• March 28, 2024, 10:10:14 AM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Author Topic: Schedules and Access Control not working as expected ??  (Read 15875 times)

amawat

  • Level 1 Member
  • *
  • Posts: 4
Schedules and Access Control not working as expected ??
« on: December 26, 2013, 12:41:55 PM »

Hello,

I am trying to set up schedules for managing kids access at night (like most people would do I guess).

I previously owned a DIR-635 where schedules worked perfectly but unfortunately the device suddenly stopped working so I bought a DIR-850L to replace it.

However, on the DIR-850L, I came to the conclusion that access control works perfectly whatever the setting (Log Web Access Only, Block All Access) when the schedule is set as “Always” (which is not really what I want), but as soon as I begin using any kind of real schedule, the behavior of the device becomes erratic. Even though I have been doing a lot of testing, I really can’t figure out any logic, sometimes it allows access whereas it shouldn’t, at some times he logs web accesses and at other times he doesn’t…I’m really clueless about it.

I already checked on the forums
http://forums.dlink.com/index.php?topic=55467.0
http://forums.dlink.com/index.php?topic=45959.0
but this didn’t help.

The router is configured as followed :

Tools/Schedules :
Lu Ve 00-09   MON,TUE,WED,THU,FRI      0:00 ~ 9:00
Lu Ve 09-17   MON,TUE,WED,THU,FRI      9:00 ~ 17:00
Lu Ve 17-21   MON,TUE,WED,THU,FRI      17:00 ~ 21:00
Lu Ve 21-24   MON,TUE,WED,THU,FRI      21:00 ~ 23:59
…and of course it was rebooted (a lot of times !) after programming the schedules,

Schedules are split on 12AM. At one point in time I suspected a bug around 0:00 so I reprogrammed the schedules to start at 1AM but this didn’t really help.

Advanced/Access Control :
Enable    Policy       Machine                                                              Filtering       Logged       Schedule
1   Lu Ve 00-09   10.5.21.102, 10.5.21.103, 10.5.21.104, 10.5.21.105   Block All Access      No      Lu Ve 00-09
2   Lu Ve 09-17   10.5.21.102, 10.5.21.103, 10.5.21.104, 10.5.21.105   Block All Access      No      Lu Ve 09-17
3   Lu Ve 09-17 OK   10.5.21.102, 10.5.21.103, 10.5.21.104, 10.5.21.105   Log Web Access Only   Yes      Lu Ve 09-17
4   Lu Ve 17-21   10.5.21.102, 10.5.21.103, 10.5.21.104, 10.5.21.105   Block All Access      No      Lu Ve 17-21
5   Lu Ve 17-21 OK   10.5.21.102, 10.5.21.103, 10.5.21.104, 10.5.21.105   Log Web Access Only   Yes      Lu Ve 17-21
6   Lu Ve 21-24   10.5.21.102, 10.5.21.103, 10.5.21.104, 10.5.21.105   Block All Access      No      Lu Ve 21-24

On a Thursday at 19:30,
- if I enable only policies 4 and 6, internet access is correctly stopped by the router.
- if I enable only policies 5 and 6, internet access is correctly granted by the router.
- If I enable only policies 1 and 4, access is (incorrectly) granted, and the router does not log anything !
- If I enable only policies 2 and 4, access is (incorrectly) granted, and the router does not log anything !
- if I enable only policies 3 and 4, access is (incorrectly) granted, and the router does not log anything !

On the same day at 21:30,
- If I enable only policy 6, internet access is correctly stopped by the router,
- if I enable only policies 5 and 6, access is (incorrectly) granted, and the router does not log anything !

Each time after playing with the settings I rebooted the device, waited two minutes to allow it to reboot, then disconnected the PC from the wireless network and reconnected. Not working better.
DHCP is static based on MAC address of devices. NTP is configured on GMT+1 to ntp1.dlink.com.
The device was shipped with firmware 1.07, I upgraded it to 1.09 but in both cases it doesn’t help.

Does anybody have a clue, or experience the same problems ? Thank you !
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Schedules and Access Control not working as expected ??
« Reply #1 on: December 26, 2013, 12:55:29 PM »

Link>Welcome!

  • What Hardware version is your router? Look at sticker under router.
  • Link>What Firmware version is currently loaded? Found on the routers web page under status.
  • What region are you located?

Internet Service Provider and Modem Configurations
  • What ISP Service do you have? Cable or DSL?
  • What ISP Modem Mfr. and model # do you have?
  • What ISP Modem service link speeds UP and Down do you have?

Router and Wired Configurations
Some things to try: - Log into the routers web page at 192.168.0.1. Use IE, Opera or FF to manage the router.
  • Turn off ALL QoS or Disable Traffic Shaping (DIR only) GameFuel (DGL only and if ON.) options, Advanced/QoS or Gamefuel.
  • Turn off Advanced DNS Services if you have this option under Setup/Internet/Manual or under Setup/PARENTAL CONTROL/Set to>None: Static IP or Obtain Automatically From ISP.
  • Enable Use Unicasting (compatibility for some ISP DHCP Servers) under Setup/Internet/Manual.
  • Turn on DNS Relay under Setup/Networking. Link>Finding Faster DNS Addresses using Name Bench
  • Setup DHCP reserved IP addresses for all devices ON the router. Setup/Networking. This ensures each devices gets its own IP address when turned on and connected, eliminates IP address conflicts and helps in troubleshooting.
  • Ensure devices are set to auto obtain an IP address.
  • If IPv6 is an option on the router, select Local Connection Only or Disable IPv6 options under Setup/IPv6.
  • Set Firewall settings to Endpoint Independent for TCP and UDP under Advanced/Firewall. Enable or Disable SPI to test.
  • Enable uPnP and Multi-cast Streaming under Advanced/Networking. Disable uPnP for testing Port Forwarding rules. Enable IPv6 Multi-cast Streaming for routers that have a Media Server option. Disable IPv6 Multi-cast Streaming if IPv6 or Media Server is not being used.
  • Turn off WISH, and WPS under Advanced.
  • WAN Port Speed set to Auto or specific speed? Some newer ISP modems support 1000Mb so manually setting to Gb speeds can be supported by the router. Advanced/Advanced Networking/WAN Port Speed
  • Set current Time Zone, Date and Time. Use an NTP Server feature. Tools/Time.

Also:
http://forums.dlink.com/index.php?topic=56478.0

and http://forums.dlink.com/index.php?topic=56479.0
« Last Edit: December 26, 2013, 01:01:46 PM by FurryNutz »
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

amawat

  • Level 1 Member
  • *
  • Posts: 4
Re: Schedules and Access Control not working as expected ??
« Reply #2 on: December 26, 2013, 01:44:45 PM »

Thank you for the quick reply, answers below, unfortunately no solution till now - Best regards,
---------------------------------------------------------------------------------------------

    What Hardware version is your router? Look at sticker under router.
            H/W Ver A.1
    Link>What Firmware version is currently loaded? Found on the routers web page under status.
            Shipped with FW 1.07, Upgraded to 1.09 but same result.
    What region are you located?
             Europe/Belgium

Internet Service Provider and Modem Configurations

    What ISP Service do you have? Cable or DSL?
             ADSL
    What ISP Modem Mfr. and model # do you have?
             Alcatel SpeedTouch Home
    What ISP Modem service link speeds UP and Down do you have?
             Down : 3 Mbps ; Up : 0.3 Mbps

Router and Wired Configurations

    Turn off ALL QoS or Disable Traffic Shaping (DIR only) GameFuel (DGL only and if ON.) options, Advanced/QoS or Gamefuel.
            I already configured QoS OFF during my tests
    Turn off Advanced DNS Services if you have this option under Setup/Internet/Manual or under Setup/PARENTAL CONTROL/Set to>None: Static IP or Obtain Automatically From ISP.
            DNS Mode : Receive from ISP
    Enable Use Unicasting (compatibility for some ISP DHCP Servers) under Setup/Internet/Manual.
             Option not found on the DIR-850L ?
    Turn on DNS Relay under Setup/Networking. Link>Finding Faster DNS Addresses using Name Bench
             Enable DNS Relay was already ON (default setting)
    Setup DHCP reserved IP addresses for all devices ON the router. Setup/Networking. This ensures each devices gets its own IP address when turned on and connected, eliminates IP address conflicts and helps in troubleshooting.
             All PCs were already configured with static DHCP (IP addresses ON the router). I also tried Access Control both with (fixed) IP addresses, and with MAC addresses, but none works with Schedules as explained above.
    Ensure devices are set to auto obtain an IP address.
              All PCs are in DHCP mode
    If IPv6 is an option on the router, select Local Connection Only or Disable IPv6 options under Setup/IPv6.
              IPv6 was already on "Local Connectivity Only"
    Set Firewall settings to Endpoint Independent for TCP and UDP under Advanced/Firewall. Enable or Disable SPI to test.
              I checked both settings and all give the same results
    Enable uPnP and Multi-cast Streaming under Advanced/Networking. Disable uPnP for testing Port Forwarding rules. Enable IPv6 Multi-cast Streaming for routers that have a Media Server option. Disable IPv6 Multi-cast Streaming if IPv6 or Media Server is not being used.
               uPnP was already ON. I tried both settings with multi-cast, same results
    Turn off WISH, and WPS under Advanced.
               WPS was ON (default setting). I set it to OFF but got the same results.
    WAN Port Speed set to Auto or specific speed? Some newer ISP modems support 1000Mb so manually setting to Gb speeds can be supported by the router. Advanced/Advanced Networking/WAN Port Speed
                WAN Port Speed is set to Auto
    Set current Time Zone, Date and Time. Use an NTP Server feature. Tools/Time.
                 Time is correct, TimeZone is GMT+1, [X] Automatically synchronize with ntp1.dlink.com
« Last Edit: December 26, 2013, 01:47:36 PM by amawat »
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Schedules and Access Control not working as expected ??
« Reply #3 on: December 26, 2013, 01:56:56 PM »

Thank you for the quick reply, answers below, unfortunately no solution till now - Best regards"

So does this mean it works now?  ???
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

amawat

  • Level 1 Member
  • *
  • Posts: 4
Re: Schedules and Access Control not working as expected ??
« Reply #4 on: December 26, 2013, 01:59:11 PM »

No, the behaviour of the router concerning Schedules is still the one indicated above -- it gives internet access when it should not, he does not log anything when he should, etc.
It works as expected with one single policy (6), but as soon as more policies are in effect it does not work as expected... :'(
« Last Edit: December 26, 2013, 02:13:36 PM by amawat »
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Schedules and Access Control not working as expected ??
« Reply #5 on: December 26, 2013, 02:50:34 PM »

You might try updating FW:
http://forums.dlink.com/index.php?topic=55592.0

Please follow this if you do:
FW Update Process

No, the behaviour of the router concerning Schedules is still the one indicated above -- it gives internet access when it should not, he does not log anything when he should, etc.
It works as expected with one single policy (6), but as soon as more policies are in effect it does not work as expected... :'(
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

utomo

  • Level 2 Member
  • **
  • Posts: 28
Re: Schedules and Access Control not working as expected ??
« Reply #6 on: December 26, 2013, 09:42:00 PM »

he already upgrade.

look at : Upgraded to 1.09 but same result.

so the problems still same
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Schedules and Access Control not working as expected ??
« Reply #7 on: December 26, 2013, 09:46:53 PM »

I recommend that you phone contact D-Link support and talk to someone at Level 2 or higher and see if there is a problem with this configuration...
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

amawat

  • Level 1 Member
  • *
  • Posts: 4
Re: Schedules and Access Control not working as expected ??
« Reply #8 on: December 27, 2013, 10:57:31 AM »

Hello,
As suggested, I have logged a call to local DLink support but I don’t have received an answer yet.

In the meantime, I made a lot of additional tests and I think I finally found some logic in the way the router handles the policies (although this definitely seems to me as a buggy algorithm).

I did create the following :
a) Under Advanced/Web site filter, I select “ALLOW computers access to ONLY these sites” and I leave the list empty (the purpose is to be able to do some logging by using a “Block Some Access” policy instead of a “Block All Access” policy that always defaults to “No logging”).
b) Under Advanced/Access Control, I create the three following policies :
Enable         Policy          Machine            Filtering                                                            Logged            Schedule
1                 Bugged        10.5.21.102      Log Web Access Only                                          Yes                   Lu Ve 09-17
2                 Blocked       10.5.21.102      Block Some Access ([X] Apply Web Filter)                Yes                   Lu-Ve 17-21
3                 Open            10.5.21.102       Log Web Access Only                                        Yes                    Lu-Ve 17-21
c) I test at 19:30, so schedule “Lu-Ve 17-21” is  active, and schedule “Lu-Ve 09-17” is inactive.
d) If I enable only policy 2, internet access is correctly blocked, and I find back log entries in the router with the URLs asked.
e) If I enable only policy 3, internet access is correctly granted, and I find back log entries in the router with the URLs asked.
This proves that the router configuration is correct, IP is indeed detected and matches the one or the other policy, and logging is effective as well.
f) BUT if I then enable both policies 1 and 2, internet access is incorrectly granted ! … and I do not have any log entry in the router !!!

Conclusion : I understand that the router evaluates the policies one after each other,
In case d), when only policy 2 is active, it matches the IP-address in policy 2,then  checks the schedule (which is indeed active) and applies correctly the required denial of access and loggings.
In case e), when only policy 3 is active, it matches the IP-address in policy 3, then checks the schedule (which is indeed active) and applies correctly the required grants of access and loggings.
BUT in case f), when both policies 1 and 2 are active, he first matches the IP address in policy 1, then checks the schedule (which is indeed inactive), as a consequence he does not apply the policy… but then defaults in merely giving access (without logging), and he never continues to re-evaluate further active policies like policy 2 that would cause him to block access and start logging.

In other words, schedules are evaluated as a yes/no condition to apply the current evaluated policy based on IP, but NOT as a test to select the right policy based on IP AND on schedule.
Of course, as such, the algorithm applied is totally useless for the purpose of protection scheduling, as only ONE single combination of schedule/policy can be applied for a given machine. I think it would definitely require a fix to be useable.

Hope this helps,
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Schedules and Access Control not working as expected ??
« Reply #9 on: December 27, 2013, 11:40:54 AM »

Thank you for this information. Ive forwarded this on to DLink for review. Please be patient while we wait for information response.
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

JoMois

  • Level 1 Member
  • *
  • Posts: 1
Re: Schedules and Access Control not working as expected ??
« Reply #10 on: August 30, 2015, 08:06:21 AM »

Maybe it won't work for you as the problem seems bigger than mine, but on an HW B1 FW 2.06, if I put a space in the name of the schedule, the router just don't want to use that schedule, at the moment I've removed the space everything seems alright, may be worth a test if nothing else helps
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Schedules and Access Control not working as expected ??
« Reply #11 on: August 30, 2015, 10:49:19 AM »

Thanks for posting the info. Hope it will help any future users.  ;)


Maybe it won't work for you as the problem seems bigger than mine, but on an HW B1 FW 2.06, if I put a space in the name of the schedule, the router just don't want to use that schedule, at the moment I've removed the space everything seems alright, may be worth a test if nothing else helps
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.