
Firewall not working on D-Link Router 1


tonymcp
IS-IT--Management
Mar 5, 2006
Hey guys,

Has anybody out there worked with D-Link routers? I have a really strange problem with my firewall.

I recently set up a wireless network so that I can share my internet connection with my neighbour so we can share the cost.

I run my computer business/workshop from home so I obviously have valuable and confidential information on my NAS which I cannot allow access to.

I created a rule to deny access from my neighbour's IP, which is 192.168.0.201 (it's always the same - I configured static DHCP), to my NAS IP (also static DHCP), which is 192.168.0.100, but it is not working.

I also tried denying access to certain ranges of IPs, etc., but nothing. It is as if my firewall is transparent. Has anybody ever experienced this or a similar situation? The router is a D-Link Di-624.

Tony
AP CompuServices
MCP,A+
 
You and your neighbor are both connecting to your network on the LAN side, doesn't matter if wireless or wired. Same subnet too. The d-link doesn't route that subnet locally, so the access list won't get hit. The machines find each other with a simple ARP broadcast and are reachable at Layer 2 (this is why you say it appears to be transparent--it is, in a sense).

You have to put your NAS behind a firewall on your LAN side to block and then renumber, or use whatever host security (if any) is supported on your NAS and be careful about IP address assignments (like allow your IP address, and deny all others).

Also trust is crucial, that your neighbor or his kid won't try to hack into your NAS because you have no real control if they want to spoof your allowed IP address(es). This is a poor security design as it is, sorry.



--jeff
 
Thanks Jeff. I get the point now, although in the router's firewall the rules you create give you an option to allow/deny from either the LAN or the WAN or both. In what case do you think that could be used? I mean, from what I know these routers will route from WAN to LAN but I don't think you can route between two LANs, can you? Or have two subnets on the same router? Although I have plenty of experience on Microsoft Networks, routing is not yet one of my strong points, so please, do you think you can enlighten me some more?


Tony
AP CompuServices
MCP,A+
 
Ok, this gets long, sorry but we need to clear up the confusion.

Yes, correct about the LAN/WAN and firewall, however, please understand that in order for the firewall rules to be used, packets must traverse LAN->WAN or WAN->LAN. LAN->LAN does not traverse the firewall. This is by design for TCP/IP networks.

For example, when a host with IP address 192.168.0.201 mask 255.255.255.0 wants to communicate with a host with IP address 192.168.0.100 mask 255.255.255.0, the first host notices that the IP address is in the same subnet. Therefore it sends an ARP broadcast on the subnet broadcast address (192.168.0.255 in this case) which all hosts in the subnet listen to. The host with the IP address requested in the ARP request responds with its MAC (ethernet) address, so the TCP/IP stack encapsulates the packet with the MAC address of the host it wants to talk to. Therefore, the router/firewall portion of the D-link is not involved. The ethernet (802.3 wired and 802.11 wireless) LAN switch is the only portion of the D-link involved.

What gets packets through the firewall (LAN->WAN) is noticing that the destination IP address is not in the same subnet as the local host, thus it forwards the packet to the default gateway (192.168.0.1 for example) which is the D-link router's LAN IP address. Then the router can inspect the packet and compare against any firewall rules it may have regarding the IP address or TCP/IP port and then allow or deny forwarding.

You can solve this problem with another cheap router (another D-link, or a linksys) but I would disable the wireless interface or restrict by MAC address, along with other security measures (disable SSID broadcast, enable WEP, preferably 802.1x+WPA/LEAP). Also make sure your subnets do not overlap (another d-link would have to change default subnet since it's the same 192.168.0.0/24) but linksys default is 192.168.1.0/24. You would be double NAT-ing, but lots of apps work well enough these days with NAT for this not to be a problem. For example the WAN port of the linksys would be in 192.168.0.x 255.255.255.0 but the LAN side in 192.168.1.x 255.255.255.0. This would effectively block your neighbor from accessing your company private network with NAS protected.

You can separate LAN->LAN using VLAN but the d-link doesn't support it and you have to be in different subnets anyway and route (thus the router/firewall can filter) between the subnets. You can do this with DD-WRT in theory but I have not tried it. The solution I suggested with the linksys is probably the simplest for you to implement.


--jeff
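The forwarding decision Jeff describes above (same subnet means ARP and a Layer 2 switch, off-subnet means the default gateway and therefore the firewall), plus his subnet-overlap caveat for the double-NAT setup, as an added example that is not part of the thread. The neighbour's address 192.168.1.50 behind the second router and that router's gateway 192.168.1.1 are assumed values for the example.

```python
import ipaddress

# Added example (not from the thread). A host hands a packet to its default
# gateway, and so to the router's firewall rules, only when the destination
# lies outside its own subnet; on-subnet traffic is resolved with an ARP
# broadcast and switched at Layer 2 without the router/firewall seeing it.

def next_hop(src, dst, mask, gateway):
    """Return ('direct', dst) if the sender will ARP for dst on the local
    subnet, or ('gateway', gateway) if it forwards to the default gateway."""
    net = ipaddress.ip_network(f"{src}/{mask}", strict=False)
    if ipaddress.ip_address(dst) in net:
        return ("direct", dst)
    return ("gateway", gateway)

def firewall_sees(src, dst, mask, gateway):
    """True only when the packet crosses the router, i.e. can match a rule."""
    return next_hop(src, dst, mask, gateway)[0] == "gateway"

def broadcast_address(src, mask):
    """Subnet broadcast the ARP request goes to (192.168.0.255 in the thread)."""
    net = ipaddress.ip_network(f"{src}/{mask}", strict=False)
    return str(net.broadcast_address)

def subnets_overlap(a, b):
    """Jeff's caveat for the second router: the two LANs must not overlap."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

if __name__ == "__main__":
    mask = "255.255.255.0"
    # Thread's original layout: neighbour and NAS on one /24 behind the DI-624.
    print(next_hop("192.168.0.201", "192.168.0.100", mask, "192.168.0.1"))     # ('direct', '192.168.0.100')
    print(firewall_sees("192.168.0.201", "192.168.0.100", mask, "192.168.0.1"))  # False
    # Second router for the neighbour. Assumed: its LAN is 192.168.1.0/24 with
    # gateway 192.168.1.1 (the linksys default Jeff mentions); the neighbour's
    # address 192.168.1.50 is constructed for this example.
    print(firewall_sees("192.168.1.50", "192.168.0.100", mask, "192.168.1.1"))   # True
    print(subnets_overlap("192.168.0.0/24", "192.168.0.0/24"))  # True: two D-links at defaults
    print(subnets_overlap("192.168.0.0/24", "192.168.1.0/24"))  # False
```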
 
Thanks again Jeff. I was not sure if routing between two cheap routers would be possible. But I will try it soon enough and will let you know of the results (maybe failed results lol). Don't worry about long posts. The longer they are the better.

I have been really happy with my D-Link products so far. I've sold hundreds of D-Link devices (routers, switches, Ethernet, WLAN, etc.) but this NAS I got (D-Link DNS-323) is sooooo stupid. D-Link has really let me down on this.

Listen to this: I can assign permissions to Users and groups but I cannot assign, for example, read-only to everyone and write access to admins only on the same folder. What kind of permission assignment is this? If permissions are not cumulative how am I supposed to work things out? Damn nuisance... Plus they removed the disk checking and defragmenting utility in the new firmware version because they decided they were unnecessary. These guys must be kidding...

Sorry if I went a bit out of line here...



Tony
AP CompuServices
MCP,A+
 
Heh, I agree on the D-link routers, they're great. I stopped recommending linksys because they would forget their settings (although could be user not owning up to hitting reset) or the WAN port was too sensitive to power hits/EMP and would blow out connected to a DSL or cable modem or fixed wireless SA, even though said modem port would be unaffected. To be fair, I usually found inside wiring issues that caused this as well as questionable grounding, but the linksys WAN port was always the weakest link in the chain.

Thanks for the heads-up on the D-link NAS lameness. Haven't had to feel that pain yet, now I've been forewarned.

And it's your thread...not out of line.

Best,

--jeff
 
Hey Man! Thanks again! I got it working today.
This is what I did: I connected my first Di-624 wireless router (router A) to my ADSL connection through the WAN port and the second one (router B) (same model) from its WAN port to one of router A's LAN ports. I assigned a static DHCP IP address to router B from router A and then I enabled the wireless on both. Router A's wireless works on channel 5 and Router B's on channel 6. Both wireless networks are configured with wap security. Finally I configured the firewall on router B to block outgoing traffic that wishes to pass to any of the IPs on router A (which is my workshop subnet) except the addresses of the routers themselves (so I can access both routers' config pages). My neighbours have the password of router B's wireless only, so the only thing they can do is access the internet and the router config page, which is no issue because the config page is passworded and none of them has the knowledge or intention to harm anything anyway.

Everything is like I wanted it now because on my subnet (router A) in my workshop I can access my NAS freely now with r/w permissions on any computer that sits on my workshop LAN and gets an IP from router A. Which is what makes my life so easy... :)

My only last question is: this firewall business. Wasn't I supposed to do it the other way round? I mean, instead of blocking traffic that goes out from Router B intending to go to some hosts on Router A (thus adding rules on router B's firewall), would it not be more correct if I could block the same traffic vice versa by adding rules to router A's firewall? After all it is router A that needs to be protected. Why should it rely on Router B's firewall to do so? Yet, it wouldn't work the other way round! I don't know if I was doing something wrong, but when I tried this way and it worked I thought to myself: It's working. I might as well leave it alone for now!



Tony
AP CompuServices
MCP,A+
 
P.S. Life would be so much easier if I had IP filtering on my NAS...

Tony
AP CompuServices
MCP,A+
 
Tony,
I'm glad things are working for you now. As far as the Router A/B issue, yes, I usually recommend disabling wireless access to high sensitivity network resources, like if for example your NAS had customer credit card numbers, etc... And I would only have wireless access in the "zone" between your internet gateway and company firewall. Then, if I was roaming the house with my laptop wirelessly I'd vpn to the private network, otherwise plug into a switch port connected directly.

But that all really depends on your "security policy" which everyone has, whether it's written and implemented consciously or not, and what you're protecting, and how likely someone would try to crack into it.

But as you're certainly aware, everything is a trade-off. The way you have it now makes it simpler to open ports for remote access from the public internet if you were away from the office, for example, so there is a benefit to the way you're running now. You can still do it the other way, but only you can decide if it's necessary and worth the extra effort.

Oh, one last thing, you should try to separate your channels further. Best practice for frequency coordination for multiple APs in an area is to choose non-overlapping channels. For 802.11b/g, typically channels 1/6/11 for three APs, or 1/4/7/11 for 4 APs in close proximity. Look for nearby APs (I think the D-link shows them, or your laptop's adapter utility) and choose your channels 3-to-4 channels away from them, including your own, if possible. If you can't, avoid most the AP(s) you detect with the strongest signal level(s). BTW, this doesn't affect security, only performance.


--jeff
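Jeff's channel-coordination rule above, as an added example that is not part of the thread: prefer a non-overlapping channel at least 3-4 channels clear of every AP you can see (your own included), and if none is clear, take the one whose loudest neighbour is weakest. The scan results are constructed for the example.

```python
# Added example (not from the thread): pick 802.11b/g channels the way Jeff
# suggests. `scan` is a list of (channel, signal_dBm) for APs you detect,
# including your own other router once it has been placed.

CANDIDATES = (1, 6, 11)   # non-overlapping set for three APs (Jeff's default)

def pick_channel(scan, candidates=CANDIDATES, spacing=4):
    """Return the candidate channel with no detected AP closer than `spacing`
    channels; otherwise the candidate whose strongest nearby AP is weakest."""
    best, best_score = None, None
    for ch in candidates:
        nearby = [sig for ap_ch, sig in scan if abs(ap_ch - ch) < spacing]
        if not nearby:
            return ch                  # fully clear: take it immediately
        score = max(nearby)            # loudest interfering AP, in dBm
        if best_score is None or score < best_score:
            best, best_score = ch, score
    return best

def plan_two_routers(scan):
    """Place router A first, then router B treating A as a strong local AP.
    The -30 dBm figure for the in-house router is a constructed assumption."""
    ch_a = pick_channel(scan)
    ch_b = pick_channel(scan + [(ch_a, -30)])
    return ch_a, ch_b

if __name__ == "__main__":
    # Constructed scan: a loud neighbour on channel 1, weaker ones on 2 and 11.
    neighbourhood = [(1, -45), (2, -70), (11, -80)]
    print(pick_channel(neighbourhood))      # 6: only candidate 4+ channels clear
    print(plan_two_routers(neighbourhood))  # (6, 11): B avoids A and the loud AP on 1
```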
 
Thanks for all the tips Jeff.

I will perform the channel separation today to see how it will affect performance. In the meantime, I'm looking around on the net for a better NAS...

Tony
AP CompuServices
MCP,A+
 