Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Bluey]

Ok, over the past two weeks or so, I have noticed problems with my internet.
Speeds are fine when its working, but most of the time, there are drops or cut-outs where pages wont load for a couple minutes.
When streaming Netflix, I see more interruptions where the stream just stops, until I refresh the page and reload it.

I called the cable company to see if it was anything on their end, and was told my line is fine.
So I started going thru my router setup. Everything seems to be the way I had it before when everything was fine.

However, I now always see, from a couple, to 150-200 outgoing (mostly TCP, sometimes UDP) internet sessions, to random IP addresses. Also, its like someones running a scan of the ports, as the ports always seem to be between 47000 and 52000, and sequential. The cable company said its likely I have a virus or malware on my computer.
Well, over the past couple of weeks, I had wiped Windows 7 and have done 3 or 4 fresh installs, and I still have the same problem.
I also got one of my old computers working, and with a fresh install of XP SP3 on it, I have the same issue.

So if its not my computers, or my ISP, all thats left is my DIR-615 E3.
I know what most of the basic settings do, but have no idea how to setup the advanced features on this router, especially port forwarding and the firewall. The documentation sux for the layman, as it assumes you're already an IT Specialist.

So my question is, does anyone have any idea why I have all these outgoing internet sessions, and more importantly how to stop them and secure my router fully.

[FurryNutz]

What Hardware version is your router? Look at sticker under router.
What Firmware version is currently loaded? Found on routers web page under status.
What region are you located?
Are you wired or wireless connected to the router?

What ISP Service do you have? Cable or DSL?
What ISP Modem do you have? Stand Alone or built in router?
What ISP Modem make and model do you have?
If this modem has a built in router, it's best to bridge the modem. Having 2 routers on the same line can cause connection problems.
To tell if the modem is bridged or not, look at the routers web page, Status/Device Info/Wan Section, if there is a 192.168.0.# address in the WAN IP address field, then the modem is not bridged.

Some things to try:
Turn off ALL QoS or Disable Traffic Shaping (DIR only) GameFuel (DGL only and if ON.) options. Advanced/QoS or Gamefuel.
Turn off Advanced DNS Services if you have this option under Setup/Internet/Manual.
Turn on DNS Relay under Setup/Networking.
Setup DHCP reserved IP addresses for all devices ON the router. Setup/Networking
Ensure devices are set to auto obtain an IP address.
Set Firewall settings to Endpoint Independent for TCP and UDP under Advanced/Firewall.
Enable uPnP and Multi-cast Streaming under Advanced/Networking.

What wireless modes are you using? Under Setup/Wireless/Manual.
Try single mode G or mixed G and N?
Channel Width set for Auto 20/40Mhz or try 20Mhz only.
What security mode are you using? Preferred security is WPA-Personal. WPA2/AES Only. Some WiFi adapters don't support AES, so you might want to try TPIK only or Auto.
What wireless devices do you have connected?
Any cordless house phones?
Any other WiFi routers in the area? Use InSSIDer to find out.
Turn off Short GI and Extra Wireless Protection if you have it. Under Advanced/Advanced Wireless.

Turn off all anti virus and firewall programs on PC while testing. 3rd party firewalls are not generally needed when using routers as they are effective on blocking malicious inbound traffic.
Turn off all devices accept for one wired PC while testing.

Check cable between Modem and Router, swap out to be sure. Cat6 is recommended.

[Bluey]

What Hardware version is your router? Look at sticker under router.
E3
What Firmware version is currently loaded? Found on routers web page under status.
It had E3 5.10NA, I recently reflashed it, same issue.
What region are you located?
US
Are you wired or wireless connected to the router?
Tried both, same issue.

What ISP Service do you have? Cable or DSL?
Cable
What ISP Modem do you have? Stand Alone or built in router?
ISP provided Arris TM602G, which the cable company assures me has NO security or router functions installed.
What ISP Modem make and model do you have?
If this modem has a built in router, it's best to bridge the modem. Having 2 routers on the same line can cause connection problems.
Nope, its just a basic modem, no router or wireless functionality.
To tell if the modem is bridged or not, look at the routers web page, Status/Device Info/Wan Section, if there is a 192.168.0.# address in the WAN IP address field, then the modem is not bridged.
It shows my ISP provided IP here, NOT 198.168.0.#.

Some things to try:
Turn off ALL QoS or Disable Traffic Shaping (DIR only) GameFuel (DGL only and if ON.) options.
Advanced/QoS or Gamefuel.
OK, its OFF, still have LOTS of outgoing connections
Turn off Advanced DNS Services if you have this option under Setup/Internet/Manual.
Have previously tried turning this on and off to see if it helped, its now OFF, still same issue
Turn on DNS Relay under Setup/Networking.
Have also tried switching this on and off before, its now ON, still same issue
Setup DHCP reserved IP addresses for all devices ON the router. Setup/Networking
Since getting this router, I've always set this up for each device, and use non-default address ranges. Still have same issue
Ensure devices are set to auto obtain an IP address.
I've never been sure how to set this. They DO show they are DHCP enabled...??

Set Firewall settings to Endpoint Independent for TCP and UDP under Advanced/Firewall.
Hmm...OK..I've always had these set as Port & Address Restricted.Now set to Endpoint, still same issue
Enable uPnP and Multi-cast Streaming under Advanced/Networking.
Also tried both these on and off before, and had the same issue. Both now set to ON, same issue

What wireless modes are you using? Under Setup/Wireless/Manual.
Try single mode G or mixed G and N?
I only have the laptop using wireless, and its N, so I have always had this set to N only. Same issue
Channel Width set for Auto 20/40Mhz or try 20Mhz only.
I've always had this set to Auto 20/40, but switched it to 20 only.Still same issue
What security mode are you using? Preferred security is WPA-Personal. WPA2/AES Only. Some WiFi adapters don't support AES, so you might want to try TPIK only or Auto.
Always used WPA-2, and tried both TPIK, and AES, independently, and together. Now set to AES only. Same issue.
What wireless devices do you have connected?
Just one laptop, and occasionally connect the older XP SP3 computer using Ethernet.
Any cordless house phones?
Yes. Unfortunately, we only have the one active cable coming into the house, and have digital phone which also uses the modem, so I'm limited on how far away I can move the phone base. I've moved it about 20ft away in a different room, but didnt notice any significant difference in WiFI signal. Also, the laptop is never used more than 15-20ft away from the router, and I get -40dB signal at worst, up to -18dB when I use it at the same desk the router is on.
Any other WiFi routers in the area? Use InSSIDer to find out.
Yes, there 6 or 7 I pick up from the neighbors, all at -85dB or worse, and I've moved off channel from them. They are all using Chan 1, 5, or 6, so I use 11. Still same issue
Turn off Short GI and Extra Wireless Protection if you have it. Under Advanced/Advanced Wireless.
Short GI was always on, so I left it on. Now switched OFF, same issue. I didnt see anything for Extra Wireless Protection? By the way, I also have always had WPS/WCN off, as I dont have any devices that need it.
Turn off all anti virus and firewall programs on PC while testing. 3rd party firewalls are not generally needed when using routers as they are effective on blocking malicious inbound traffic.
Hmmm... I've always used ZoneAlarm and Avast, since I used to run DSL thru Ethernet off the modem (No router). When I got the DLink, the Firewall section was too confusing for me to setup, so I always thought the router firewall was open by default. Again, I dont feel comfortable NOT running a software firewall/virus protection, until I know for SURE that the router firewall is setup properly and actually working. Are there any layman's tutorials out there specifically for setting up firewall on the DIR-615?
Turn off all devices accept for one wired PC while testing.
Yup...Been doing this everytime I mess with the router.

Check cable between Modem and Router, swap out to be sure. Cat6 is recommended.
Yup...Also tried 3 different cables, although they are all only Cat-5.

I just noticed today that the outgoing sessions have moved up in my port range, into the 54000's...Also have been occasionally getting an IGMP session here and there. Also, all the sessions are going to random IPs at ports 80 and 443.

I've played with my ZoneAlarm settings, and even tried installing ZoneAlarm Pro, as well as Comodo, and nothing seems to stop these sessions. I're tried fresh installs of Win7 4 times now, and even pulled my laptop HDD and hooked it to the old computer to wipe and rewrite the HDD completely, thinking maybe I had a rootkit or something that wouldnt go away with the Win7 fresh install from the Acer recovery discs.
Nothing seems to be be blocking these outgoing sessions.

[FurryNutz]

Ok, can you turn off the Wifi radio and ALL wireless devices and wired devices accept for ONE pc and see if you see the same thing? I'm curious if there is someone else on your network or another PC or device causing this?

Can you post a sample picture of the sessions? Use Photobucket to get a IMG url link and post it here.

[Bluey]

Yeah, thats what I thought too...Maybe someone is jacking my wireless. Incidentally, I DID see someone parked in the parking lot across the street from my house late one night using a laptop. There are two unsecured neighbors' networks in the area, so I'm thinking they were using one of those, if anything.
But no, I tried removing EVERYTHING except the laptop and router from the network, with the wireless OFF, and wired to the router...still the same issue.

I've never seen any other wireless activity, as I only ever show up on the Status->Wireless info.
I change my wireless SSID, and use a 63 character random password, which I change every month or so, and have always had it set to Invisible.
I also use MAC filtering on the router. I know there are work arounds for it, but I live in a small rural village, and I don't really think there is anyone who is even as computer knowledgable as I am to be able to get around the MAC filtering, AND my AES key.

Here's a couple of snapshots, a couple minutes apart:

[Bluey]

Here's another shot I just took:



Working its way up my port range...... I actually had about 100 open sessions here, but my screen cap wouldnt scroll to get them all...lol

[FurryNutz]

Are the Internet Addresses your ISP address on the modem or something else? If not belonging to your address pool, I would use Domaintools.com and input some of those addresses and see where they belong to. I presume the blacked out address is your PCs address? do you see any other addresses there besides yours?

Do you have any programs running in the back ground besides the security stuff.

What happens if you restart the PC in SafeMode with Networking and look at the Sessions again?

[Bluey]

Are the Internet Addresses your ISP address on the modem or something else? If not belonging to your address pool, I would use Domaintools.com and input some of those addresses and see where they belong to.
I'm pretty sure those are all NOT my modems IP address. So far I came up with 67 unique IP addresses that show up. Ran quite a few across Domaintools, and most seem to belong to Google, Amazon, Facebook, RoadRunner (which DOES happen to be my ISP), Level 3 Communications, and a few other odds & ends.

 I presume the blacked out address is your PCs address? do you see any other addresses there besides yours?
Yeah, thats my comps DHCP address to the router, no, no other addresses on that side.(I currently only have the laptop wired to the router, so none of my other LAN side addresses should show.)
Do you have any programs running in the back ground besides the security stuff.
Just these: (the ones that are enabled "Yes")




What happens if you restart the PC in SafeMode with Networking and look at the Sessions again?

Same thing....STILL get the random sessions showing. 

After looking up a bunch of the IPs and seeing who they belong to, I got to wondering if maybe they arent from some kind of tracking cookies or something. The thing is, I still get some of them showing if I use a fresh install of Chrome. (ie I have no history, bookmarks, passwords or anything setup in it).
It IS odd that I get some unique IPs when I use Chrome, that I dont get in Firefox, and vice versa, with only two or three that seem to be common whether I use Chrome OR Firefox.

Now i wish there was an interface OTHER than a web-interface for accessing the UI on the router directly.....So I could check it direct with NO browser open at all... 
I guess I'll have to look into some apps I can use for that, to see if these sessions are still running with no browser open.

I have to wonder though....There are checkboxes in ZoneAlarm where you can block all incoming and outgoing TCP and UDP ports, for BOTH the Internet and Trusted Zones. I've always run these all checked, with port ranges of 0-65535. So now I have to wonder also if my firewall is NOT truly working as it should, or if these sessions can somehow be started direct from in the router itself.

When I first got this router, I had thought about running DD-WRT on it, but it wasnt supported on the E3 version.  I just looked again, and it seems its now supported for the E3....I may have to give that a look. I just dread having to spend hours researching and learning all about DD-WRT, though...lol

[FurryNutz]

I would test with out any 3rd party FW and windows FW disabled as a test.

Only other way I think you can track down those IP addresses and what program is doing this would be to try WireShark. Take a sample, say a minute or 2. Then scan the log file for those IP addresses and Wireshark should give you the process or program where it's coming from.