Solution to the DSL-500T Router problem

whirlpool's picture

The only DLink ADSL router in the market, as of January 2005, in Cairo is the model DSL-500T. It is sold at around 340 EGP from a DLink distributor at a new computer mall in Heliopolis named Souq El 3asr (brands).

Before buying this model, I heard that there might be some issues with ssh connections. However, I knew that T models of DLink routers run GNU/Linux, so I didn't bother, since Linux is an open platform that we are familiar with and that we can hack and troubleshoot, up to compiling a new kernel.

I also wanted a model that has an easy to configure firewall.

The problem

After configuring the connection, setting everything up and testing web and other services, I decided to set my main PC to IP address 192.168.1.2 and leave the rest as DHCP. I also decided to port forward ssh and bittorrent ports to 192.168.1.2.

The web and all other services were working flawlessly, except for outgoing ssh and outgoing ftp (I didn't test incoming ftp).

I decided to fiddle with the router web interface, removing the port forwarding that I configured earlier. Nothing changed. I could not ssh or ftp to any machine.

There was no problem when connecting through ssh via PuTTY on another Windows box in my network.

Solving the problem

After googling for a while I found several people with the same problem. I also found that users of the DSL-300T had a very similar issue, but it was resolved with a single iptables command to be placed on your Linux box and not in the router. Trying this line did solve the outgoing ftp problem for me.

But I still could not ssh to any box. Even the login prompt didn't appear when I tried ssh.

Alaa told me that he would help me solve the thing.

He telneted to the box and checked the active iptables rules. One of them explicitly dropped all outgoing ssh connections from 192.168.1.2!

DROP     tcp  --     192.168.1.2      anywhere       tcp dpt:ssh

We tried to change the IP for his machine from 192.168.1.2 to 192.168.1.4; ssh worked.

He set his IP back to 192.168.1.2 and then deleted this rule.

ssh worked!

The problem now is to know how the router makes this rule and find a way to avoid it. Alaa told me it was my homework.

So I decided to change my PC's IP address and that's it. So I opened the web interface and created a new IP to forward ssh and bittorrent to. I saved the configuration and restarted the router, all this while I was spying on the iptables rules on the router. After the changes the annoying rule was deleted.

I decided to bring things back to 192.168.1.2. So I deleted the 192.168.1.3 using the router's interface, configured the port forwarding back to 192.168.1.2, restarted the router and checked iptables. The rule has gone forever.

ssh worked.

Conclusion

The Dlink DSL-500T/EU V.A1 router modem has a bug in its CGI web interface that produces wrong iptables firewall rules. It also suffers from the same problem that the DSL-300T suffers regarding ftp packets; more info about it here. Thanks to the choice of using Linux, we were able to point out the problem and circumvent it.

DLink has no firmware updates nor any answer to this problem.

The solution in brief

Fixing the ftp

On your Linux box, as root, type this:

iptables --table mangle --append OUTPUT --jump DSCP --set-dscp 0x0

Fixing the ssh

  • Open the web interface.
  • Click ADVANCED -> Port Forwarding.
  • Create a new IP and delete the old one (192.168.1.2).
  • Now forward ssh and bittorrent (if you wish).
  • Save the configuration.
  • Restart the router.

Do the above while telnetting and checking the iptables rules on the router.

$telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1 (192.168.1.1).
Escape character is '^]'.
login: root
password: your-web-interface-password
# iptables -L

After the above steps the annoying rule should be gone.
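
To check a saved copy of the router's `iptables -L` output for the kind of rule described above, something like the following can be used. It is an added example, not part of the original post: the sample listing is constructed (only the DROP line comes from the post, and the chain it sits in is an assumption), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag DROP rules in `iptables -L` output whose source is a
# single LAN host, like the rule the router's web interface generated.

# Constructed sample listing; only the DROP line is taken from the post.
# Placing it in the FORWARD chain is an assumption made for illustration.
sample_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.1.2        tcp dpt:ssh
DROP       tcp  --  192.168.1.2          anywhere           tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

# find_host_drops HOST: read a listing on stdin and print "chain: rule" for
# every DROP rule whose source column (4th field) is exactly HOST.
find_host_drops() {
    awk -v host="$1" '
        $1 == "Chain" { chain = $2; next }   # remember the current chain
        $1 == "DROP" && $4 == host {
            sub(/[ \t]+$/, "")               # trim trailing whitespace
            print chain ": " $0
        }
    '
}

# count_host_drops HOST: number of matching rules (0 means the rule is gone).
count_host_drops() {
    find_host_drops "$1" | wc -l | tr -d ' '
}

# Show the offending rule in the constructed sample.
sample_listing | find_host_drops 192.168.1.2
```

On the real router, save the `iptables -L` output from the telnet session to a file before and after the restart and pipe each copy through `find_host_drops` with your PC's address.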

Links

http://www.magwag.plus.com/jim/tips-300t.html

Comments

Alaa's picture

now we need a guru

now we need a network guru to tell us what one loses by setting TOS value for ftp packets to 0??

the ftp solution is not a solution, it's a hack, there is a bug somewhere responsible for this.

whirlpool, I suggest you try to give other tcp traffic TOS 10 and see if you'll face similar problems.

this was a case study in how statistics and correlation are not enough to diagnose problems, whirlpool originally thought that ssh connections from putty worked fine (correct but it turned out it was because of the IP).

cheers,
Alaa


http://www.manalaa.net "i`m feeling for the 2nd time like alice in wonderland reading el wafd"

ezabi's picture

Interesting

I'm no guru, but I tried researching a little bit into this TOS thingie and it's quite interesting.
First of all, here we're not dealing anymore with ToS, it's dscp; it performs the same function but provides greater flexibility, and dscp enabled devices are of course backward compatible with ToS enabled ones.

Now the fact that we set the dscp value of the FTP traffic to 0x0 is somehow irrelevant because FTP traffic usually has the lower priority, so explicitly specifying that it has the lowest has no indication.
It would be interesting to see the effect of increasing not other tcp traffic but FTP traffic to 10 (0xa) and see what happens: would the peer accept that or not?

Alaa's picture

shorewall TOS rules

I did not research TOS at all, but shorewall has a tos file; here is what it says:


TOS
Type of service. Must be one of the following:
  • Minimize-Delay (16)
  • Maximize-Throughput (8)
  • Maximize-Reliability (4)
  • Minimize-Cost (2)
  • Normal-Service (0)

cheers,
Alaa


http://www.manalaa.net "i`m feeling for the 2nd time like alice in wonderland reading el wafd"

whirlpool's picture

yes we do need one

now we need a network guru... whirlpool, I suggest you ...

ahem, sorry I don't classify as one.


http://whirlpool.foolab.org

Alaa's picture

but you can do an experiment

I know you're not a network guru, what I'm saying is give say the HTTP packets TOS or DSCP or whatever value 10 and see if you'll fail to connect to websites or not.

I'm trying to find out if the DSL-500T barfs on TOS 10 or if it is another more specific thing.

cheers,
Alaa


http://www.manalaa.net "i`m feeling for the 2nd time like alice in wonderland reading el wafd"

There is an update for DSL-50

There is an update for DSL-500T on Dlink's Russian site, ftp://ftp.dlink.ru/pub/ADSL/DSL-500T/Firmware/. It is dated 24/12/2004.

Problem with login

I did update for my 500T Firmware for the first time to it and to me, and I uploaded one of the files but don't remember which one exactly. After rebooting and successful upgrade the router config page logged off and is waiting for the password; whenever I enter the password as admin and user admin it informs that it's invalid, and it's the same with my old password. May anybody help me with what I shall do??

whirlpool's picture

warning

The Russian firmware is unofficial. And there is nothing describing what it fixes in English. I think it is safer to fix the router the way it is described above in the original post.


Mostafa Hussein

re: problem with login

I guess that when you updated the firmware, your password was reset to defaults: "admin:admin", not your "admin-custom password". Try that; if not, you can reset your modem to defaults with the old firmware and get back to the old days!
