D-Link Forums

The Graveyard - Products No Longer Supported => Routers / COVR => DIR-850L => Topic started by: GreenBay42 on September 20, 2017, 06:39:01 AM

Title: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: GreenBay42 on September 20, 2017, 06:39:01 AM
New firmware has been released for both revision A and B. This fixes several security exploits.

The ZIP file will contain 2 firmware files. Please read the instructions before upgrading the firmware. You must upgrade the 2 files in order and then reset the router back to factory default settings so make note of your settings before upgrading.

Rev A

Firmware -> ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-850L/REVA/DIR-850L_REVA_FIRMWARE_PATCH_v1.20B03.zip

Rev B

Firmware -> ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-850L/REVB/DIR-850L_REVB_FIRMWARE_PATCH_v2.20B03.zip


Release Notes:

Problems Resolved:
1. Fixed the security issues reported by Pierre Kim on Sept. 8th, 2017.
Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: lescarlson on October 13, 2017, 05:34:51 PM
"You must upgrade the 2 files in order and then reset the router back to factory default settings so make note of your settings before upgrading."

"so make note of your settings before upgrading."... Does this mean you can't use the router's save config feature?
"and then reset the router back to factory default"... Does this mean the reset must be done manually?
Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: FurryNutz on October 13, 2017, 09:37:46 PM
Please factory reset the router before sending the 1st update file. Then send the 2nd file. Factory reset once more after the 2nd file was processed by the router then set up from scratch. After router is set up, save the router config to a new file.

There are differences between your current version and this new one, so the old config file may be incompatible and cause problems. So set up from scratch and then save a new file. Take notes or screen captures of your current router settings before starting the FW update process.

Use IE11 or FF browsers. Do not use Chrome!

Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: lescarlson on October 29, 2017, 04:02:27 PM
Immediately after installing this 1.20 / 2.20 HW B security fix (both files according to instructions) the 850L lost internet connection momentarily and again once every 5 minutes. It would reconnect then lose its connection exactly 5 minutes later and so on and so on. Any stream occurring would halt and would have to be restarted again manually from the app or streaming device. I am connected to a DSL modem via a 'DHCP dynamic ip' connection. Before the 1.20 / 2.20 security firmware the router worked perfectly. Careful screen shots were taken prior to the update to reconfigure.

I have since set up the router using the currently assigned IP address as a 'Static' address. Doing this has completely solved the "5 minute disconnect" thing. This is all well and good except when my ISP provider changes my dynamic IP address (which happens irregularly about twice a month) the router will lose its connection and the newly assigned address will have to be reconfigured as a static address in the 850L router again.

Has anyone else experienced this? Is this something D-Link is aware of?
Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: FurryNutz on October 29, 2017, 04:13:46 PM
Was a factory reset performed after the last file was processed, and was the router then set up from scratch without loading a saved configuration from file?

What is the Mfr and model of the ISP modem?


Also set the WAN port speed from Auto to 100Mb and test...


Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: lescarlson on October 30, 2017, 12:24:52 PM
---"Was a factory reset performed..."
Yes. A reset prior to update and then a reset again after both files installed.
The 850L was re-configured by the screenshots taken before update (when the router was 100%). The router's 'Configuration Save and Load' feature was not used. It was reconfigured manually page by page.

---"What is the Mfr..."
Modem / Router is Netgear 7550 set up for use with Frontier ISP. It is and was configured in DMZ mode pointing to the 850L IP address.

---"ensure that 'Always ON' option is enabled"
There is NO setting for "Always ON" when the 850L's internet connection is set to "Dynamic IP (DHCP)". The DSL/PPPoE settings are made in the Netgear modem. The "Always ON" is selected in the Netgear Modem's 'Broadband Connection' page.

---"If the ISP modem has a built in router..."
The 850L router connects to the Netgear modem/router as it did before the 1.20/2.20 update. The Netgear modem/router was and is in DMZ mode using the 850L address. It is not in 'Bridge' mode. Before the 1.20/2.20 update the Netgear modem/router was in DMZ mode. The 850L was 100% before the update.

---"Also check the router's DHCP IP address may be conflicting"
The 850L IP address is 192.168.0.1. The Netgear modem address is 192.168.254.254. These are LAN addresses. Do you mean something different when you suggest "DHCP IP address may be conflicting"?

Thank you very much for your help.
Les

Was a factory reset performed after the last file was process then set up from scratch and don't load a saved configuration from file?

What is the Mfr and model of the ISP modem?
  • For DSL/PPPoE connections on the router, ensure that "Always ON" option is enabled.
  • If the ISP modem has a built in router, it's best to bridge the modem. Having 2 routers on the same line can cause connection problems: Double NAT (http://www.practicallynetworked.com/networking/fixing_double_nat.htm) and How NAT Works (http://computer.howstuffworks.com/nat.htm). Call the ISP and ask to see if the ISP modem can be bridged. To tell if the modem is bridged or not, look at the router's web page, Status/Device Info/WAN section; if there is a 192.168.0.# address in the WAN IP address field, then the modem is not bridged. If the modem can't be bridged then see if the modem has a DMZ option and input the IP address the router gets from the modem and put that into the modem's DMZ (http://www.dslreports.com/shownews/Networking-101-The-DMZ-137550). Also check the router's DHCP IP address may be conflicting with the ISP modem's IP address of 192.168.0.1. Check to see if this is the same on the ISP modem, and if modem can't be bridged, change the DIR router to 192.168.1.1 or .0.254.
    Example of a D-Link router configured for PPPoE with ISP Modem bridged: PPPoE Configuration on a Router (http://forums.dlink.com/index.php?topic=56344.msg219023#msg219023)

Also set the WAN port speed from Auto to 100Mb and test...
Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: FurryNutz on October 30, 2017, 12:34:02 PM
Ok, just checking to be sure of your ISP modem settings.

Can you test a quick test with the WAN port speed set to 100Mb from Auto? Then try 1000Mb.

I presume that if the 850 has been working till v1.20 appeared, there may be some issues in this FW version. I'll have D-Link review this.

I recommend you go back to last working version of FW and wait for results. I know that D-Link is working on the WPA2 security issue at hand now and the 850L is affected so let's see if we can get them to look at this issue as well before they post the security patch for WPA2.  ::)
Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: Gattsu on October 30, 2017, 01:13:36 PM
lescarlson,

It looks like you have two routers in double NAT setup? Which router is receiving a public IP from ISP? Please verify with a network topology?





Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: FurryNutz on October 30, 2017, 01:27:26 PM
The NG 7550 is a modem and router combo. It's been running double NAT. The 850L is in the DMZ on the NG modem. Which has been working and should work ok. Has been working until he applied the v1.20 FW update. The 850L should only receive a private IP address while in the DMZ on the modem unless they can pass thru the public which I presume they are not.
Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: Gattsu on October 30, 2017, 02:28:33 PM
So is the DMZ network reserving an IP for 850's WAN interface? Double check the MAC address on the WAN, make sure it matches the DHCP reservation bind.
Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: lescarlson on October 30, 2017, 08:59:26 PM
---"Can you test a quick test with the WAN port speed set to 100Mb from Auto?"
Neither WAN port speed makes any difference.
Since my earlier post the WAN IP address has changed when the Netgear modem was rebooted. The 850L will not receive any internet when it is set to "Dynamic IP (DHCP)" since the Netgear modem WAN IP address change. A "Static" connection with the new IP address plugged in will allow the 850L to connect to the internet again. My last working 850L firmware was 2.07 which is no longer available on the Dlink site. But there is a 2.09 firmware. I will try 2.09 until another update is released.

---"Double check the MAC address on the WAN, make sure it matches the DHCP reservation bind."
Is the "MAC address on the WAN" the same as the MAC address of the Netgear modem?
Also where would I locate the "DHCP reservation bind."?

Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: Gattsu on October 31, 2017, 08:54:27 AM
On the 850L, is the WAN port receiving a private or public IP for internet?

So if the IP is not within these ranges then it is a public IP.
192.168.0.0 - 192.168.255.255 (65,536 IP addresses)
172.16.0.0 - 172.31.255.255 (1,048,576 IP addresses)
10.0.0.0 - 10.255.255.255 (16,777,216 IP addresses)

Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: FurryNutz on October 31, 2017, 09:41:28 AM
Yes I do know that those are public IP addresses. Normally routers have a public ##.##.###.### however on occasion in a double NAT condition, one can put a router behind another router using the main router's DMZ which virtually passes all traffic however on most occasions, I only see the WAN port of the 2nd router getting a private IP address. All services work in this capacity though in this configuration.

Yes, I recommend a single NAT configuration when possible. In this case it has been working until this version of FW was applied... :o
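
Added example (not part of any post in this thread): the private-range check listed above, combined with the WAN/LAN address conflict check suggested earlier in the thread, as a small Python script. The sample addresses are constructed, `classify_wan` and `diagnose` are hypothetical helper names, and the carrier-grade NAT range is an addition the thread does not mention.

```python
import ipaddress

# RFC 1918 private ranges, the three listed in the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared space used by carrier-grade NAT (assumption: not in the thread).
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan(wan_ip):
    """Return 'private', 'cgnat' or 'public' for the router's WAN address."""
    ip = ipaddress.ip_address(wan_ip)
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in CGNAT:
        return "cgnat"
    return "public"


def diagnose(wan_ip, wan_mask, lan_ip, lan_mask):
    """Check the inner router for double NAT and a WAN/LAN subnet overlap."""
    wan_net = ipaddress.ip_network(f"{wan_ip}/{wan_mask}", strict=False)
    lan_net = ipaddress.ip_network(f"{lan_ip}/{lan_mask}", strict=False)
    kind = classify_wan(wan_ip)
    result = {
        "wan_class": kind,
        "double_nat": kind in ("private", "cgnat"),
        "subnet_conflict": wan_net.overlaps(lan_net),
        "advice": [],
    }
    if kind == "private":
        result["advice"].append(
            "Upstream modem is routing: bridge it, or put the router's WAN "
            "address in the modem's DMZ and reserve it in the modem's DHCP.")
    elif kind == "cgnat":
        result["advice"].append("ISP is translating upstream of the modem.")
    else:
        result["advice"].append(
            "Router holds a public address: modem is bridged or passing "
            "its own address through.")
    if result["subnet_conflict"]:
        result["advice"].append(
            "WAN and LAN share a subnet: move the router's LAN, "
            "for example to 192.168.1.1.")
    return result


if __name__ == "__main__":
    # Constructed samples: (WAN IP, WAN mask, LAN IP, LAN mask).
    samples = [
        ("192.168.254.10", "255.255.255.0", "192.168.0.1", "255.255.255.0"),
        ("192.168.0.5", "255.255.255.0", "192.168.0.1", "255.255.255.0"),
        ("203.0.113.7", "255.255.255.0", "192.168.0.1", "255.255.255.0"),
    ]
    for s in samples:
        r = diagnose(*s)
        print(s[0], r["wan_class"], "double NAT:", r["double_nat"],
              "conflict:", r["subnet_conflict"])
        for line in r["advice"]:
            print("   ", line)
```
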

Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: Gattsu on October 31, 2017, 10:13:45 AM
lescarlson mentioned that it works when he applies a static IP, instead of DHCP, but which router was this applied to?

It is true that ISP will change the Public IP on your router, whenever they want but only on the modem Netgear and this should not affect the 850L at all. If you say that modem is acting as a router and not bridged, then the 850L should be receiving a private IP address of 192.168.254.0/24 range. So the 850L should be receiving a DHCP IP from Netgear not ISP.

On the Netgear, check for DHCP reservation list and create one for the 850L.
Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: FurryNutz on October 31, 2017, 10:18:24 AM
He'll have to confirm.

I know for when I'm testing in a double NAT condition, I can set a reservation on the 1st router and leave the 2nd router as DHCP and all works...However I don't have this particular model router nor the ISP modem.

Setting up a reservation on the 1st router would be good...
Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: lescarlson on October 31, 2017, 03:27:40 PM
Gattsu:
---"it works when he applies a static IP, instead of DHCP, but which router was this applied to?"

The static WAN IP address and WAN gateway address are entered into the "Static" setting in the 850L.
The Netgear modem passes (DMZ) the ISP assigned WAN IP address (Dynamic address) to the 850L. (The Netgear modem/router has a DMZ feature which points to the 850L LAN address 192.168.0.1) When the 850L security update was applied, the 850L lost its connection to the internet. The only way I could get internet to the 850L was to change the "Dynamic IP (DHCP)" setting to "Static". The 'static' address I used was the public WAN address and Gateway address given to the Netgear modem from the ISP. Once I plugged in those two public addresses in the "Static" setting of the 850L the internet connection was restored to the 850L and all the devices it serves.

The Netgear modem/router has both public and private DHCP Servers which are DISABLED and its wireless radio is turned off. All our LAN connections are through the 850L. Prior to the 850L security update the 850L received the internet connection with the "Dynamic IP (DHCP)" setting and the internet connection was just there all the time:

1- NetgearWAN >>> DMZ >>> 850L "Dynamic IP (DHCP)" setting >>> Working system
2- NetgearWAN >>> DMZ >>> 850L [security update] "Dynamic IP (DHCP)" setting >>> No internet to LAN
3- NetgearWAN >>> DMZ >>> 850L [security update] "Static" setting with WAN address plugged in >>> Working system

Although the 3rd system currently works, it will fail when my ISP changes that dynamic WAN address.

---"On the Netgear, check for DHCP reservation list and create one for the 850L."
The Netgear has both a Private and Public DHCP server. I have both of them and the wireless radio disabled. The Netgear passes the internet to the 850L via DMZ. I thought I was doing the right thing by only having the 850L serve. All connections from our LAN are made through the 850L. The Netgear only serves to get the internet (via DMZ) into the 850L. Prior to the 850L security update all was working 100%
Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: FurryNutz on October 31, 2017, 03:31:53 PM
"The Netgear modem passes (DMZ) the ISP assigned WAN IP address (Dynamic address) to the 850L. (The Netgear modem/router has a DMZ feature which points to the 850L LAN address 192.168.0.1) "

I believe the LAN address for the DMZ is incorrect. If the NG modem/ROUTER is using 192.168.1.1 for its LAN then the IP address the 850L gets on its WAN port should be a 192.168.1.### address. <This is the address that should be in the Modem/ROUTER DMZ, not 192.168.0.1...
Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: lescarlson on October 31, 2017, 04:41:06 PM
---"I believe the LAN address for the DMZ is incorrect"
I stated the DMZ pointed to the 850L LAN address. I was wrong. The "DMZ Host", as it is called in the Netgear, points to a MAC number. That MAC number is the 850L's MAC number as shown on the Home page of the 850L's administration pages. My term "points to" is probably not a suitable term. The DMZ Host is currently enabled for the 850L's MAC number. Apparently the 850L's LAN address has nothing to do with the DMZ. It just goes wherever the ethernet cable goes as long as the MAC number matches.

So if the internet connection is always there at the internet port on the 850L, why does the "Dynamic IP (DHCP)" setting in the 850L fail to see it?
Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: FurryNutz on October 31, 2017, 04:54:16 PM
Can you use the IP address the WAN port gets from the NG modem/router instead of the MAC address? Should be 192.168.1.something. Look at the WAN IP address on the 850L Status back. What is it getting from the NG modem/router?

Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: FurryNutz on October 31, 2017, 08:57:54 PM
One other thing to try as well. Disable uPnP on the modem/router as well. See it in some cases having two uPnP features running at the same time can cause problems as well.
Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: lescarlson on October 31, 2017, 09:20:08 PM
---"Can you use the IP address the WAN port gets from the NG modem/router instead of the MAC address? Should be 192.168.1.something. Look at the WAN IP address on the 850L Status back. What is it getting from the NG modem/router?"
---"The IP address the WAN port gets from the NG modem/router" is the same as the Netgear gets from the ISP. The MAC number was selected in the DMZ Host page while enabling the DMZ in the Netgear. At that time the 850L was the only device connected to the Netgear. The Netgear DMZ Host asks which device (from a menu of attached devices) should share the WAN address. The 850L was chosen, the 850L's internet connection was set to "Dynamic IP (DHCP)" and the LAN connected to the 850L worked reliably until the security update.


Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: lescarlson on October 31, 2017, 09:23:22 PM
---"One other thing to try as well. Disable uPnP on the modem/router as well. See it in some cases having two uPnP features running at the same time can cause problems as well."

Thanks. I'll try that...........No cigar. UPnP was enabled but disabling it did not make any difference.
Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: Gattsu on November 01, 2017, 07:43:33 AM
So basically your network should look like this:

Internet <------->Netgear (LAN) <----------> (WAN)850L (LAN) <----->All other devices

What else is the Netgear connected to? If Netgear is not doing anything else other than passing traffic only to 850L, then I recommend setting that to bridge mode. This is the proper way to set up a home network; 1 modem, 1 router, and everything else connects to the router. Two routers complicate things and D-Link does not support such a setup.

If you look at the release notes in the beginning, it will have four WAN security fixes. This tells us that the WAN port is more sensitive to internet traffic. I'm not sure what is breaking the connection between the NG and D-Link but it might have something to do with your double NAT setup.


Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: FurryNutz on November 01, 2017, 09:49:34 AM
I agree, bridging the ISP Modem should work for best results...
https://www.dslreports.com/forum/r28137734-Bridging-7550
Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: lescarlson on November 01, 2017, 08:56:39 PM
FurryNutz,  Gattsu,

You two have been most generous with your time and expertise. That you share your knowledge and suggestions so willingly is deeply appreciated by myself and probably the many others you have helped. I will try to do likewise for another when a situation arises.
Thanks,
LesCarlson
Title: Re: Firmware 1.20B03/2.20B03 Released - Security Fixes
Post by: FurryNutz on November 02, 2017, 08:11:01 AM
Good Luck in your endeavours.