HWZ Forums


Secure your Router - DIR-868L

Old 08-11-2016, 11:06 AM   #1
Master Member
 
tungsten2's Avatar
 
Join Date: May 2000
Posts: 4,183
Secure your Router - DIR-868L

Notice :
1. Pls update to 1.09SHC. Avoid 1.07SHC.
2. Starhub updated their MTU to 1500. Do not use 1398 anymore !!!

For some time I have wanted to share my router settings with fellow Starhub fibre subscribers using the DLINK DIR-868L router issued by Starhub.

1. Parental Control - OpenDNS FamilyShield
- My experience is that when I use this option, my internet surfing improves a lot. I no longer experience any lag spikes. Even on 21-Oct, during the DDoS attack on the Starhub DNS server, I was totally unaware of it. My surfing was not interrupted at all.



Note : **FamilyShield blocks pornographic content, including our “Pornography,” “Tasteless,” and “Sexuality” categories, in addition to proxies and anonymizers (which can render filtering useless). It also blocks phishing and some malware.

For more information about OpenDNS Familyshield, do visit : https://www.opendns.com/about/press-...s-safe-online/


2. Firewall - Enable SPI & Anti-Spoof
- These 2 settings are disabled by default. I really don't understand what DLink is thinking. So many years in the networking industry and yet they disable these 2 very important settings.

SPI is configured to distinguish legitimate packets for different types of connections. Only packets matching a known active connection are allowed to pass the firewall. In simple terms, it blocks UNSOLICITED packets (not originating from your LAN).

Anti-Spoof is self-explanatory. Pls google if you want to know more details.



3. WPS - Wifi Protected Setup
- This setting is enabled by default (for the dumb and lazy)
- Another well-known vulnerable setting, yet Dlink enables it by default. Working against all these years of experience in the networking industry.
- Disable it by unticking the box beside it.


Why WPS is INSECURE ?
PIN is Mandatory
While push-button-connect is arguably secure, the PIN authentication method is the mandatory, baseline method that all certified WPS devices must support. That’s right — the WPS specification mandates that devices must implement the most insecure method of authentication.

Router manufacturers can’t fix this security problem because the WPS specification calls for the insecure method of checking PINs. Any device implementing Wi-Fi Protected Setup in compliance with the specification will be vulnerable. The specification itself is no good.

For more info, refer to here : http://www.howtogeek.com/176124/wi-f...ld-disable-it/

4. Disable UPnP IGD
- This setting is ENABLED by default. Untick the check box to prevent UPnP hacking.
- Some interesting reading on UPnP Hacking


- Even Asus AIProtection is checking this setting



5. Passwords
- Last but not least, for goodness' sake, set a STRONG password for your router.



6. Firmware
- Update to the latest firmware here : http://www.dlink.com.sg/starhub/
**Please do a factory reset after the upgrade. Take note that all configuration will be lost after the factory reset.
**After reset, find the password at the bottom of the router. Dlink finally put in a password instead of leaving it blank. Also all wifi SSID & security are pre-configured. You will need to go to the router page to configure all the wireless settings.
**Thanks to Phumba for locating this link.


Missing
1. DHCP Query Frequency - One of the suspected reasons for Starhub intermittent connection
- that's why when connected directly to the ONT, you don't face this issue.
- somehow changed to another DIR-868L and the problem self-resolved. Looks like a router issue.

2. Wifi Schedule
- This feature was in the router manual; however, it is missing

3. Clone MAC address
- Enable this feature and performance will drop 50%
- happens to both my dlink router for the 1st & 2nd contract.
- Disabled and performance is back to Starhub typical broadband speed.


7. MTU Setting
Try running the MTU test. You can get it from here : http://www.softpedia.com/get/Network...MTU-Test.shtml
Set it on your router and do the speed test again.

Explanation
The MTU setting controls the maximum ethernet packet size your PC will send (you did know the Internet works in packets, didn't you?). Why a limit? Because although larger packets can be constructed and sent, your ISP and Internet backbone routers and equipment will chop up (fragment) any packets larger than their limit. These parts are then reassembled by the target equipment before reading. This fragmentation and reassembly is not optimal.

1398 is the optimum MTU Setting (For Starhub Users Only)
DO NOT round up to 1400, your packet will be fragmented

**Note : You add 28 bytes because 20 bytes are reserved for the IP header and 8 bytes must be allocated for the ICMP Echo Request header.
+------------------------+
| 12 bytes control flags | \
| 4 byte from address    |  |
| 4 byte to address      |  |- IP and ICMP header: 28 bytes
|------------------------|  |
| 8 byte ICMP header     | /
|------------------------|
| 1370 byte payload      |
|                        |
|                        |
|                        |
+------------------------+

Alternatively, a manual method to determine the MTU setting can be used.
Refer to this clear and concise FAQ from TP-Link: http://www.tp-link.com/us/FAQ-190.html

Configure MTU on PC
Start -> Run -> PowerShell (Must Run as Administrator)
netsh int ipv4 show subinterface
netsh int ipv4 set subinterface "Local Area Connection" mtu=1398 store=persistent
samsung28 and theking_smen like this.

Last edited by tungsten2; 16-07-2017 at 09:24 AM..
tungsten2 is offline   Reply With Quote
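
Added example, not part of tungsten2's post: a PowerShell version of the manual MTU test described in section 7. It pings with the Don't Fragment flag set, binary-searches the largest payload that gets a reply, and adds the 28 header bytes; the function names and the `-Target` host are assumptions, and the resulting `Mtu` is the value to pass to the `netsh ... mtu=` command.

```powershell
# Added example (not from the original post). -Target is an assumption:
# supply a host beyond your ISP that answers ICMP echo.
function Test-Unfragmented {
    param([string]$Target, [int]$PayloadSize, [int]$Tries = 2, [int]$TimeoutMs = 2000)
    $ping    = New-Object System.Net.NetworkInformation.Ping
    # TTL 64, DontFragment = $true: an oversized packet is dropped, not split.
    $options = New-Object System.Net.NetworkInformation.PingOptions(64, $true)
    $buffer  = New-Object byte[] $PayloadSize
    try {
        # Retry so that a single lost packet is not read as "too big".
        for ($i = 0; $i -lt $Tries; $i++) {
            try {
                $reply = $ping.Send($Target, $TimeoutMs, $buffer, $options)
                if ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success) { return $true }
            } catch { }   # PingException: treat as a failed probe
        }
        return $false
    } finally { $ping.Dispose() }
}

function Get-PathMtu {
    param([Parameter(Mandatory = $true)][string]$Target, [int]$Low = 548, [int]$High = 1472)
    if (-not (Test-Unfragmented -Target $Target -PayloadSize $Low)) {
        throw "No reply from $Target at $Low bytes; choose another target."
    }
    # Invariant: $Low is known to pass; sizes above $High are known or assumed to fail.
    while ($Low -lt $High) {
        $mid = [int][math]::Ceiling(($Low + $High) / 2)
        if (Test-Unfragmented -Target $Target -PayloadSize $mid) { $Low = $mid } else { $High = $mid - 1 }
    }
    # 20-byte IP header + 8-byte ICMP header = the 28 bytes described in the post.
    [pscustomobject]@{ Target = $Target; MaxPayload = $Low; Mtu = $Low + 28 }
}

# Usage: Get-PathMtu -Target <host that answers ping>
```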
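
Added example, not part of tungsten2's post: a check that the "Disable UPnP IGD" step in section 4 actually took effect. It sends one standard SSDP discovery request on the local network and lists any device still advertising itself as a UPnP Internet Gateway Device; the function name `Find-UpnpGateway` is an assumption.

```powershell
# Added example (not from the original post): list LAN devices that still
# answer UPnP Internet Gateway Device discovery over SSDP.
function Find-UpnpGateway {
    param([int]$WaitSeconds = 3)
    $st      = 'urn:schemas-upnp-org:device:InternetGatewayDevice:1'
    $request = "M-SEARCH * HTTP/1.1`r`nHOST: 239.255.255.250:1900`r`n" +
               "MAN: `"ssdp:discover`"`r`nMX: 2`r`nST: $st`r`n`r`n"
    $bytes   = [System.Text.Encoding]::ASCII.GetBytes($request)
    $group   = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Parse('239.255.255.250'), 1900)
    $udp     = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = 1000          # milliseconds per Receive() call
    $found   = @()
    try {
        [void]$udp.Send($bytes, $bytes.Length, $group)
        $deadline = (Get-Date).AddSeconds($WaitSeconds)
        while ((Get-Date) -lt $deadline) {
            $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
            try { $data = $udp.Receive([ref]$remote) } catch { continue }   # receive timed out
            $text     = [System.Text.Encoding]::ASCII.GetString($data)
            $location = if ($text -match '(?im)^LOCATION:\s*(\S+)') { $Matches[1] } else { '' }
            $server   = if ($text -match '(?im)^SERVER:\s*(.+?)\s*$') { $Matches[1] } else { '' }
            $found += [pscustomobject]@{
                Responder = $remote.Address.ToString()
                Location  = $location
                Server    = $server
            }
        }
    } finally { $udp.Close() }
    # One row per responding device; no rows means nothing answered as an IGD.
    $found | Sort-Object Responder -Unique
}

Find-UpnpGateway
```

If the router's LAN address still appears in the output after the box is unticked, the setting was not saved or the router needs a reboot.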
Old 30-11-2016, 02:04 AM   #2
Senior Member
 
Join Date: Nov 2007
Posts: 760
Hey there, do you know whether the firmware provided by DLINK allows one to throttle bandwidth for specified ip clients?
happily1986 is offline   Reply With Quote
Old 30-11-2016, 07:20 AM   #3
Master Member
 
tungsten2's Avatar
 
Join Date: May 2000
Posts: 4,183
Let me check tonight
tungsten2 is offline   Reply With Quote
Old 30-11-2016, 07:34 AM   #4
Arch-Supremacy Member
 
cpuer's Avatar
 
Join Date: Jan 2003
Posts: 12,554
Nice and useful info
cpuer is offline   Reply With Quote
Old 30-11-2016, 07:37 AM   #5
Great Supremacy Member
 
chesterqw's Avatar
 
Join Date: Dec 2006
Posts: 56,159
Use Google dns, no worries.
chesterqw is offline   Reply With Quote
Old 30-11-2016, 03:57 PM   #6
Master Member
 
tungsten2's Avatar
 
Join Date: May 2000
Posts: 4,183
It depends on what you are looking for. If you just want to speed up your browsing experience, go for Google DNS.

If you want security that comes with website filtering, go for OpenDNS Familyshield.

Does Google Public DNS offer the ability to block or filter out unwanted sites?

No. Google Public DNS is purely a DNS resolution and caching server; it does not perform any blocking or filtering of any kind, except that it may not resolve certain domains in extraordinary cases if we believe this is necessary to protect Google’s users from security threats. But we believe that blocking functionality is usually best performed by the client. If you are interested in enabling such functionality, you should consider installing a client-side application or browser add-on for this purpose.

Use Google dns, no worries.
__________________
http://www.speedtest.net/result/7448631681.png
tungsten2 is offline   Reply With Quote
Old 30-11-2016, 04:28 PM   #7
Master Member
 
Join Date: Apr 2014
Posts: 3,087
Use Google dns, no worries.
Google dns can be easily hijacked.
jury_pack is offline   Reply With Quote
Old 30-11-2016, 08:39 PM   #8
Master Member
 
tungsten2's Avatar
 
Join Date: May 2000
Posts: 4,183
Yes, the firmware does allow throttling the bandwidth of a PC/device IP address in the Local IP Range under the "Advance" -> "QOS Engine" section.

However, I do not use that, hence I am unable to advise on how to use it correctly.

Hey there, do you know whether the firmware provided by DLINK allows one to throttle bandwidth for specified ip clients?
__________________
http://www.speedtest.net/result/7448631681.png
tungsten2 is offline   Reply With Quote
Old 05-12-2016, 09:34 AM   #9
Senior Member
 
popimac's Avatar
 
Join Date: Sep 2011
Posts: 1,936
Bookmarked. thanks TS

popimac is offline   Reply With Quote
Old 05-12-2016, 09:16 PM   #10
Member
 
Join Date: Jul 2016
Posts: 213

Can you confirm if this will not slow down the connection? Just wondering.
Phumba is offline   Reply With Quote
Old 06-12-2016, 07:03 AM   #11
Master Member
 
tungsten2's Avatar
 
Join Date: May 2000
Posts: 4,183
So far daily connection is rock stable and personally do not feel any slow down or lag.
tungsten2 is offline   Reply With Quote
Old 06-12-2016, 12:42 PM   #12
Senior Member
 
Join Date: Jun 2006
Posts: 612
I am running firmware 1.10B04.ww. It is stable and the speed is quite constant. I am satisfied with its performance. The only thing that I don't like is that there is no time schedule to switch off the wireless network.
hk7310 is offline   Reply With Quote
Old 06-12-2016, 07:05 PM   #13
Master Member
 
tungsten2's Avatar
 
Join Date: May 2000
Posts: 4,183
From the manual, my version A seems to have it, but when I access the router, it is not there.
Looks like someone removed it.
__________________
http://www.speedtest.net/result/7448631681.png

Last edited by tungsten2; 06-12-2016 at 07:17 PM..
tungsten2 is offline   Reply With Quote
Old 08-12-2016, 05:46 PM   #14
Senior Member
 
Join Date: Nov 2007
Posts: 760
Yes, the firmware does allow throttling the bandwidth of a PC/device IP address in the Local IP Range under the "Advance" -> "QOS Engine" section.

However, I do not use that, hence I am unable to advise on how to use it correctly.
Thanks. I will try it out and feedback here regarding the outcome.
happily1986 is offline   Reply With Quote
Old 25-12-2016, 05:23 PM   #15
Master Member
 
tungsten2's Avatar
 
Join Date: May 2000
Posts: 4,183
DO NOT update to firmware SHC1.07
As per RMA Centre, this version is buggy.

Good Luck and Merry Christmas
__________________
http://www.speedtest.net/result/7448631681.png

Last edited by tungsten2; 14-01-2017 at 08:22 AM..
tungsten2 is offline   Reply With Quote