytes
|------------------------ | |
| 8 byte ICMP header | /
|------------------------ |
| 1370 byte payload |
| |
| |
| |

Alternatively manual method to determine MTU Setting can done.
Refer to this clear and concise faq from TP-Link :

Confugre MTU on PC
Start -> Run -> PowerShell (Must Run as Administrator)
netsh int ipv4 show subinterface
netsh int ipv4 set subinterface "Local Area Connection" mtu=1398 store=persistent

Last edited by tungsten2; 16-07-2017 at 09:24 AM..
tungsten2 is offline   Reply With Quote