
Topic: Syslog and log problems

tvBilly

Syslog and log problems
« on: December 24, 2014, 06:17:57 PM »

Hi,

I just replaced my aging-but-wonderful DIR-655 with a DIR-868L. I'm using it as a firewall and NAT router between my TWC cable modem and my (1000Mb/s) LAN. The ONLY reason I replaced the 655 was due to the WAN-LAN throughput. My TWC internet service provides a reliable, consistent 325Mb/s connection, and the 655 couldn't quite keep up (it tops out at about 250Mb/s). I'm actually not using the WiFI radios (with either router), though I planned on testing the 868L's WiFi as compared to the Access Point I'm currently using, to use the 868L's WiFi if it turned out to work better (but I digress).

I'm having a real problem with the DIR-868L's Syslog function. Unlike my DIR-655, which sends out standard Syslog messages, the 868L sends out Syslog messages that are totally non-standard, and hence not properly handled by my Workstation Syslog daemon. (MacOSX, Snow Leopard). I used WireShark to packet capture the traffic on my LAN to try to figure out what was going on. It turns out the problem is NOT with my Syslog client, nor with the 868L's sending method, but is due to the format of the Syslog message, which totally disregards the Syslog Protocol (RFC 5424). Here is what a couple of properly formatted Syslog messages look like (sent from my DIR-655):

Code:
<110>Wed Dec 24 19:08:34 2014 Gateway System Log: Allowed configuration authentication by IP address 10.0.0.10
<110>Wed Dec 24 19:09:02 2014 Gateway System Log: Blocked incoming ICMP packet (ICMP type 8) from 203.178.148.19 to 72.229.x.x

Here is what a bunch of improperly formatted Syslog messages look like (sent from my DIR-868L):

Code:
DHCP: Server receive DISCOVER from a4:ed:4e:xx:xx:xx
DHCP: Server sending OFFER of 10.0.0.53 for static DHCP client
DHCP: Server receive REQUEST from a4:ed:4e:xx:xx:xx
DHCP: Server sending ACK to 10.0.0.53
ATT:001[SYN-ACK][10.0.0.10][LAN-1]
ATT:001[SYN-ACK][10.0.0.5][LAN-1]
ATT:001[SYN-ACK][10.0.0.10][LAN-1]

Note the lack of any Facility and Severity info at the beginning of each Syslog message from the 868L. (The "<110>" at the beginning of each Syslog message from the 655, which is called the PRI or PRImary). Note also the lack of a timestamp between the PRI and the message itself. Both the PRI and the timestamp are REQUIREMENTS, not options, in the Syslog Protocol.

Again, there is no problem with the configuration on my Workstation Syslog daemon/client, nor is there any problem with the 868L sending the Syslog message to my Workstation; the problem is the format of the Syslog message sent by the 868L. Everything (Syslog related) works just fine when I swap back the 655 in place of the 868L. D-Link phone support, both Level 1 and Level 2, could offer no help whatsoever, other than to say they'd pass on the info and get back to me at some point (they cautioned me that it wouldn't be a timely response).

Why on earth did D-Link change a perfectly working Syslog for one that doesn't follow the standard and hence doesn't work? In searching the forum before I posted this, I noted a few similar messages for other D-Link router owners, and no resolution. I'm guessing that at some point D-Link changed the Syslog code, probably when they changed the format of their Log messages. Do all the current D-Link routers suffer from this "problem"?

Which brings me to part two of my quest for help. The DIR-868L's logging facility seems to have taken a HUGE step backwards. It doesn't appear to be logging ANY dropped WAN-LAN packets whatsoever (unless I'm missing something). My TWC cable modem is bombarded by attempts to hack into my LAN. Hundreds a day, day after day. I want my network interface to document them for me. My 655 does a great job of this; my 868L ignores them. Hopefully it's just not bothering to log them, as opposed to ignoring them and letting them through! (btw, is there ANY documentation on what all the possible 868L log messages are? ATT:001[SYN-ACK] tells me a little, but not nearly as much as my 655 told me. And is there an ATT:002 and what does it mean? Why keep this stuff a secret?)

Alas, I fear that the log and syslog problems I'm having are by design rather than due to bugs, and if that turns out to be the case, I'm afraid that the DIR-868L will have to be returned. Which leads me to my final question: Is there any D-Link router that will satisfy my requirements for high WAN-LAN throughput, and also provide useful logging and syslog functions? I really like D-Link, and would prefer to stick with them. I don't need or want cloud based nannying, nor do I want to spend $300-$500 on a router, along with yearly paid updates, just to turn off all the nannying stuff. I really don't need the WiFi part, but the DIR-868L was such a good router, and has such great radios, that it seemed like a good idea whether I wound up using its WiFi or not. At a street price of ~ $130, the 868L was enough of a bargain that it didn't matter to me whether I used its WiFi or not. I guess if there's no suitable D-Link product I can go with an EdgeRouter Lite (~ $100) and spend a week learning how to configure it. (shudder...)

Thanks for any help or suggestions you can offer. If there is a Mac OSX Syslog client that speaks D-Link DIR-868L's (unique?) Syslog language, that could be an option, but I couldn't find one that spoke anything other than the standard Syslog language.

edit: In case it matters, my DIR-868L is Hardware A1, came with Firmware 1.07 which I updated to 1.09 before programming it.
« Last Edit: December 24, 2014, 06:20:13 PM by tvBilly »
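The format gap described in this post, as an added example that is not part of the original thread and not D-Link code: a small Python checker that decodes the leading <PRI> value (priority = facility * 8 + severity, so <110> is facility 13 with severity 6, informational), recognises both the ctime-style stamp the DIR-655 writes after the PRI and the classic BSD stamp of RFC 3164, lists the DIR-868L payloads that carry neither and would therefore be refused by a strict daemon, splits the ATT: records into their bracketed fields, and rebuilds a header-less payload into a BSD-style line a standard daemon will accept. One caveat for anyone checking against the RFC text: the DIR-655 lines follow the older BSD syslog layout; RFC 5424 additionally requires a version number and an ISO 8601 timestamp after the PRI. The sample lines are copied from the post; SAMPLE_TIME, the default priority 14 (user.info) used for rebuilt lines, and the field names given to ATT: records are assumptions made here.

```python
import re
from datetime import datetime

# Sample UDP payloads copied from the post above: two DIR-655 lines that carry a
# <PRI> header and a timestamp, and three DIR-868L lines that carry neither.
DIR655_LINES = [
    "<110>Wed Dec 24 19:08:34 2014 Gateway System Log: Allowed configuration "
    "authentication by IP address 10.0.0.10",
    "<110>Wed Dec 24 19:09:02 2014 Gateway System Log: Blocked incoming ICMP packet "
    "(ICMP type 8) from 203.178.148.19 to 72.229.x.x",
]
DIR868_LINES = [
    "DHCP: Server receive DISCOVER from a4:ed:4e:xx:xx:xx",
    "DHCP: Server sending OFFER of 10.0.0.53 for static DHCP client",
    "ATT:001[SYN-ACK][10.0.0.10][LAN-1]",
]
# Constructed receive time used when a payload has no timestamp of its own.
SAMPLE_TIME = datetime(2014, 12, 24, 19, 8, 34)

PRI_RE = re.compile(r"^<(\d{1,3})>")
# ctime-style stamp the DIR-655 writes after the PRI: "Wed Dec 24 19:08:34 2014 "
CTIME_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]?\d \d\d:\d\d:\d\d \d{4} ")
# classic BSD / RFC 3164 stamp: "Dec 24 19:08:34 "
BSD_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# DIR-868L "ATT:" records; the field names used below are an assumption, not D-Link's
ATT_RE = re.compile(r"^ATT:(\d{3})\[([^\]]*)\]\[([^\]]*)\]\[([^\]]*)\]$")

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_pri(line):
    """Decode a leading <PRI> into (facility, severity); None if absent or out of range."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # 23 * 8 + 7 is the largest value the protocol allows
        return None
    return divmod(pri, 8)  # PRI = facility * 8 + severity


def check_message(line):
    """Report whether a payload carries the mandatory PRI and timestamp, and what is left."""
    info = {"has_pri": False, "has_timestamp": False,
            "facility": None, "severity": None, "msg": line}
    rest = line
    decoded = parse_pri(line)
    if decoded is not None:
        info["has_pri"] = True
        info["facility"], info["severity"] = decoded
        rest = PRI_RE.sub("", line, count=1)
    m = CTIME_RE.match(rest) or BSD_RE.match(rest)
    if m:
        info["has_timestamp"] = True
        rest = rest[m.end():]
    info["msg"] = rest
    return info


def audit(lines):
    """Return the payloads a strict syslog daemon would reject (missing PRI or timestamp)."""
    rejected = []
    for line in lines:
        info = check_message(line)
        if not (info["has_pri"] and info["has_timestamp"]):
            rejected.append(line)
    return rejected


def parse_att(msg):
    """Split an ATT:NNN[...][...][...] record into its bracketed fields (assumed names)."""
    m = ATT_RE.match(msg)
    if not m:
        return None
    return {"code": m.group(1), "flags": m.group(2),
            "address": m.group(3), "interface": m.group(4)}


def normalize(line, now, default_pri=14):
    """Rebuild a header-less payload as a BSD-style line: <PRI>Mmm dd hh:mm:ss MSG.

    default_pri=14 is user.info (facility 1 * 8 + severity 6), an assumed choice for a
    relay that has no better information about what the device meant.
    """
    info = check_message(line)
    pri = info["facility"] * 8 + info["severity"] if info["has_pri"] else default_pri
    if info["has_timestamp"]:
        # keep the device's own stamp; only the PRI is (re)written
        body = PRI_RE.sub("", line, count=1)
        return f"<{pri}>{body}"
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{pri}>{stamp} {info['msg']}"


if __name__ == "__main__":
    for line in DIR655_LINES + DIR868_LINES:
        info = check_message(line)
        sev = SEVERITY_NAMES[info["severity"]] if info["has_pri"] else "-"
        print(f"pri={info['has_pri']!s:5} ts={info['has_timestamp']!s:5} "
              f"sev={sev:7} {info['msg'][:50]}")
    print("rejected:", len(audit(DIR655_LINES + DIR868_LINES)))
    print("rebuilt :", normalize(DIR868_LINES[2], SAMPLE_TIME))
```

In practice normalize() would sit in a tiny UDP relay between the router and the workstation daemon, so that the DIR-868L's bare messages arrive with the header the daemon insists on; audit() alone is enough to confirm, from a packet capture, which payloads the daemon was silently discarding and why.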

FurryNutz
D-Link Global Forum Moderator
Re: Syslog and log problems
« Reply #1 on: December 25, 2014, 11:06:08 AM »

Welcome!

Is this router being used in a home or business environment?

The 868L is a great router and does handle Gb WAN port speeds from what I know. I don't know the design and behavior of the syslog feature as I don't use it much unless the router is experiencing bad behavior that D-Link needs to review. I've never had much issue with this model router and it is a solid router. I've actually sacrificed mine to a family member for Christmas.  ::) I'll be finding another.  :'(

I recommend that you phone contact your regional D-Link support office and ask for help and information regarding this. Ask for level 2 or higher support. We find that phone contact has better immediate results over using email.
Let us know how it goes please.
« Last Edit: December 25, 2014, 12:04:59 PM by FurryNutz »
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

tvBilly

Re: Syslog and log problems
« Reply #2 on: December 26, 2014, 06:58:36 AM »

Hi,

I'm using it in my home environment. I did speak with D-Link support before I posted, and they (Level 1 and Level 2) didn't have any answers, though they said they'd get back to me. (They also said not to expect a very timely answer).

Other than the Log/Syslog deficiencies, I'm pretty happy with the 868L, but logging and reporting are pretty high on my list of "requirements", so I suspect I'll be returning the 868L next week (barring any revelations). I have noticed that the 868L only holds 50 log items before it emails them and clears the log, so I've been getting 20+ emails a day, instead of one every couple of days that I got from my 655 (the emailed log from the 655 is about 475KB and the ones from the 868L are about 10K). If the 868L were logging dropped incoming probes the way the 655 does, I'd be getting 1000 emails a day.  >:(

Do you (or others) have any suggestions for a D-Link product that can handle close to a gigabit of data flow, AND has a great firewall and logging capabilities? I really just need a router, and don't need the WiFi part. Maybe one of the D-Link "pro" line instead of the "consumer" line?

Thanks for your help, and hope you're having a nice holiday, even if it meant giving up YOUR 868L  ;)

FurryNutz
Re: Syslog and log problems
« Reply #3 on: December 26, 2014, 02:23:47 PM »

Maybe the DSR series of routers however those are really meant for business class environments...

tvBilly

Re: Syslog and log problems
« Reply #4 on: December 28, 2014, 12:09:26 AM »

I checked out the DSR-500 (don't need the 500N) and it looks interesting. It certainly has all the logging functions I should ever need (and its Syslog functions appear to be complete and totally standard). I guess many of my needs may be more aligned to business class routers than home class. Thanks for the pointer, though I am concerned about the DSR routing throughput.

I notice that you're a sysop/moderator in the DSR forum too, so I'll continue my questions (about the DSR) there.

FurryNutz
Re: Syslog and log problems
« Reply #5 on: December 28, 2014, 12:08:09 PM »

If you have business needs then ya, you'll need a business class router. Home class routers are somewhat limited on features since the average home user just needs connections and limited management features. Being able to just install the router and have it work is one thing that home users want.

Good luck.