D-Link Forums

The Graveyard - Products No Longer Supported => Routers / COVR => DIR-880L => Topic started by: GewGaw on January 05, 2015, 09:46:56 AM

Title: Inbound Filters?
Post by: GewGaw on January 05, 2015, 09:46:56 AM
I know last year I attempted to move away from my DIR-655 but was hit with the loss of some DNS and INBOUND FILTERS with the newer firmwares. I made the jump to the DIR-880 to replace all our DIR-655's and was surprised that this feature was not present. We have spent time with DLINK support and they were not able to help. They indicated that they will attempt to find a solution within their LABS and get back to us.

The issue I have is this:

1) I would like all LAN traffic to access all LAN resources and full access to the internet (WAN)
2) Would like to set inbound rules to allow only certain IPs to access internal resources, for example WAN IP: 123.123.123.1 and 321.321.321.1 to access an internal IP of 192.168.0.10 on port 443 TCP. This was simple with the earlier versions as INBOUND FILTERS accomplished this beautifully.

Along with DLINK support we tried enabling firewall rules to explicitly deny traffic and write rules to all and then the reverse. But you still need to set a port forward or virtual server rule to allow traffic, and once you do they override the firewall rules. Along with the lack of ability to set order to the firewall rules.

Any ideas on how we can accomplish this?
Title: Re: Inbound Filters?
Post by: FurryNutz on January 05, 2015, 09:57:03 AM
Link>Welcome! (http://forums.dlink.com/index.php?topic=48135.0)



Internet Service Provider and Modem Configurations
Title: Re: Inbound Filters?
Post by: GewGaw on January 05, 2015, 10:35:33 AM
HW:A1
FW:1.02
REGION: NA
Title: Re: Inbound Filters?
Post by: FurryNutz on January 05, 2015, 11:09:55 AM
Let us know your ISP services, modem Mfr and model please.

Have you attempted to set up any forwarding or use the Virtual Server in our configurations?
Title: Re: Inbound Filters?
Post by: GewGaw on January 05, 2015, 11:26:07 AM
Currently Using Bell Fibe Internet (Canada)

We are running the ISP supplied modem/router in "bridged" mode which operates like a modem and not a router. The DIR-880 is using the PPPoE credentials to authenticate to the ISP just fine.

We currently have a Virtual server rule to allow OpenVPN connections in to a VPN server without issue. If we create a virtual server or port forwarding rule for HTTP or HTTPS for example it works perfectly. What we wish to do is restrict what IPs are allowed through the DIR-880 from the WAN to the HTTPS server for example. I would suspect a firewall rule would work but it doesn't seem to be doing the trick. Any Port forwarding or virtual server rule seems to override the firewall rules (which seems odd to me).

This indicates that the connectivity and configuration is correct of the modem, router, etc. This mirrors how we had a DIR-655 setup.

Title: Re: Inbound Filters?
Post by: FurryNutz on January 05, 2015, 11:50:12 AM
Thank you for the feedback.

Ya, unfortunately for this model router, Inbound Filter was probably removed due to most home users didn't use it. Most average home users just want easy setup and configurations. So I presume D-Link removed it to make room for other features on this model router. I presume going forward if D-Link uses this UI, I'm not sure if they will be adding it back in. You may need to find a different model router that has the inbound filter feature. The DIR-868L Rev A does I believe. I don't have mine anymore however looking at the manual, it has Inbound Filtering. Maybe this model would better fit your needs. It's similar to WiFi features however the only big differences are 2.4GHz only does 450Mb where the 880L does 600Mb. The 5GHz radios are the same, 1750Mb. The cases are different.
Title: Re: Inbound Filters?
Post by: GewGaw on January 05, 2015, 11:55:24 AM
I tried that style housing in the DIR-826L.

I would be really hesitant because of coverage issues we had with that previous "Beer Can" style.

Any feedback on the wireless coverage with the DIR-868L?
Title: Re: Inbound Filters?
Post by: FurryNutz on January 05, 2015, 12:01:36 PM
Love it and has great coverage. They just upped the 5GHz radio too. I gave mine away to a family member for xmas. I'm gonna miss it. I'll try to get another Rev A. Be aware that they released a Rev B modem which has the new UI like the 880L so if you want Inbound Filters, get a Rev A model. The 868L is one of the best routers D-Link has. Wireless and performance is great. We did some beta testing early on to see performance and catch some issues. Router has been great since I got it. I highly recommend it. Ya, the cylinder style is kind of odd, however works well for signal and range, especially if placed well. I hope to get another.
Title: Re: Inbound Filters?
Post by: GewGaw on January 05, 2015, 12:04:16 PM
I just noticed it would have to be a Rev A reading through the manuals as well.

Did the DIR-826L have coverage issues? Has the design internally changed to improve the coverage?
Title: Re: Inbound Filters?
Post by: FurryNutz on January 05, 2015, 12:24:21 PM
I would say the range may not be as good as the 868L however I have the 826L as well and it works for its small size. I'd say for a small house? The 826L/836L would be just fine.

I don't know if anything has changed internally for either router. Just the FW was updated recently for some FB features and output on the 5GHz radio for the 868L.
Title: Re: Inbound Filters?
Post by: GewGaw on January 07, 2015, 04:34:17 PM
We have heard back from level 3 support and their suggestion was the following:
1) Use a port forward or virtual server rule (i.e. to allow HTTPS in to 192.168.0.11)
2) Enable IPv4 firewall in "Turn ON IPv4 Firewall and ALLOW rules listed"
3) Set up a rule with the following:
SOURCE WAN 123.123.123.123 (IP TO ALLOW IN)
DEST LAN 192.168.0.11 (IP WITHIN NETWORK)
PORT RANGE 1-65335
TYPE ANY

Then a rule to allow internal traffic out:
SOURCE LAN 192.168.0.1-192.168.0.254
DEST WAN 1.1.1.1-254.254.254.254
PORT 1-65535
TYPE ANY


Upon testing this was not effective, for the reason that port forwarding and virtual server rules apply "before" the firewall rules when the firewall is in the "ALLOW LISTED" mode. This results in all IPs being allowed to the internal server (based on the port forwarding or virtual server rule). I am guessing this is a choice made to protect people from accidentally killing their port forward rules with bad firewall rules.

However, this changes if we change the firewall filtering to "DENY LISTED" mode. When in this mode the explicit rule set will override the port forwarding rules. However, this is much more complicated to set up as you need to specify a whole bunch of rules to explicitly deny WAN traffic. For example:
-You need to create a rule to block 1.1.1.1-123.123.123.122
-then another 123.123.123.124-254.254.254.254
-and you can imagine if there was a group of IPs to allow in it would be very complicated and maybe a dozen rules

I am waiting to hear back from them so I can provide the results of our testing. I would imagine they need to change how the IMPLICIT rules are applied when setting the "ALLOW LISTED" mode or bring the INBOUND FILTER back.

I'll post more results after speaking with them.

GewGaw
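
The "DENY LISTED" workaround described in the post above, worked through as an added example (not from the thread or from D-Link): it computes the deny ranges needed around a set of allowed WAN addresses, using the 1.1.1.1-254.254.254.254 span from the post. The function name and input format are assumptions made for illustration.

```python
import ipaddress

# Span the post uses for "all WAN addresses" in the router's rule fields.
WAN_FIRST = int(ipaddress.IPv4Address("1.1.1.1"))
WAN_LAST = int(ipaddress.IPv4Address("254.254.254.254"))


def deny_ranges(allowed):
    """Return the (start, end) ranges to deny so only `allowed` gets through.

    `allowed` holds single IPs ("123.123.123.123") or "start-end" strings.
    deny_ranges is a hypothetical helper, not a router or D-Link API.
    """
    spans = []
    for item in allowed:
        start, _, end = item.partition("-")
        lo = int(ipaddress.IPv4Address(start.strip()))
        hi = int(ipaddress.IPv4Address((end or start).strip()))
        if lo > hi:
            raise ValueError(f"range is reversed: {item}")
        if hi < WAN_FIRST or lo > WAN_LAST:
            continue  # entirely outside the WAN span, nothing to carve out
        spans.append((max(lo, WAN_FIRST), min(hi, WAN_LAST)))

    denied, cursor = [], WAN_FIRST
    for lo, hi in sorted(spans):
        if lo > cursor:                  # gap before this allowed span
            denied.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)     # step past it; merges overlaps
    if cursor <= WAN_LAST:
        denied.append((cursor, WAN_LAST))
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))
            for a, b in denied]


if __name__ == "__main__":
    # Constructed input: the single trusted address from the post.
    for start, end in deny_ranges(["123.123.123.123"]):
        print(f"DENY WAN {start}-{end}")
```

Each non-adjacent allowed address adds one more deny rule, which is why the rule count grows quickly in this mode.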
Title: Re: Inbound Filters?
Post by: FurryNutz on January 07, 2015, 05:03:27 PM
Thank you for the feedback. Keep us posted on how it goes.

Title: Re: Inbound Filters?
Post by: FurryNutz on January 12, 2015, 10:48:15 AM
I'm wondering if a D-Link DFL model firewall appliance would be something that you should review...  ???
Title: Re: Inbound Filters?
Post by: GewGaw on January 12, 2015, 11:00:49 AM
I am more concerned about the new GUI as a whole. It would appear some features have not been vetted and confirmed working. Such as:
-firewall keeping ports open even when rules in place to close them.
-email setting unable to send email
-unable to review logs of the router or set logging levels.

While I see the attempt they are making to simplify the interface, some slightly more advanced features will help set the D-Link routers apart from the pack.

I love the range and speed and price of the 880L. I hope I can help work through the issues with D-Link to correct it.

I spoke with them again and they are running some more tests to confirm my findings and have asked another group if it is by design or a bug.

Marcus
Title: Re: Inbound Filters?
Post by: FurryNutz on January 12, 2015, 11:11:43 AM
Please keep us posted on how it goes...

I'll have a look see with mine....
Title: Re: Inbound Filters?
Post by: GewGaw on January 12, 2015, 12:04:55 PM
I just got a confirmation phone call that they have been able to reproduce the problem and are reviewing it.
Title: Re: Inbound Filters?
Post by: FurryNutz on January 12, 2015, 12:16:35 PM
Awesome, I presume next FW release should have something:
http://forums.dlink.com/index.php?topic=59562.0
Title: Re: Inbound Filters?
Post by: GewGaw on February 13, 2015, 08:09:36 AM
They just sent me a beta firmware which addresses the security/flaw in the firewall rules. I am running tests on all of our new DIR-880L's and will inform them of the results. I suspect it will be rolled up into a public beta shortly.
Title: Re: Inbound Filters?
Post by: FurryNutz on February 17, 2015, 07:50:58 AM
Please let us know how the beta works.

Thank you.
Title: Re: Inbound Filters?
Post by: GewGaw on February 19, 2015, 07:35:12 AM
The new firmware seems to have addressed the issue. Had a few hiccups but just may be a fluke. Will continue to run it for a while and try to make sure it is working as intended.

The firewall rule set I used is something like this:
-Port forwards and virtual server rules as you would normally do
-Create the following IPv4 rule set:
-Allow all LAN subnets out 192.168.0.1-192.168.0.254 on all ports 1-65535 UDP and TCP to all WAN IPs 1.1.1.1-254.254.254.254 (this will allow traffic to flow out when the firewall is enabled)
-Allow specific WAN IP (such as 8.8.8.8) in on desired port (such as 80 TCP) to specific internal IP (such as 192.168.0.10). To simplify things I did a rule for my "trusted" source IPs as a blanket one so for example 8.8.8.8 WAN can access all my internal IPs 192.168.0.1-192.168.0.254 on all ports 1-65535 UDP and TCP this allows that IP to access any virtual server or port forward I have put in place
-Ensure to create rules for any "wide open" services you are running such as VPNs, websites, ftp, torrent, etc. This can be done by creating a rule such as: allow WAN IP 1.1.1.1-254.254.254.254 to LAN IP specific 192.168.0.10 and the desired port UDP 1194 (this must match your virtual server or port forwarding rules).
-Once saved then enable the firewall rule set to "BLOCK all but listed"

Sorry for the condensed and somewhat unclear example, but I wanted to provide something in case people want to secure their port forwards a little more, ONCE the firmware is released.

GewGaw
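
A way to check a rule set like the one in the post above before enabling "BLOCK all but listed", as an added example (not from the thread or from D-Link). It assumes the behaviour the post reports for the beta firmware, namely that a forward is reachable only from WAN sources matched by an allow rule; the `Rule`/`Forward` records, the `audit` function and the `ssh` forward are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Hypothetical records mirroring the rule fields quoted in the thread.
Rule = namedtuple("Rule", "src_if src dst_if dst ports proto")
Forward = namedtuple("Forward", "name lan_ip port proto")


def _span(text):
    first, _, last = text.partition("-")
    return (int(ipaddress.IPv4Address(first)),
            int(ipaddress.IPv4Address(last or first)))


ALL_WAN = _span("1.1.1.1-254.254.254.254")


def audit(forwards, rules):
    """Map each forward to 'blocked', 'open to all WAN', or its allowed sources.

    Assumes block-all-but-listed mode where allow rules gate forwarded traffic.
    """
    report = {}
    for fwd in forwards:
        ip = int(ipaddress.IPv4Address(fwd.lan_ip))
        sources = []
        for r in rules:
            if (r.src_if, r.dst_if) != ("WAN", "LAN"):
                continue  # the LAN-to-WAN rule only covers outbound traffic
            d_lo, d_hi = _span(r.dst)
            if (d_lo <= ip <= d_hi and r.ports[0] <= fwd.port <= r.ports[1]
                    and r.proto in ("ANY", fwd.proto)):
                sources.append(r.src)
        if not sources:
            report[fwd.name] = "blocked"
        elif any(_span(s)[0] <= ALL_WAN[0] and _span(s)[1] >= ALL_WAN[1]
                 for s in sources):
            report[fwd.name] = "open to all WAN"
        else:
            report[fwd.name] = sorted(sources)
    return report


# Constructed sample following the post: LAN out, one trusted IP, open VPN.
RULES = [
    Rule("LAN", "192.168.0.1-192.168.0.254", "WAN",
         "1.1.1.1-254.254.254.254", (1, 65535), "ANY"),
    Rule("WAN", "8.8.8.8", "LAN", "192.168.0.1-192.168.0.254", (1, 65535), "ANY"),
    Rule("WAN", "1.1.1.1-254.254.254.254", "LAN", "192.168.0.10", (1194, 1194), "UDP"),
]
FORWARDS = [
    Forward("openvpn", "192.168.0.10", 1194, "UDP"),
    Forward("https", "192.168.0.10", 443, "TCP"),
    Forward("ssh", "192.168.1.20", 22, "TCP"),  # forward with no matching rule
]
```

Running `audit(FORWARDS, RULES)` on the sample reports the VPN as open to all WAN, HTTPS as limited to the trusted address, and the forward without a rule as blocked.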
Title: Re: Inbound Filters? (RESOLVED)
Post by: FurryNutz on February 19, 2015, 08:03:16 AM
Thanks for posting your results and information. Hope this helps users. I would recommend letting D-Link know of your results and ask them to please include their fixes in future releases.

Enjoy.  ;)