www.hardwarezone.com.sg (/)
-   Internet Bandwidth & Networking Clinic (https://forums.hardwarezone.com.sg/internet-bandwidth-networking-clinic-4/)
-   -   Secure your Router - DIR-868L (https://forums.hardwarezone.com.sg/internet-bandwidth-networking-clinic-4/secure-your-router-dir-868l-5499216.html)

tungsten2 08-11-2016 11:06 AM

Secure your Router - DIR-868L
Notice :
1. Pls update to 1.09SHC Avoid 1.07SHC
2. Starhub updated their MTU to 1500. Do not use 1398 anymore !!!

It has been sometime I would like to share my router settings with fellow Starhub fibre subscribers using the DLINK DIR-868L router issued by Starhub.

1. Parental Control - OpenDNS FamilyShield
- my experience is when I use this option, my internet surfing improve a lot.I no longer experience any lag spike. Even on 21-Oct when the DDoS attack on Starhub DNS Server, I am totally not aware. My surfing is not interrupted at all.


Note : **FamilyShield block pornographic content, including our “Pornography,” “Tasteless,” and “Sexuality” categories, in addition to proxies and anonymizers (which can render filtering useless). It also blocks phishing and some malware.

For more information about OpenDNS Familyshield, do visit : https://www.opendns.com/about/press-...s-safe-online/

2. Firewall - Enable SPI & Anti-Spoof
-these 2 settings are disable by default. I really don't understand what DLink is thinking. So many years in the networking industry and yet they disable these 2 very important settings.

SPI is configured to distinguish legitimate packets for different types of connections. Only packets matching a known active connection are allowed to pass the firewall. In simple terms, it blocks UNSOLICITED packets (not originating from your LAN.

Anti-Spoof is self-explainatory. Pls google if you want to know more details.

3. WPS - Wifi Protected Setup
- This setting is enabled by default (for the dumb and lazy)
- Another well known vulernable setting, yet Dlink enable it by default. Working against all these years of experience in the networking industry.
- Disable it by untick the box beside.

PIN is Mandatory
While push-button-connect is arguably secure, the PIN authentication method is the mandatory, baseline method that all certified WPS devices must support. That’s right — the WPS specification mandates that devices must implement the most insecure method of authentication.

Router manufacturers can’t fix this security problem because the WPS specification calls for the insecure method of checking PINs. Any device implementing Wi-FI Protected Setup in compliance with the specification will be vulnerable. The specification itself is no good.

For more info, refer to here : http://www.howtogeek.com/176124/wi-f...ld-disable-it/

4. Disable UPnP IGD
- This settings is ENABLED BY default. Untick the check box to prevent UPnP hacking.
- Some interesting reading on UPnP Hacking

- Even Asus AIProtection is checking this settings

5. Passwords
- Last but now least , for goodness sake, put a STRONG Password for your router.

6. Firmware
- Update your latest firmware here : http://www.dlink.com.sg/starhub/
**please do a factory reset after the upgrade. Take note that all configuration will be lost after factory reset
**After reset, find the password at the bottom of the router. Dlink finally put in a password instead of leaving it blank. Also all wifi SSID & security are pre-configured. You will need to go to the router page to configure all the wireless settings.
**Thanks to Phumba for locating this link.

1. DHCP Query Frequency - One of the suspected reason for Starhub intermitten connection
- that's why when connect direct ONT, you don't face this issue.
- somehow change to another Dir-868l and problem self-resolved. Looks like a router issue.

2. Wifi Schedule
- This feature was in the router manual however it is missing

3. clone mac address
- Enable this feature and performance will drop 50%
- happens to both my dlink router for the 1st & 2nd contract.
- Disabled and performance is back to Starhub typical broadband speed.

7. MTU Setting
Try run the MTU test. You can get it from here : http://www.softpedia.com/get/Network...MTU-Test.shtml
Set it on your router and do the speed test again.

The MTU setting controls the maximum ethernet packet size your PC will send (you did know the Internet works in packets, didn't you?). Why a limit? Because although larger packets can be constructed and sent, your ISP and Internet backbone routers and equipment will chop up (fragment) any packets larger than their limit. These parts are then reassembled by the target equipment before reading. This fragmentation and reassembly is not optimal.

1398 is the optimum MTU Setting (For Starhub Users Only)
DO NOT round up to 1400, your packet will be fragmented
**Note : You add 28 bytes because 20 bytes are reserved for the IP header and 8 bytes must be allocated for the ICMP Echo Request header.
| 12 bytes control flags | \
| 4 byte from address | |
| 4 byte to address | |- IP and ICMP header: 28 bytes
|------------------------ | |
| 8 byte ICMP header | /
|------------------------ |
| 1370 byte payload |
| |
| |
| |

Alternatively manual method to determine MTU Setting can done.
Refer to this clear and concise faq from TP-Link :http://www.tp-link.com/us/FAQ-190.html

Confugre MTU on PC
Start -> Run -> PowerShell (Must Run as Administrator)
netsh int ipv4 show subinterface
netsh int ipv4 set subinterface "Local Area Connection" mtu=1398 store=persistent

happily1986 30-11-2016 02:04 AM

Hey there, do you know whether the firmware provided by DLINK allows one to throttle bandwidth for specified ip clients?

tungsten2 30-11-2016 07:20 AM

Let me check tonight

cpuer 30-11-2016 07:34 AM

Nice and useful info :D

chesterqw 30-11-2016 07:37 AM

Use Google dns, no worries.

tungsten2 30-11-2016 03:57 PM

It depends on what are you looking for. If you just want speed up browsing experience, go for Google DNS.

If you want security that comes with website filtering, go for OpenDNS Familyshield.

Does Google Public DNS offer the ability to block or filter out unwanted sites?

No. Google Public DNS is purely a DNS resolution and caching server; it does not perform any blocking or filtering of any kind, except that it may not resolve certain domains in extraordinary cases if we believe this is necessary to protect Google’s users from security threats. But we believe that blocking functionality is usually best performed by the client. If you are interested in enabling such functionality, you should consider installing a client-side application or browser add-on for this purpose.


Originally Posted by chesterqw (Post 104997845)
Use Google dns, no worries.

jury_pack 30-11-2016 04:28 PM


Originally Posted by chesterqw (Post 104997845)
Use Google dns, no worries.

Google dns can be easily hijacked.

tungsten2 30-11-2016 08:39 PM

Yes, the firmware do allow to throttle bandwidth of the PC/device IP address in the Local IP Range under the "Advance" -> "QOS Engine" Section.

However I do not use that, hence unable to advice how to use that correctly.


Originally Posted by happily1986 (Post 104996982)
Hey there, do you know whether the firmware provided by DLINK allows one to throttle bandwidth for specified ip clients?

popimac 05-12-2016 09:34 AM

Bookmarked. thanks TS

Sent from OnePlus ONE A2003 using GAGT

Phumba 05-12-2016 09:16 PM


Originally Posted by tungsten2 (Post 104618441)

Can confirm if this will not slow down the connection? Just wondering.

tungsten2 06-12-2016 07:03 AM

So far daily connection is rock stable and personally do not feel any slow down or lag.

hk7310 06-12-2016 12:42 PM

I am running firmware 1.10B04.ww. It is stable and the speed is quite constant. Satisfy its performance. The only thing that I don't like is there has no time schedule to switch off the wireless network.

tungsten2 06-12-2016 07:05 PM

From the manual, my version A seems to have but when I access the router, it is not there.
Looks like someone remove it.

happily1986 08-12-2016 05:46 PM


Originally Posted by tungsten2 (Post 105010490)
Yes, the firmware do allow to throttle bandwidth of the PC/device IP address in the Local IP Range under the "Advance" -> "QOS Engine" Section.

However I do not use that, hence unable to advice how to use that correctly.

Thanks. I will try it out and feedback here regarding the outcome.

tungsten2 25-12-2016 05:23 PM

DO NOT update to firmware SHC1.07
As per RMA Centre, this version is buggy.

Good Luck and Merry Christmas

All times are GMT +8. The time now is 04:45 AM.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2019, vBulletin Solutions, Inc.
Copyright © SPH Magazines Pte Ltd. All rights reserved.