D-Link Forums

D-Link Wireless Routers for Home and Small Business => COVR-3902-US => Topic started by: 02ebz06 on September 13, 2017, 08:42:44 AM

Title: Beefing up Wireless security
Post by: 02ebz06 on September 13, 2017, 08:42:44 AM
I'd like to add as much security as I can to my wireless network.
I have not found any way to do the following:

1) Disable SSID broadcast
2) Limit network access to a list of MAC addresses.

Did I miss something, or are those features non-existent in the COVR ?

TIA
Title: Re: Beefing up Wireless security
Post by: FurryNutz on September 13, 2017, 10:03:06 AM
D-Link took out SSID hiding a while ago in previous models as its not very secure and can be seen by scanners.

Have you set up parental controls for your devices that need control?
Title: Re: Beefing up Wireless security
Post by: 02ebz06 on September 14, 2017, 07:40:35 AM
Never thought about setting Parental Control, since our kids have flown the coop.
Isn't that for outbound connections though, I want to block inbound connections?
I will look at it.

Being able to only allow certain MAC address on the local network would be ideal.
Title: Re: Beefing up Wireless security
Post by: FurryNutz on September 14, 2017, 08:07:21 AM
What are you trying to limit on the your network?
The Mac Filter was also a older generation feature.  ::)

Are you trying to keep others from the outside coming in?
Title: Re: Beefing up Wireless security
Post by: 02ebz06 on September 14, 2017, 09:11:58 AM
Dang, just lost everything I was adding.
I was playing with a IPV4 firewall, but lost outgoing connection when I saved the rule, and everything I had typed in.

Yes, want to block WAN to LAN access.

For the rule, I selected this -->  "Turn IPV4 Filtering ON and DENY rules listed"
The manual isn't 100% clear at to what this means (at least to me).
From the manual: "To begin, use the drop-down menu to select whether you want to ALLOW or DENY the rules you create"
Denying the Rule seems a strange way to word it, so I assume that it means it will deny the access listed in the rule.

Had an issue with setting a WAN rule range.
Can't use 0.0.0.0-255.255.255.255
Lowest you can set is 1.0.0.0  and  highest is 223.255.255.255

So I created this rule"

"Turn IPV4 Filtering ON and DENY rules listed"
Name:         Block WAN Access
Source:       WAN   1.0.0.0-223.255.255.255
Destination:  LAN  192.168.0.0-192.168.255.255
Port Range:   Any
Schedule:     Always Enable


So once I Saved it, I lost outbound network connection.
Obviously that was not what I wanted to happen.
Title: Re: Beefing up Wireless security
Post by: FurryNutz on September 14, 2017, 09:29:39 AM
Thats because your blocking the entire internet range with in .1 thru .255. You can't do that.

I believe that that filter is meant for a specific IP address from the WAN to block so if you have a WAN IP address thats trying gain access to something on the LAN side, you would just use that one IP address that is attempting to gain access. Don't use the full IP address range or you block the entire internet.


Dang, just lost everything I was adding.
I was playing with a IPV4 firewall, but lost outgoing connection when I saved the rule, and everything I had typed in.

Yes, want to block WAN to LAN access.

For the rule, I selected this -->  "Turn IPV4 Filtering ON and DENY rules listed"
The manual isn't 100% clear at to what this means (at least to me).
From the manual: "To begin, use the drop-down menu to select whether you want to ALLOW or DENY the rules you create"
Denying the Rule seems a strange way to word it, so I assume that it means it will deny the access listed in the rule.

Had an issue with setting a WAN rule range.
Can't use 0.0.0.0-255.255.255.255
Lowest you can set is 1.0.0.0  and  highest is 223.255.255.255

So I created this rule"

"Turn IPV4 Filtering ON and DENY rules listed"
Name:         Block WAN Access
Source:       WAN   1.0.0.0-223.255.255.255
Destination:  LAN  192.168.0.0-192.168.255.255
Port Range:   Any
Schedule:     Always Enable


So once I Saved it, I lost outbound network connection.
Obviously that was not what I wanted to happen.
Title: Re: Beefing up Wireless security
Post by: 02ebz06 on September 14, 2017, 09:47:56 AM
I guess I misunderstood it's function then.
I though it would block any outside IP from trying to access my network.
Don't understand why it blocked outgoing traffic.
So you are saying I need to allow unsolicited WAN devices to access my network?

So no way to block unknown unauthorized IP's from accessing my network?
 
Title: Re: Beefing up Wireless security
Post by: FurryNutz on September 14, 2017, 09:50:19 AM
I believe thats whats it's for, WAN Side.

You would have to figure out what WAN side IP address are attempting to gain access to block. I believe also that this is a pin hole kind of process as well so if you do want WAN side addresses to have access to the LAN side sources, this is used in this regard, like if you have a server on the LAN side which you want remote WAN side users to have access, then you would allow access from there specific IP addresses thru the firewall.
Title: Re: Beefing up Wireless security
Post by: 02ebz06 on September 14, 2017, 10:19:03 AM
No user community, just me and my local servers for my use only, and other LAN connected devices.

Any idea why it blocked outgoing connections?
Title: Re: Beefing up Wireless security
Post by: FurryNutz on September 14, 2017, 10:25:21 AM
Your range was all inclusive in the configuration so everything got blocked.  ::)



Title: Re: Beefing up Wireless security
Post by: 02ebz06 on September 14, 2017, 10:41:59 AM
Right, but that was WAN to LAN, not LAN to WAN.
Title: Re: Beefing up Wireless security
Post by: GreenBay42 on September 14, 2017, 10:47:10 AM
Correct. You blocked all incoming traffic. Your traffic from your network went out but was not let back in since it is blocked. Since you cannot connect to the internet, the filtering is working :)
Title: Re: Beefing up Wireless security
Post by: 02ebz06 on September 14, 2017, 10:51:16 AM
Yeah, the light came on after I posted that. it is the WAN sending the page to me, not me retrieving it.

So, no way to block intruders unless you know who they are.
Title: Re: Beefing up Wireless security
Post by: GreenBay42 on September 14, 2017, 11:09:25 AM
Well the router does that already. Most incoming traffic (that was not requested by your local network or you hosting a server) is automatically blocked by default. If I have your WAN IP address I cannot just enter your network (unless I was a skilled hacker that knew an exploit).



Title: Re: Beefing up Wireless security
Post by: 02ebz06 on September 14, 2017, 11:12:11 AM
OK, thanks.
Just because I'm paranoid, it doesn't mean they aren't out to get me.   ;D
Title: Re: Beefing up Wireless security
Post by: FurryNutz on September 14, 2017, 11:23:41 AM
You could if you wanted too. Set the systemlog to email you on any notifications to see if any WAN IP addresses show up. IF the logs show attempted WAN side IP addresses, maybe then you can set a rule to block that IP address then.

I've never seen or had any issues from the WAN side on any of my D-Link routers. Been safe and secure using router default settings and configuring SSID and PWs. I do keep FW up to date unless I'm testing something out.  ::)
Title: Re: Beefing up Wireless security
Post by: Gattsu on September 14, 2017, 11:56:23 AM
Any inbound traffic from the WAN side are blocked by default. The only way in is through remote management if enabled, but that is protected with a password.

The other way they can get in, is through the LAN ports but that secured in your house. Just make sure the doors and windows are locked. =)

The third way is wireless but it is already hidden and protected with WPA2 Authentication.

So far no known vulnerabilities with COVR system.
Title: Re: Beefing up Wireless security
Post by: 02ebz06 on September 14, 2017, 12:14:15 PM
You could if you wanted too. Set the systemlog to email you on any notifications to see if any WAN IP addresses show up. IF the logs show attempted WAN side IP addresses, maybe then you can set a rule to block that IP address then.

I've never seen or had any issues from the WAN side on any of my D-Link routers. Been safe and secure using router default settings and configuring SSID and PWs. I do keep FW up to date unless I'm testing something out.  ::)

Right now, I have it going to my Syslog server.  Guess I could write a script to scan it.

Speaking of firmware...

Router says
Current Firmware Version:    1.00, Fri 02 Jun 2017
Current Firmware Date:      2017-06-02 05:20:00

Web site (and in another thread here, says latest is 1.00B19 / 1.00B11 for Ext) with a date of Aug 17, 2017
Since firmware dates are different, I told the router to check for new firmware.
Said I was running the latest.

So, is it newer or not is the question...

=====================================================================================================================================================================

Any inbound traffic from the WAN side are blocked by default. The only way in is through remote management if enabled, but that is protected with a password.

The other way they can get in, is through the LAN ports but that secured in your house. Just make sure the doors and windows are locked. =)

The third way is wireless but it is already hidden and protected with WPA2 Authentication.

So far no known vulnerabilities with COVR system.

Good to know, thanks
Title: Re: Beefing up Wireless security
Post by: FurryNutz on September 14, 2017, 12:35:56 PM
You can manually download the latest from the web site in case it hasn't been posted to the update server...
Title: Re: Beefing up Wireless security
Post by: GreenBay42 on September 14, 2017, 12:36:25 PM
It should be the same firmware (shipping). 

You can see the exact version on the router - 192.168.0.1/version.txt or dlinkrouter.local./version.txt

Title: Re: Beefing up Wireless security
Post by: 02ebz06 on September 14, 2017, 12:43:42 PM
I get "Authetication Fail!" when I try that.
Title: Re: Beefing up Wireless security
Post by: GreenBay42 on September 14, 2017, 12:44:52 PM
Oh really? They might have removed that. Let me find out quick.
Title: Re: Beefing up Wireless security
Post by: GreenBay42 on September 14, 2017, 12:58:52 PM
Looks like you have to log in first. Log in normal and they just do the covr.local./version.txt or ip as in the previous message.
Title: Re: Beefing up Wireless security
Post by: 02ebz06 on September 14, 2017, 01:07:22 PM
covr.local./version.txt    gave me the Authentication fail message but http://192.168.0.1/version.txt  worked.
Doesn't show the EXT version though. Guess you would have to log in there and do same.

Version
Firmware External Version : V1.00
Firmware Internal Version : V1.00b19
Date : 02, Jun, 2017


Thanks, good info to have handy.
Title: Re: Beefing up Wireless security
Post by: GreenBay42 on September 14, 2017, 01:14:04 PM
The firmware on the support site is the same. The date on the website is when it was posted on the website.
Title: Re: Beefing up Wireless security
Post by: 02ebz06 on September 14, 2017, 02:55:56 PM
support.d-link.com shows the August date.

(https://i.imgur.com/wTpxpNc.jpg)
Title: Re: Beefing up Wireless security
Post by: GreenBay42 on September 14, 2017, 03:00:24 PM
correct. That is when it got posted to the support site.  If you look at the release notes it usually has the firmware date.
Title: Re: Beefing up Wireless security
Post by: FurryNutz on September 18, 2017, 01:43:22 PM
http://forums.dlink.com/index.php?topic=72533.0 (http://forums.dlink.com/index.php?topic=72533.0)