Solution to the DSL-500T Router problem
The only DLink ADSL router on the market in Cairo, as of January 2005, is the model DSL-500T. It is sold at around 340 EGP by a DLink distributor at a new computer mall in Heliopolis named Souq El 3asr (brands).
Before buying this model, I heard that there might be some issues with ssh connections. However, I knew that the T models of DLink routers run GNU/Linux, so I didn't bother, since Linux is an open platform we are familiar with and can hack and troubleshoot, up to compiling a new kernel.
I also wanted a model that has an easy to configure firewall.
After configuring the connection, setting everything up and testing web and other services, I decided to set my main PC to the IP address 192.168.1.2 and leave the rest on DHCP. I also decided to port forward the ssh and BitTorrent ports to 192.168.1.2.
The web and all other services were working flawlessly, except for outgoing ssh and outgoing ftp (I didn't test incoming ftp).
I decided to fiddle with the router web interface, removing the port forwarding that I had configured earlier. Nothing changed; I could not ssh or ftp to any machine.
There was no problem connecting through ssh via PuTTY from another Windows box on my network.
Solving the problem
After googling for a while I found several people with the same problem. I also found that users of the DSL-300T had a very similar issue, which was resolved with a single iptables command placed on your Linux box, not on the router. Trying this line did solve the outgoing ftp problem for me.
But I still could not ssh to any box; even the login prompt didn't appear when I tried.
Alaa told me that he would help me solve it.
He telnetted to the router and checked the active iptables rules. One of them explicitly dropped all outgoing ssh connections from 192.168.1.2!
DROP tcp -- 192.168.1.2 anywhere tcp dpt:ssh
We tried changing the IP of his machine from 192.168.1.2 to 192.168.1.4; ssh worked.
He set his IP back to 192.168.1.2 and then deleted this rule.
ssh worked!
The problem now was to find out how the router generates this rule, and to find a way to avoid it. Alaa told me that was my homework.
So I decided to change my PC's IP address, and that's it. I opened the web interface and created a new IP to forward ssh and BitTorrent to. I saved the configuration and restarted the router, all the while watching the iptables rules on the router. After the changes, the annoying rule was gone.
Then I decided to bring things back to 192.168.1.2, so I deleted the 192.168.1.3 entry using the router's interface, configured the port forwarding back to 192.168.1.2, restarted the router and checked iptables. The rule was gone for good.
The DLink DSL-500T/EU V.A1 router/modem has a bug in its CGI web interface that produces wrong iptables firewall rules, and it suffers from the same problem as the DSL-300T regarding ftp packets (more info about it here). Thanks to the choice of Linux, we were able to pinpoint the problem and circumvent it.
DLink has released no firmware update and has given no answer to this problem.
The solution in brief
Fixing the ftp
On your Linux box, as root, run the following (iptables rules do not survive a reboot, so add it to whatever script restores your firewall at boot):
iptables --table mangle --append OUTPUT --jump DSCP --set-dscp 0x0
Fixing the ssh
- Open the web interface.
- Click ADVANCED -> Port Forwarding.
- Create a new IP entry and delete the old one (192.168.1.2).
- Now forward ssh and BitTorrent to it (if you wish).
- Save the configuration.
- Restart the router.
Do the above while telnetting to the router and checking its iptables rules. Note that this is a root login using your web-interface password, sent in clear text over telnet, so only do it from the LAN.
$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1 (192.168.1.1).
Escape character is '^]'.
login: root
password: your-web-interface-password
- Run iptables -L
After the above steps the annoying rule should be gone.