DLink DI-604 router firewall rule disables that config screen

*Vanguard*

Didn't find a more appropriate newsgroup to post this. I've got a DLink
DI-604 NAT router. This is in a home environment. I'm not responsible
nor want to manage the PCs used by other family members. I just want to
manage my PC. As such, I wanted to isolate it on the router from the
other hosts connected to it so I wouldn't have to be concerned about
virus, trojans, or spyware installed on those other PCs. I defined a
rule in the router that isolates my host from any other host connected
to that router but the side effect was that now I cannot edit or delete
any of the firewall rules in the router (without having to reset the
router and lose all of the configuration).

The DLink router provides its own DHCP server used to assign the hosts
connected to it with dynamically assigned IP addresses. The range its
DHCP server can assign IP addresses is 192.168.0.x, where x = 100 to
199. The DLink DI-604 (after updating to its most recent firmware
version) also allows static IP address assignment to hosts
connected to it by their MAC address. This allows firewall rules to be
defined within the router for specific hosts without worrying that later
they may get a different IP address. Right now, mine is the only host
assigned a static IP address of 192.168.0.100. So the IP addresses
currently used are:

router = 192.168.0.1 (fixed)
my PC = 192.168.0.100 (fixed)
other PCs = 192.168.0.101-199 (dynamic)

Normally I should be able to click on the edit icon to select it and
display its settings in the edit fields where I can change them, or I
can click on the delete icon to delete that rule, or click on the
up/down arrows to change its position in the rules list. However, after
defining the following firewall rule in the router, the page for the
firewall rules becomes unusable and I cannot edit, delete, or re-sort
the rules.

Mode = Enabled
Name = "Isolate Lee's host" (my name is Lee, not the hostname)
Source: LAN, IPaddr = 192.168.0.101 to 192.168.0.199, all ports
Target: LAN, IPaddr = 192.168.0.100, TCP & UDP, all ports
Access: Deny
When active: Always

My static IP address is x.x.x.100. All other hosts will be x.x.x.101 to
x.x.x.199 which covers the rest of the range for the router's DHCP
server. The router itself is at x.x.x.1 so it is NOT within the blocked
IP address range. So this firewall rule should prevent any host
connected to the router (but not the router itself) from communicating
to my host. This is what I see occur on my intranetwork. I can still
open the browser to the router and perform all other configurations.
It's just the firewall rules screen that locks up.

So if I now or later want to add more rules, I have to record every
customized setting in the router, reset the router, make the additional
change plus restore all my other settings, and lastly define this
firewall rule to isolate my host on that router from other hosts
connected to that router. A real pain. I don't see that what I am
defining in a firewall rule should disable just the firewall rules
screen in the router. I can still modify the settings in any other
screen for the router. Maybe another set of eyeballs might notice
something stupid that I'm doing. Or maybe it's just some bug in the
Dlink router (I'm still waiting for a response from Dlink).
 
Shenan Stanley

Excuse the lack of an answer here, but I have one question..

Why not just turn on the Windows XP firewall on your machine - thereby
making it all but impossible for your family members (most of them anyway -
and if they can get around that, they could get around the DLink protection
as well) to access the machine?
 
*Vanguard*

"Shenan Stanley" said in news:[email protected]:
Why not just turn on the Windows XP firewall on your machine - thereby
making it all but impossible for your family members (most of them
anyway - and if they can get around that, they could get around the
DLink protection as well) to access the machine?

I'm the only one that has the username and password for the DLink
router. That's because I'm the one that bought the router (and willing
to share it simply because we couldn't get separate cable drops). Yes,
they could walk into my room to reset the router but then they won't
know the password and the next time I access the DLink then I'll know
something is wrong. There will be punishment for tampering.

I already have a software firewall. What you don't realize is that
every connection requires resources on your host even if that connection
gets refused. So why have my host attacked when the hardware already
exists at the router to isolate my host? Why plug the end of the pipe
when you can turn off the valve at the other end and not waste filling
up the pipe with standing water? The router is a switch. Why consume
my bandwidth to the router with traffic from other hosts that I'm going
to deny, anyway? Deflect or block the unwanted traffic as far upstream
as possible, not at the endpoint.

It was because I have a software firewall running on my host that I
could interrogate its logs to discover the unauthorized access attempts.
These weren't just the typical workgroup communications for polling for
resources, UPNP, or the like. A couple times it was a deliberate scan
across all my ports and another was a zombie trying to use the NetBIOS
ports (typical of the NT Messenger Service popup nuisances).

It's not my job to train or punish other adults that don't know how to
keep their computers clean, well, at least, not at home. I don't use
their stuff and they don't use mine. I actually tried to get the cable
company to drop another cable to the house but they won't do that. One
cable per residence and everyone shares it. So we're forced to share
one cable drop. I tried getting DSL but I'm too far away from the CO
(central office), plus the farther you're away the less reliable and the
lower the bandwidth (capacity). The router is my property and I'm being
nice to share it but I'm not so stupid as to waste time with unwanted
traffic from these other mostly unregulated, unmaintained, and often
polluted hosts. I'm neat. Some folks are slobs. To each their own as
long as they don't tread on each other's space.

Let them pollute their own virtual path through the switch (router).
Keep them off my segment. I should be able to do that with the router.
I actually can do that with the router. The firewall rule works. It's
just that after defining it then that particular configuration screen in
the router becomes disabled. Maybe I defined something wrong. Maybe
it's a defect in the router.
 
Jason Tsang

Did you try upgrading the firmware of the router? It might contain a fix
for an issue like this.
 
*Vanguard*

"Jason Tsang" said in news:[email protected]:
Did you try upgrading the firmware of the router? It might contain a
fix for an issue like this.

The last available update is version 2.20 dated way back to August 2003.
I've had the router for about 5 months and checked DLink's web site the
same day as when I bought the router. I downloaded and installed the
v2.20 firmware update. That's why I now can assign static IP addresses
to a particular host according to that host's MAC address. Static IP
address assignment was not available in the prior version. If I didn't
have static IP assignment then I couldn't define stable rules exercised
against a specific host.

There is no newer firmware update than v2.20 from August 2003.
 
CapFusion

Vanguard,

You have some options, like adding another cheapo switch between your
router and the cable/DSL modem gateway, if your gateway modem has only
one LAN port. If it has multiple ports, then you can separate your LAN and
theirs. Or have another router for them.

This way, you have two LANs. LAN 1 for you, LAN 2 for them. You do not have to
worry.
LAN 1
Modem Gateway > Router > LAN
LAN 2 [straight]
Modem Gateway > LAN
or
LAN 2 [w/router]
Modem Gateway > Router > LAN

Whatever happens on LAN 2 will not go to LAN 1 since your router is
protecting its end.
Do you get the idea?

CapFusion,..
 
*Vanguard*

"CapFusion" said in news:[email protected]:
Vanguard,

You have some options, like adding another cheapo switch between
your router and the cable/DSL modem gateway, if your gateway modem
has only one LAN port. If it has multiple ports, then you can separate
your LAN and theirs. Or have another router for them.
Do you get the idea?

Well, if I get you straight (it was a bit tough to figure out what you were
trying to say), you are suggesting putting a switch upstream of the
router. The switch would be between the router and the cable/DSL modem.
Then all other local hosts would get blocked by the router since they
would appear external to the intranet on the LAN side of the router.
Yeah, that would work, and I do have a switch lying around, except then
none of the other local hosts get the protection afforded by the
firewall within the router. In effect, all local hosts connected to the
switch would be in a DMZ segment that would be open to attack on the WAN
side of the router.

I did figure a fix for the freeze up of the firewall screen in the
DLink. It is a workaround since obviously it should not be required. I
define all the other firewall rules. Then I define a firewall rule that
lets my host (using its static IP address) always be allowed a
connection to the router (using its IP address in the firewall rule).
Only *after* defining that rule do I then define a firewall rule that
blocks all LAN-side hosts with IP addresses from the router's DHCP
server (other than my own) from connecting to my host. So I end up
with:

Name: Allow me to router
Status: Enabled
Mode: Allow
Source: LAN, IP = 192.168.0.100 (me)
Target: LAN, IP = 192.168.0.1 (router)
When: Always

After the above gets defined, then I define:

Name: Isolate me from others
Status: Enabled
Mode: Deny
Source: LAN, IP = 192.168.0.101 to 192.168.0.199 (DHCP range of router)
Target: LAN, IP = 192.168.0.100 (me)
When: Always

So I still have the same rule that I had before where all other hosts
that can get an IP address from the router's DHCP server will be blocked
from my host which gets a static IP address (so it remains fixed since
there is no other way to identify me in the router's firewall rules).
However, now I have the firewall rule that lets me and the router
always connect without restraint - but that should have been the situation
before. Since the Deny rule specifies only those hosts by IP address
that the router can possibly assign (from 101 to 199, with me as 100),
the router's IP address would never have been included in the firewall
rule. Go figure.
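To make the rule logic in this thread concrete, here is an added example (not from the thread, and not D-Link's code) that models Vanguard's two rules as a first-match rule list and checks that every DHCP-pool address is denied to 192.168.0.100 while the router and that host can still talk. How the real DI-604 actually orders and matches rules is an assumption of the model, not something the thread establishes.

```python
from ipaddress import IPv4Address
from typing import List, NamedTuple, Optional, Tuple

# Constructed model of the LAN described in the thread.
LAN_BASE = IPv4Address("192.168.0.0")
ROUTER = IPv4Address("192.168.0.1")
ME = IPv4Address("192.168.0.100")          # the static address of Lee's PC


class Rule(NamedTuple):
    name: str
    action: str          # "allow" or "deny"
    src_lo: IPv4Address
    src_hi: IPv4Address
    dst_lo: IPv4Address
    dst_hi: IPv4Address


def in_range(addr: IPv4Address, lo: IPv4Address, hi: IPv4Address) -> bool:
    return lo <= addr <= hi


def evaluate(rules: List[Rule], src: IPv4Address, dst: IPv4Address,
             default: str = "allow") -> Tuple[str, Optional[str]]:
    """First-match evaluation (an assumption about the router): return the
    action and the name of the rule that matched, or the default if none did."""
    for r in rules:
        if in_range(src, r.src_lo, r.src_hi) and in_range(dst, r.dst_lo, r.dst_hi):
            return r.action, r.name
    return default, None


# The two rules from the workaround post, in the order they were defined.
ALLOW_ME_TO_ROUTER = Rule("Allow me to router", "allow", ME, ME, ROUTER, ROUTER)
ISOLATE_ME = Rule("Isolate me from others", "deny",
                  LAN_BASE + 101, LAN_BASE + 199, ME, ME)
WORKAROUND = [ALLOW_ME_TO_ROUTER, ISOLATE_ME]


def dhcp_pool_hosts() -> List[IPv4Address]:
    """The router's DHCP range, 192.168.0.101 through 192.168.0.199."""
    return [LAN_BASE + i for i in range(101, 200)]


def check_isolation(rules: List[Rule]) -> bool:
    """True when all DHCP-pool hosts are denied to ME and the router and ME
    are still allowed in both directions."""
    pool_blocked = all(evaluate(rules, h, ME)[0] == "deny" for h in dhcp_pool_hosts())
    router_to_me = evaluate(rules, ROUTER, ME)[0] == "allow"
    me_to_router = evaluate(rules, ME, ROUTER)[0] == "allow"
    return pool_blocked and router_to_me and me_to_router
```

Running `check_isolation([ISOLATE_ME])` also returns True, which mirrors Vanguard's observation: with 192.168.0.1 outside the 101-199 range, the Deny rule alone never matched router traffic, so the extra Allow rule changes nothing in this model.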
 
