Author Topic: DIR 626L Shareport Guide  (Read 10799 times)

network1027

DIR 626L Shareport Guide
« on: June 18, 2014, 02:15:03 AM »

This article will explore the D-Link DIR 626L Shareport function, and the related issues : DLNA, network topologies, security. The DIR-626L is a neat 40 $/€ feature-rich router, with complete IPv6 capabilities.

(Network Picture N1a.gif )

Tested with DIR-626L rev A

The DIR 626L Firmware tested here is : FW v1.03

The SharePort Mobile App version is : June 12 2014

 
1. The USB Shareport


The USB SharePort™ supports FAT32 and NTFS, with a 500GB limit.


There are two menu categories related to the Shareport functions :


    . Media Server
    . Shareport

 

2. The Media Server


There are only two options here :


. Enable / Disable
. Media Server name

All media added on the USB Shareport ( USB dongle or USB-HDD ) will be published by the DLNA Server.
The DLNA catalogue is re-indexed when the DIR-626L reboots. You need to reboot to have newly added media indexed instantly. ( Waiting a little while seems to trigger the re-indexing automatically too )


The Media Server is independent from network share permissions (Shareport Menu ). Everything is read-allowed. There is no restriction.

The Media server can't be accessed from WAN / there is no option for this.

The DLNA access is very intuitive :

Under Windows ( Windows7+ ) go to network places.
Ubuntu / Gnome3 has no native tools yet.  Still VLC is a good DLNA client.


Do note that DLNA only streams media files ( video, audio and pictures ); documents ( .doc, .rtf, .txt, .pdf ) are not supported. Furthermore, some media formats are not supported ( ex : .gif files are not supported here )

The DIR-626L is certified DLNA version 1.5

Understanding DLNA

DLNA is short for Digital Living Network Alliance. It is an access API, for system and vendor independence, but the files are downloaded, as with a regular http access ( mp3, ... ), it is not a netcast.
DLNA's aim is to offer simplified media sharing/interoperability.

DLNA is derived from UPnP. It is more restrictive than UPnP (less media formats supported ) and adds some features (like copy protection, DRM, ...).

It defines a standard for moving movies, photos, music and other media from device to device. One of its aims is to be zeroconf.


More finely, DLNA defines three concepts/roles : Server, Renderer, and Controller :

Server : content storage

Renderer : displaying the movie, playing the music, ...

Controller : Remote Control ( may be part of the renderer, or be a separate entity : Tablet, Smartphone, ... )

 

Theoretically, DLNA messages have a TTL of 4, thus supporting a few hops. In practice, I haven't seen any multi-hop ( i.e. cross-router ) implementation or success.

Finally, here are the supported media ( source www.dlna.org ) :

( DLNA Chart 1: N1i.gif )
( DLNA Chart 2: N1j.gif )
 

 

3. The Shareport Menu

The Shareport menu is where we can do all the management : ports used, users, permissions, shares, wan access, ...

 

The first section is to allow shareport, setup http and https ports, and allow/disallow remote access :


Web file Access : Enable / Disable ( basic switch for the http/https access )
HTTP port
HTTPS port
Allow Remote Access : Enable / Disable ( allows Wan access )

The default port for HTTP is 8181 and for HTTPS is 4433.

 

User management section :


Besides the default accounts :
. admin account ( read/write on all folders )
. guest account ( read access on (no folder yet ) )
We can create additional users with passwords, modify passwords, or delete users.

Passwords are 15 characters long maximum, and support special characters ( except for the SharePort Mobile App, see below ).


Shares and permissions section :

If the guest account or new users are to be used, shares permissions are to be created, to give permissions ( read, read/write, ..) and scope ( folders accessed ) .

 
Do note a slightly tricky aspect : after creating/modifying a user, you have to hit the 'SAVE' button at the top of the page, or the changes will be discarded. The same goes for share-point permissions.
So you have to Add/Edit/Modify/Delete+SAVE
 

4. Enhanced Security: using custom ports

For better security, it is wise to change the default ports.

First, a few notes about ports selection :

 

quote : " The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources. It is good practice to follow their port assignment guidelines. Having said that, port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic and/or Private Ports. The Well Known Ports are those from 0 through 1023 and SHOULD NOT be used. Registered Ports are those from 1024 through 49151 should also be avoided too. Dynamic and/or Private Ports are those from 49152 through 65535 and can be used. Though nothing is stopping you from using reserved port numbers, our suggestion may help avoid technical issues with port allocation in the future. "
see http://www.iana.org/assignments/port-numbers


We won't use well known ports (  0-1023 ), nor registered ports ( Ports 1024-49151 ). Let's change the default settings to use private ports. We pick them randomly in the 49152-65535 range.
I use an OpenCalc Spreadsheet for easy and fast random draws. The OpenCalc formula for private ports used here is : =ENT(ALEA()*16384+49152)

Hold F9 to roll the dice :
( OpenCalc Picture : calcb.gif )

( Do note that this formula is simplistic, as it is not even time-seeded. Use seeded formulas for better entropy ).

 

 

5. Practical Example : Lan Access

Let's check the Local ( Lan ) functioning, using a PC and a Tablet as clients :

 

 
( Network Picture 1 : N1a.gif )

Using a web browser, the Web File storage is accessed using ( with 192.168.2.1 as the DIR-626L LAN IP, keeping default ports ) :

Using these addresses for IPv4 :

http://192.168.2.1:8181
https://192.168.2.1:4433

Using these addresses for IPv6 :

http://[2001:db8:0:2::1]:8181

https://[2001:db8:0:2::1]:4433

 

 

HTTPS is functioning OK, and IPv6 is supported.

Still, two issues quickly arise :

Uploading files

Using browser access, or the D-Link SharePort Mobile App, only allows uploading one file at a time.
DLNA gives no write access.

What are the options to upload multiple files at once ( like a music album ) ?

One solution is to turn off the router, take out the USB dongle and plug it into a computer.

Another solution, that is quite worrisome to me, is through smb :
You just manually access or map the drive using :

\\192.168.2.1\                                  ( for Windows )

smb://192.168.2.1/                          ( for Linux or Mac )


There is no login, and it gives all read/write access over the whole storage space.
It doesn't seem to leak to the WAN side still.

 

The DLink SharePort Mobile App

Besides the Web GUI, D-Link provides an iPhone/Android App. There are a number of limitations to the SharePort Mobile App :


1. The https port doesn't seem supported ( thus no crypto !! )
2. It doesn't seem to support IPv6
3. It doesn't work with passwords using special characters ( only numbers+ letters upper/lower cases ). Maximum length : 15.

The positive aspects :
1. It does use credentials

 

 

6. Practical Example : Local Wan Access

Let's check the Local Wan functioning, staying inside the Home Network, using a Tablet as client :

 

 
( Network Picture 2 : N1b.gif )

Nothing much changes here, we just have to allow WAN access in the Shareport Menu.

One funny interesting and very logical TIP to note :

Using the DIR 626L WAN IP in our browser/app settings allows the Tablet to freely roam through both subnets, as :

. When on the Wan side of the DIR 626L, the tablet accesses the Wan IP

. When on the Lan side, the tablet just crosses the router to reach its Wan side

Thus no reconfiguration is needed.

 

 

7. Practical Example : Remote (Internet) Wan Access

Let's check the Global Wan functioning, accessing from the Internet using a Tablet as client :
( Network Picture 3 : N1c.gif )

Nothing changes from the In-Network Wan access, except that we need some port forwarding for IPv4. As for IPv6, we only need to take care of our Internet Gateway's firewall.

As a quick reminder, here is the port forwarding topology. Notice we did choose random, private ports for the Internet Gateway to forward :

 
( Network Picture 4 : N1d.gif )

Everything works OK, and as expected.

Using these addresses for IPv4 :

http://203.0.113.27:53546
https://203.0.113.27:54505

Using these addresses for IPv6 :

http://[2001:db8:0:1::254]:53546

https://[2001:db8:0:1::254]:54505

 

The SharePort Mobile App still doesn't support the https port, nor IPv6.

 

 

8. Security Issues

 

We finish our tour with security issues, in the Wan Internet Access scenario, for the three types of access ( Web HTTP, Web HTTPS, SharePort Mobile App ).

As a reminder, here is what is to be expected from HTTP and HTTPS :

HTTP Web Access :

          login : cleartext

          password : cleartext

          data confidentiality : no

          data integrity : no

 

HTTPS Web Access :

          login : encrypted

          password : encrypted

          data confidentiality : yes

          data integrity : yes

 

Because the SharePort Mobile App uses only the HTTP port, it is tied to its fundamental insecurity.

 

 

9. Final Thoughts

 

The DIR 626L is a great little piece of hardware for a first step into the world of network storage technologies, being fitted with full IPv6 capability and an intuitive, easy-to-use firewall.

My only concerns come from the SharePort Mobile App and the SMB access :

While really cool and fun to use, the SharePort Mobile App doesn't support IPv6. It doesn't support special characters in passwords. Worse, it isn't able to use the https port. For all these reasons, I deem it totally insecure, and unfit for any Wan use. As for using it inside your personal Lan, it's your choice ( and depends on the amount of trust you have in your Lan security ). Waiting for an update of this app.

As for the Open SMB access, it defeats any Lan-side user management. As much as it may be a welcome solution to the 'uploading multiple files at once' problem, it creates a real Lan insecurity, as any Lan host may write and delete any files and folders. You have again to be trusting your Lan.

So I'm waiting for an update to the App and to the DIR-626L Firmware, to perfect this great piece of hardware.

 

 

 
« Last Edit: September 10, 2014, 02:14:24 PM by FurryNutz »
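
Added example, not part of the original post and not D-Link code: a Python sketch of two checks the guide describes, drawing the custom ports of section 4 from the OS CSPRNG instead of a spreadsheet, and testing which Shareport services answer from the machine it runs on (sections 5 to 7). The function names are hypothetical; the router IP 192.168.2.1 and ports 8181/4433 are the guide's values, and 445/139 are assumed as the standard SMB ports.

```python
import secrets
import socket

PRIVATE_FIRST, PRIVATE_LAST = 49152, 65535   # IANA dynamic/private range quoted in section 4

def iana_range(port):
    """Name the IANA range a TCP port falls in."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a TCP port: {port}")
    if port <= 1023:
        return "well-known"
    return "registered" if port < PRIVATE_FIRST else "private"

def draw_private_ports(count, exclude=()):
    """Draw `count` distinct private ports from the OS CSPRNG, skipping `exclude`."""
    span = PRIVATE_LAST - PRIVATE_FIRST + 1      # 16384, the span used by the spreadsheet formula
    taken = set(exclude)
    free = span - sum(1 for p in taken if PRIVATE_FIRST <= p <= PRIVATE_LAST)
    if count > free:
        raise ValueError("not enough free private ports")
    drawn = []
    while len(drawn) < count:
        port = PRIVATE_FIRST + secrets.randbelow(span)
        if port not in taken:                    # reject duplicates and excluded ports
            taken.add(port)
            drawn.append(port)
    return drawn

def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds (IPv4 or IPv6 literal)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                              # refused, filtered, unreachable, timed out
        return False

def exposure_report(host, services):
    """Map service name -> reachable, for a {name: port} dict, as seen from this machine."""
    return {name: tcp_open(host, port) for name, port in services.items()}

if __name__ == "__main__":
    http_port, https_port = draw_private_ports(2)
    print("new HTTP port:", http_port, "new HTTPS port:", https_port)
    # Assumed values: the guide's LAN IP and default ports, plus the standard SMB ports.
    services = {"http": 8181, "https": 4433, "smb": 445, "netbios-ssn": 139}
    for name, is_open in exposure_report("192.168.2.1", services).items():
        print(f"{name:12} {'OPEN' if is_open else 'closed/filtered'}")
```

Running the report once from a LAN host and once from a host on the WAN side of the DIR-626L (with the WAN address substituted) shows which services each side can actually reach.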