Solved

DLINK NetDefend DFL-800 is Blocking Websites

Posted on 2008-06-24
Last Modified: 2013-11-16
Hi, I have a DFL-800 running as my primary gateway for internet access and VPN router. The problem I have is that it is blocking some websites. I can't find anything in the logs, and I haven't set up any ALG rules to block websites. It seems to be some kind of web content filtering, but I can't find where to set that up. Help
Question by:DoradoITTeam
17 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 21868543
Have you configured "Content Filtering" under Firewall? What are the settings for:
"Active content handling:"

Can you disable all the checkboxes and see if that allows you to view the websites?

Please check and update.

Thank you.
 

Author Comment

by:DoradoITTeam
ID: 21868605
I'm sorry, but can you tell me where that option is?
 
LVL 32

Expert Comment

by:dpk_wal
ID: 21868678
After logging in to the router:
Click Firewall -> at the bottom left you should have a Content Filtering button; when you click that, do you see the options I listed?

I am actually logged on to an emulator on the D-Link website, as I do not have a DFL-800; I am looking at the DFL-700 emulator.

Please let me know if you see the options.

Thank you.
 

Author Comment

by:DoradoITTeam
ID: 21868888
The DFL-700 emulator is very different from the DFL-800 web UI. Below is a link for the DFL-800 firmware 2.12 emulator; 2.20 is very similar, but with new features.

   http://security.dlink.com.tw/demo/2_12_00_Normal/index.html

I don't see any content filtering options besides the ALG rules, and I haven't enabled those.

Thank you.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 21868964
Thank you for the correct emulator link; yes, it is far better than the 700.

So, do you have the default rule all_tcpudp allowing traffic out, or have you created a custom rule?

I read that you have not enabled ALG; what about Zone Defense, anything under the exclude list or block? Also, do you have IDP enabled? By default IPS_HTTPS is enabled, I think; can you set it to ignore and check if that helps anything?

Please check and update.

Thank you.
 

Author Comment

by:DoradoITTeam
ID: 21869109
Hi,

Yes, I have the default rule all_tcpudp allow, and I haven't set up Zone Defense at all. I have some IDP rules.

These are the IDP rules, in order:

    Name              Action    Port
    allow_msn_IDP     Audit     1863
    allow_email_IDP   Audit     25,110,143
    allow_aol_IDP     Audit     5190-5193
    deny_p2p_IDP      Protect   All services

For all of them the IDP signature is FROM_INT_P2P. I tried adding one rule for port 80 and it did not work; I also disabled all of them and got the same result.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 21871682
Can you do a test? From a command prompt, issue the command:
nslookup <website-name.com> <your-DNS-server-ip>

Here, the website name should get resolved, and you should get output something like below:
Non-authoritative answer:
Name:    <website-name>
Address:  <ip-address-of-website>
Aliases:  <if-any>

Once this is successful, proceed to the command below [please remember, if the above does not give results then do not proceed, as we have a DNS problem on our hands]:

ping -f -l 1500 <website-name.com>

Here, website-name.com is one of the websites you have difficulty accessing. It can be the website used above. You might get output like:
Packet needs to be fragmented but DF set.

If you get the above output, decrease the size (the value for -l) by 100 till you get replies; now play around a bit (increase/decrease) with the value and find the optimum (maximum) value at which you get replies.

The value you find above is the MTU we should set on the machine or router.

Please update about the results, and we can then work on it based on the results.

Thank you.
 

Author Comment

by:DoradoITTeam
ID: 21875763
Hi,
   
Nslookup results:
 
C:\Documents and Settings\josue.haros>nslookup
Default Server:  dc-sfnet.sfnet
Address:  10.0.1.2

> www.fonatur.gob.mx
Server:  dc-sfnet.sfnet
Address:  10.0.1.2

Non-authoritative answer:
Name:    www.fonatur.gob.mx
Address:  200.78.217.13

Ping results:

C:\Documents and Settings\josue.haros>ping -f -l 1500 www.fonatur.gob.mx

Pinging www.fonatur.gob.mx [200.78.217.13] with 1500 bytes of data:

Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 200.78.217.13:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

I changed from 1500 to 100, but got request timed out.

Thank you.
LVL 32

Expert Comment

by:dpk_wal
ID: 21875967
I meant decrementing 1500 by 100 each time, so:
1400, and then 1300, and then 1200; when you start getting replies, increment the value to get to the optimum value.

Please let me know the results.

Thank you.
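The probing procedure dpk_wal describes above (ping with DF set, step the size down until replies appear, then step back up to the maximum) is a manual path-MTU discovery, and its two failure modes both show up in this thread: a target that never answers at any size (it filters ICMP, so it cannot be used as a probe target) and sizes that simply time out instead of producing "needs to be fragmented" (a hop that drops the oversized packet without sending ICMP back). The script below is an added example, not from the original thread or from D-Link, that automates the search as a binary search and handles both cases. Note that `ping -f -l N` (Windows) and `ping -M do -s N` (Linux) set the ICMP payload size; the IPv4 and ICMP echo headers add 28 bytes, so the MTU to enter on the interface is the largest working payload plus 28, not the payload itself. The `simulated_probe` function is a constructed stand-in that models a 1300-byte path MTU so the search runs offline; the flag names and output strings for `ping` are the standard ones on those two platforms.

```python
"""Path MTU probe: binary search for the largest DF-marked ICMP payload that
gets a reply, then convert it to the interface MTU.

Added example, not from the original thread.  Assumptions: IPv4, the Windows
`ping -f -l` / Linux `ping -M do -s` flags, and that a probe which times out
once a smaller size has replied means "too big" (a PMTU black hole), which is
how the thread interpreted the 1300- and 1400-byte timeouts.
"""
import re
import subprocess
import sys
from typing import Callable, Optional

# ping -l / -s give the ICMP payload size; the IPv4 header (20) and the ICMP
# echo header (8) sit on top of it, so the MTU to configure is payload + 28.
IP_ICMP_OVERHEAD = 28


def classify(output: str) -> str:
    """Map ping output to 'reply', 'needs_frag' or 'timeout'.

    'needs_frag' is the local stack (or a router) refusing a DF packet larger
    than a known MTU; 'timeout' is silence, which is what a black-holed packet
    and an ICMP-filtering host both look like.
    """
    text = output.lower()
    if ("needs to be fragmented" in text        # Windows
            or "frag needed" in text            # Linux, ICMP from a router
            or "message too long" in text):     # Linux, local MTU exceeded
        return "needs_frag"
    if re.search(r"bytes=\d+\s+time", text) or re.search(r"\d+ bytes from", text):
        return "reply"
    return "timeout"


def ping_probe(host: str, payload: int, timeout_s: int = 2) -> str:
    """Send one DF-marked echo request of `payload` bytes and classify the result."""
    if sys.platform.startswith("win"):
        cmd = ["ping", "-f", "-l", str(payload), "-n", "1",
               "-w", str(timeout_s * 1000), host]       # -w is milliseconds
    else:
        cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1",
               "-W", str(timeout_s), host]              # -W is seconds
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return classify(proc.stdout + proc.stderr)


def find_max_payload(probe: Callable[[int], str],
                     lo: int = 32, hi: int = 1472) -> Optional[int]:
    """Binary-search the largest payload in [lo, hi] that gets a reply.

    Returns None when even `lo` gets no reply: the host drops ICMP (as the
    first target in the thread did), so it cannot serve as a probe target.
    """
    if probe(lo) != "reply":
        return None
    if probe(hi) == "reply":
        return hi
    while hi - lo > 1:          # invariant: lo replies, hi does not
        mid = (lo + hi) // 2
        if probe(mid) == "reply":
            lo = mid
        else:
            hi = mid
    return lo


def payload_to_mtu(payload: int) -> int:
    """Interface MTU to set for a given maximum working ICMP payload."""
    return payload + IP_ICMP_OVERHEAD


def simulated_probe(path_mtu: Optional[int],
                    local_mtu: int = 1500) -> Callable[[int], str]:
    """Constructed offline stand-in for ping_probe.

    path_mtu=None models a host that silently drops all ICMP; sizes between
    the path MTU and the local MTU time out, as a black hole would.
    """
    def probe(payload: int) -> str:
        if payload + IP_ICMP_OVERHEAD > local_mtu:
            return "needs_frag"                 # local stack refuses to send
        if path_mtu is not None and payload + IP_ICMP_OVERHEAD <= path_mtu:
            return "reply"
        return "timeout"                        # black hole or ICMP filtered
    return probe


if __name__ == "__main__":
    # Usage: python pmtu_probe.py www.yahoo.com   (no argument = simulation)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    probe = (lambda n: ping_probe(target, n)) if target else simulated_probe(1300)
    best = find_max_payload(probe)
    if best is None:
        print("no reply even to a small probe: host filters ICMP, pick another target")
    else:
        print(f"max payload {best} bytes -> set interface MTU to {payload_to_mtu(best)}")
```

Run against a host that answers small pings; with the thread's numbers (1200 replies, 1300 times out) the search would converge somewhere in 1200..1299, and the interface MTU to set is that payload plus 28. A target that times out at every size, like the first one tried in the thread, tells you nothing about the MTU and must be swapped for one that answers.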
 

Author Comment

by:DoradoITTeam
ID: 21876265
I made the test for 1400, 1300 and 1200, and all I get is request timed out; it seems that the web server is blocking ICMP. I have an alternate gateway (a small DSL router; with this I can see the websites). I pinged using this gateway and got the same results.

Thank you.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 21876729
Please use www.yahoo.com instead; we want to see if this is an MTU issue.

Thank you.
 

Author Comment

by:DoradoITTeam
ID: 21877041
OK, I tried with Yahoo; these are the results:

1500:
C:\Documents and Settings\josue.haros>ping -f -l 1500 www.yahoo.com

Pinging www.yahoo-ht3.akadns.net [209.131.36.158] with 1500 bytes of data:

Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 209.131.36.158:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

1400:
C:\Documents and Settings\josue.haros>ping -f -l 1400 www.yahoo.com

Pinging www.yahoo-ht3.akadns.net [209.131.36.158] with 1400 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 209.131.36.158:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

1300:

C:\Documents and Settings\josue.haros>ping -f -l 1300 www.yahoo.com

Pinging www.yahoo-ht3.akadns.net [209.131.36.158] with 1300 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 209.131.36.158:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

1200:

C:\Documents and Settings\josue.haros>ping -f -l 1200 www.yahoo.com

Pinging www.yahoo-ht3.akadns.net [209.131.36.158] with 1200 bytes of data:

Reply from 209.131.36.158: bytes=1200 time=47ms TTL=49
Reply from 209.131.36.158: bytes=1200 time=47ms TTL=49
Reply from 209.131.36.158: bytes=1200 time=47ms TTL=49
Reply from 209.131.36.158: bytes=1200 time=65ms TTL=49

Ping statistics for 209.131.36.158:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 47ms, Maximum = 65ms, Average = 51ms

I also tried with 1250; same result as 1200.

Thank you.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 21882506
Please find the optimum value; try values between 1250 and 1300 [the higher the value you get, the better]. After that, in the router configuration page go to:
Interfaces->Ethernet->wlan1->Advanced->MTU settings; put in the value you find.
In the above, select wlan1 or wlan2 as the case may be.

Now check if you can access the website you had problems accessing.

Please check and update.

Thank you.
 

Author Comment

by:DoradoITTeam
ID: 21917366
Sorry for the delay; I tried 1250, 1260, 1270, 1280, 1290 and 1300, and none of those worked. Could it be a firmware problem?
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 21918425
I don't think I made myself clear; first you need to find the maximum value for which you are getting replies when using the ping command.
Once you have the maximum value, you then change the value in the router and test if this solves the issue.

Upgrading the firmware is always advised, so as to have the latest.

Thank you.
 

Author Comment

by:DoradoITTeam
ID: 22040320
I'm sorry for the late answer, but I called D-Link tech support, upgraded the firmware and moved TCP Idle Lifetime from 462,000 to 300, and now it is working.

Thank you for all your help; I really appreciate the time you took to help me.
