D-Link Forums

The Graveyard - Products No Longer Supported => Routers / COVR => DIR-868L => Topic started by: ksx2015 on May 25, 2015, 03:09:35 PM

Title: Guest Zone access to public ports
Post by: ksx2015 on May 25, 2015, 03:09:35 PM
Hello everyone,

The configuration of my router (DIR-868L) has some LAN ports exposed to the internet.
This is working just fine and I can access the home server over the internet.

I also have enabled the Guest Zone, so I have 2 additional guest zones (2.4 and 5 GHz).
I have disabled the "Enable Routing Between Zones", so guest zone clients can't access the LAN resources.

However, the guest zone clients can't access the public LAN ports either.
To me this seems like an issue in the routing logic of the device, as I would expect that the guest zone clients should be able to access the public resources without limitation.

example config:
router public ip: 62.21.12.12
LAN server: 192.168.1.5
virtual server: 12345 ->192.168.1.5:12345
guest zone client: 192.168.1.160


Expected results:
guest zone clients should NOT be able to connect to: 192.168.1.5:12345
guest zone clients SHOULD be able to connect to: 62.21.12.12:12345

Actual results:
guest zone clients can access neither 192.168.1.5:12345 nor 62.21.12.12:12345

I hope it is clear what I want to achieve. If needed I can explain further.

Is there some additional configuration that I have missed?
Should I do this in another way?

Please help!
Title: Re: Guest Zone access to public ports
Post by: FurryNutz on May 26, 2015, 07:30:19 AM
Welcome! (http://forums.dlink.com/index.php?topic=48135.0)


Internet Service Provider and Modem Configurations

If you're trying to configure Virtual Server with Guest Zone clients, I don't believe that is a supported configuration. Guest Zone connections are handled similarly to DMZ, allowing connected clients unlimited resource to the WAN side only. There should be no configuration of any LAN side settings for Guest Zone devices. The only feature would be to enable or disable the "Enable Routing Between Zones" if needed or not. Virtual Server handles connections from the WAN side to LAN side sources only. This does not include the Guest Zone.

What application or WAN side resources does this one client use? Please explain more about what the client can't get to...
Title: Re: Guest Zone access to public ports
Post by: ksx2015 on May 26, 2015, 07:59:46 AM
Hardware version: A1
Firmware version: 1.09
Region: Europe

Cable modem: Cisco EPC3208

As for the supported configuration or not:
Since some LAN ports are configured in the virtual server section, I would consider them as part of the internet.
If the guest client can't access them, then in effect they can't access part of the internet.
So, I would ask:
Why are the guest clients restricted from accessing some part (which just so happens resides on my LAN) of the internet?

So, even if it doesn't work at the moment, I can't see any justification that it must remain as is.
Instead, it seems to me that it should be changed.

As for the type of service that is exposed:
It is just a small thing I wrote related to WOL.

CHEERS !

Title: Re: Guest Zone access to public ports
Post by: FurryNutz on May 26, 2015, 08:33:36 AM
Seems like you're trying to configure something that is not supported on D-Link routers. Some routers don't handle WoL due to loopback support not featured on some model routers.

You can review this and see if any of it helps for WoL and your Virtual Server settings:
http://forums.dlink.com/index.php?topic=37018.0
http://forums.dlink.com/index.php?topic=13539.0

Guest zone only handles connected devices to the WAN side unless "Enable Routing Between Zones" is enabled. Then I presume that only allows network access to network folder shares and PCs on the LAN side when enabled, not any virtual server configurations or WoL. I recommend that you contact your regional D-Link support office by phone and ask for help and information regarding this. We find that phone contact has better immediate results over using email.
Let us know how it goes please. Good Luck.
Title: Re: Guest Zone access to public ports
Post by: ksx2015 on May 26, 2015, 08:43:37 AM
Thank you for the reply.
However, I feel more input is needed from my side.

The configuration has several exposed servers and the WOL is just an example.
I would like to access anything available on the internet from my guest zone (even if it happens to reside on my LAN).
At the moment no virtual server can be accessed from guest zone.
The WOL setup is working just fine if I invoke it from other network (for example from my phone 4G).

I want to attach the scheme of my working WOL setup. But ... how?

CHEERS ! :)



Title: Re: Guest Zone access to public ports
Post by: FurryNutz on May 26, 2015, 08:47:42 AM
All resources should be accessible on the WAN side from the GZ. You'd have to enable Routing Between Zones to see if this effects any change. Can you access network shares and folders and PC if this is enabled?

Adding Screenshots In A Post (http://forums.dlink.com/index.php?topic=58120.0)
Title: Re: Guest Zone access to public ports
Post by: ksx2015 on May 26, 2015, 08:53:15 AM
Thank you

Here it is:
(http://s30.postimg.org/s0fr55lwh/Untitled.png)
Title: Re: Guest Zone access to public ports
Post by: FurryNutz on May 26, 2015, 08:58:03 AM
Can you enable Routing Between Zones to see if this effects any change? Can you access network shares and folders and PC if this is enabled from the GZ?
Title: Re: Guest Zone access to public ports
Post by: ksx2015 on May 26, 2015, 09:12:37 AM
I keep my guest zone open (no password) so that anyone that needs internet access can use it for free.
For that reason, I would hesitate to just leave this checkbox selected.

Anyway, I just checked and in that case the guest clients can access the servers.

But, as explained above, this doesn't really fit my picture because in that case the guest clients can access the whole LAN.
And that is a huge NO.

CHEERS !
Title: Re: Guest Zone access to public ports
Post by: FurryNutz on May 26, 2015, 09:25:52 AM
Ok, just making sure that routing between zones works. I presume it would for this quick test. I presume that there is no routing or access for GZ to Virtual Server configured ports when it's disabled or enabled and I presume this is how it's designed or due to the lack of loopback routing. I recommend that you contact your regional D-Link support office by phone and ask for help and information regarding this. Ask for level 2 or higher support. We find that phone contact has better immediate results over using email.
Let us know how it goes please.
Title: Re: Guest Zone access to public ports
Post by: ksx2015 on May 26, 2015, 09:27:21 AM
Thank you ... will keep you posted !
Title: Re: Guest Zone access to public ports
Post by: FurryNutz on May 27, 2015, 07:20:55 AM
 ;)
Title: Re: Guest Zone access to public ports
Post by: FurryNutz on June 05, 2015, 12:38:09 PM
Any status on this?  ???

Title: Re: Guest Zone access to public ports
Post by: ksx2015 on June 07, 2015, 11:23:20 AM
I just got the reply from dlink:

Disable routing between zones is implemented by Linux iptable. 62.21.12.12:12345 actually belongs to LAN.
Therefore, iptable blocks traffic from guest zone to 62.21.12.12:12345.

In other words it is by-design and they don't want to change it.
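The behaviour D-Link describes in this reply, modelled as an added example (not part of the original thread and not D-Link firmware code). It assumes the virtual server is a destination rewrite applied before the forwarding filter, so the isolation rule only ever sees the LAN address; the function names and the `allow_published` exception are hypothetical.

```python
from dataclasses import dataclass, replace

# Values from the thread's example config; everything else is a constructed model.
WAN_IP = "62.21.12.12"
VIRTUAL_SERVERS = {12345: ("192.168.1.5", 12345)}  # WAN port -> (LAN host, port)
LAN_HOSTS = {"192.168.1.5"}

@dataclass(frozen=True)
class Packet:
    in_zone: str           # "guest", "lan" or "wan": where the packet entered
    dst: str
    dport: int
    dnatted: bool = False  # set once a virtual-server rule rewrote the destination

def prerouting(pkt):
    """nat PREROUTING: the virtual server rewrites WAN_IP:port to the LAN server."""
    if pkt.dst == WAN_IP and pkt.dport in VIRTUAL_SERVERS:
        host, port = VIRTUAL_SERVERS[pkt.dport]
        return replace(pkt, dst=host, dport=port, dnatted=True)
    return pkt

def forward(pkt, routing_between_zones, allow_published):
    """filter FORWARD: sees the post-DNAT destination, never the WAN address."""
    to_lan = pkt.dst in LAN_HOSTS
    if pkt.in_zone == "guest" and to_lan and not routing_between_zones:
        # Hypothetical exception: admit only flows a virtual server translated.
        if allow_published and pkt.dnatted:
            return "ACCEPT"
        return "DROP"
    return "ACCEPT"

def verdict(pkt, routing_between_zones=False, allow_published=False):
    return forward(prerouting(pkt), routing_between_zones, allow_published)

def thread_cases():
    """Verdicts for the cases discussed in the thread, isolation enabled."""
    return {
        "guest -> WAN_IP:12345": verdict(Packet("guest", WAN_IP, 12345)),
        "guest -> 192.168.1.5:12345": verdict(Packet("guest", "192.168.1.5", 12345)),
        "wan -> WAN_IP:12345": verdict(Packet("wan", WAN_IP, 12345)),
        "guest -> internet host": verdict(Packet("guest", "203.0.113.10", 443)),
    }

if __name__ == "__main__":
    for case, result in thread_cases().items():
        print(f"{case:28} {result}")
```

In iptables, an exception of the `allow_published` kind can be expressed with the conntrack match's `DNAT` state, which matches only connections whose destination was translated.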

Title: Re: Guest Zone access to public ports
Post by: ksx2015 on June 08, 2015, 12:23:44 AM
Another reply:

Please allow me to explain for this case again.

Based on Vendor's description, if the user disables routing between zones, then guest zone users will not be able to access LAN IP address, but guest zone users can still access WAN IP address.

If you find Vendor's topology, you can see he set a virtual for LAN server (192.168.1.5:12345), and that means when a user tries to connect to WAN IP with port 12345, DIR-868L will redirect the WAN (62.21.12.12:12345) to LAN (192.168.1.5:12345). That is why Vendor explains WAN (62.21.12.12:12345) belongs to LAN IP.

If the user enables routing between zones, there will be no problem if a guest zone client tries to access WAN (62.21.12.12:12345).
Title: Re: Guest Zone access to public ports
Post by: FurryNutz on June 08, 2015, 07:05:39 AM
Sounds like you have the information that D-Link provided to you.

Thank you for sharing this information.
Title: Re: Guest Zone access to public ports
Post by: ksx2015 on June 08, 2015, 10:45:25 AM
The above two responses from DLINK sound to me like:
          - We made it work like this and no matter how wrong it is, it is going to stay like that because that is how we made it.
            Now, let me explain to you my misunderstanding of the topic.
Title: Re: Guest Zone access to public ports
Post by: ksx2015 on June 09, 2015, 12:22:43 AM
Some light at the end of the tunnel:

I think you are asking about changing current design on DIR-868L, and we cannot make decision for that.

If you want to change the current design, and I would recommend you to contact to our PP XXXXXXXX
Title: Re: Guest Zone access to public ports
Post by: FurryNutz on June 17, 2015, 06:08:04 PM
Thanks for the feedback.
Title: Re: Guest Zone access to public ports
Post by: ksx2015 on June 19, 2015, 01:58:08 PM
What do you think of the next reply:

That’s strange request and the behavior of guest zone is implemented for many years. Do you think that’s a wrong behavior? And need to satisfy one people to change it? As I know, if don’t enable “routing between zones”, user can’t access LAN server through WAN port, but it still can access internet normally. For this NAT loopback, user set up “disable routing between zone” that is for privacy and security, if guest can access LAN devices through WAN that will be a bug and have security concern. Please let me know what application the customer do for guest access WAN. And also confirm the remote management is enabled.

Title: Re: Guest Zone access to public ports
Post by: speedy67 on October 05, 2019, 11:41:16 AM
Hi,

I've exactly the same issue : We now are at last two !  :-*

I've many webservers and other services like cloud sharing reachable from internet (using virtual server feature).
I'm only using mac computers at home, connected to a server with shared folders only available thru afp protocol. Other protocols like smb or CIFS are disabled (I hope that's actual).

My daughter got from her highschool a free notebook pc. I don't manage it. She has all the rights (admin) on her system. She can connect her pc to my server from her highschool via https protocol.
When she's at home, she connects her pc to the internet via the GZ. I disabled routing between both lans (192.168.7.0 and 192.168.1.0) to prevent any ransomware that could encrypt the content of my local server.

Everything runs fine but accessing to the server via the https protocol with the pc. It's possible from the highschool and not at home !

I tried to create a rule in the iptable that redirects all traffic from the GZ (192.168.7.0/24 lan) to the wan side (to my wan ip number) but I perhaps set up a wrong rule and I completely blocked the router. I've to reset it to factory defaults and restore my configuration to get it working again.

I opened a ticket on dlink's support website but I only got the user manual as answer.

If someone has the solution, it would be great !!

Thanks a lot.

Title: Re: Guest Zone access to public ports
Post by: FurryNutz on October 05, 2019, 12:42:50 PM
If this PC is in the Guest Zone and it wants to connect to a local server on the LAN side, then the PC should be connected to the LAN side part of the network with this server on it. Not in the Guest Zone as the GZ doesn't allow for LAN side access while in the GZ.

FYI, this router is EOL so not much, if any, support will be given by D-Link anymore for this router.
Title: Re: Guest Zone access to public ports
Post by: speedy67 on October 05, 2019, 12:55:35 PM
This PC is on the GZ because I don't want it to access other resources on the LAN, only the ones that are reachable from the internet.
Title: Re: Guest Zone access to public ports
Post by: FurryNutz on October 06, 2019, 12:50:31 PM
Might see if there is a feature called Local LAN Isolation or Local LAN accessibility from the Guest Zone side. I remember some routers had this feature. I don't remember if the 868L did or not.