Jump to content

Recommended Posts

Posted (edited)

Just thought I would point out after buying one of these, that if you have devices that run on 11b or 11g and those devices only support WEP, then this latest Netgear offering is not for you.

 

An example being. Ok you bought the latest and supposedly as close to the final N draft as possible, you also purchased the pci or pcmcia card to go with it to allow full 270mbps throughput.

 

So you select in router 270 mbps or 130 mbps. This is where you run into trouble as any device that is not WPA-PSK [TKIP] + WPA2-PSK [AES] compatible will not work. Eg my Nintendo ds's and also I think my Psp's, as these are only capable of using WEP. Whilst having 270mbps or 130 mbps selected you do not get a WEP radio button.

 

Selecting mixed b and g and therefore shutting of the high speed wireless (N) you can select WEP.

 

What a stupid way of doing things, I now have to log into router every time I want to use my Nintendo ds or psp or any other device that only uses wep and change operating mode to either b or g or mixed etc.

When I want full speed across my wireless n network i have to select 270 or 130 again.

 

I have spoken to Netgear level 2 support about this yesterday and another more serious issue about the whole Netgear DG834 range and i got an email response about it today.

 

 

 

Hi Mr. XXXX,

 

I spoke to my lead tech and she told me that they are aware of the 270 and WEP situation and there is no plans to change it. They anticipate the 270 to only work with WPA but the port issue is still escalated.

 

Thanks for choosing Netgear.

 

Nice support (not)

 

So the claim to work with all standards is not exactly true nor will it ever be.

 

 

 

Now just to point out something else to any Netgear owners I would suggest you check from an outside source such as grc.com certain ports as they are wide open unstealthed, can receive solicited packets at default when no firewall rules have been implemented to allow such ports to be opened (netgear claim to have a double firewall) in Andy Millman speak "their having a laugh"

 

 

The ports in question are 1863 (though this one seems to be closed on 2 of 3 of my 834 range, most times)

1864

4443

5190

5566

The above are open and not stealthed.

 

The ones below are closed but not stealthed

 

from 40000 to 40100 not good and its down to the reaim server running at default in the 834 range

 

 

From bambos post on whirlpool forums

 

Chain PREROUTING (policy ACCEPT 4022 packets, 477K bytes)

pkts bytes target prot opt in out source destination

4189 488K REAIM_PRE all -- * * 0.0.0.0/0 0.0.0.0/0

156 10195 DNS udp -- br0 * 0.0.0.0/0 192.168.0.1 udp dpt:53

0 0 DROP all -- ppp0 * 0.0.0.0/0 !xxx.xxx.xxx.xxx

0 0 DNAT udp -- br0 * 0.0.0.0/0 192.168.0.1 udp dpt:53 to:10.112.112.112

0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5190 to:1.0.0.0:5190

 

The PREROUTING chain of the nat table generally isn't meant to be used for any filtering. Yet the output above shows that rules have been added to this chain when they should have been added to either the INPUT, FORWARD or OUTPUT chains of the filter table.

 

# iptables -t filter -nvL

Chain INPUT (policy DROP 1121 packets, 263K bytes)

pkts bytes target prot opt in out source destination

4 208 DROP tcp -- !ppp0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02

3880 232K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

2962 645K REAIM_IN all -- * * 0.0.0.0/0 0.0.0.0/0

 

The filter table shows that only packets dropped before it hits the REAIM_IN chain is NEW TCP packets from the internal interfaces that are not SYN packets. The following part from the REAIM_IN is accepted by the router from the external interface:

 

0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:40000:40099

0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1864

0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5566

0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5190

0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4443

0 0 ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:40000:41000

 

In total there's 104 TCP ports and 1001 UDP ports alone that could potentially be open depending on the state of ReAIM. You were nearly spot on in terms of the number of ports that have not been blocked.

 

I certainly wouldn't like to have a firewall like that on my router. Although there's always the opportunity for somebody to customise the firmware as the source is available.

 

 

------------------

In other words stay clear of them.

Ps their support stinks on phone for over 2 hours and non english speaking CS for more than 1 hour of it.

Edited by dontasciime
Posted

Goddamit and fuck the horse it rode in on. I decided to buy a new router just yesterday and guess what it is? . A WRN-834-B. This was to replace the DG834 I already have. Just brilliant.

 

And to add to the overall misery of this thread, anyony wishing to purchase PCMCIA wireless cards from DLink might want to buy something else as most (if not all) cards made in the last 12 months or so have a problem authenticating WPA &WPA2. DLink have admitted there's a problem with them but continue to sell them anyway. I know. I bought 2 of the bastards and neither of them work properly.

Posted (edited)

I have just killed the open ports.

 

 

This is how i did it

 

 

you need to use telnet or use putty.

 

you also need to type this in first in your browser

 

 

http://192.168.2.1/setup.cgi?todo=debug (this allows telnet to work)

 

 

If your using default then this would be 192.168.0.1/setup.cgi?todo=debug

 

 

once your conected to the busybox

 

type this below or copy it out of here and right click or , right click paste, as I had to type it out on another computer as this keyboard i am on now does not do the pipe character (the straight looking line in middle of ps aux)

 

 

 

ps -aux | grep aim

 

 

then look at start number at left hand side and then type kill + the first number you see at left

 

 

 

you will need to do this everytime you hard reboot router or it resyncs with dslam etc.

 

 

If you use icq though or aim or anything else that uses port 5190 then use 5191 or you could just reopen 5190

 

If the router lets you as it's more than likely just gonna tell you that port is already in use or rather already

 

has a rule.

Edited by dontasciime
Posted

Surely open ports are only really a problem if there's something listening on the other side?!

 

All the normal 'service' ports are closed / stealth so I don't see a massive problem here.

 

Oh and I can't believe you (or someone else) tested all the ports on grc.com! It only lets you do 64 at a time in custom mode and so doing all 65536 of them would take forever! lol

Posted
Did you mean Model WNR834B instead of WRN-834-B

 

 

Have you checked to see if any of those ports are open using shields up page on www.grc.com

 

?

That's the one. I blame the beer on that mistake. Haven't checked it yet. Haven't even plugged it in yet. I have a small amount of reluctance to use it as I have a funny feeling it won't connect to my ISP. (I can't find LLC mode). If so, that'll be absolutely fantastic. Another $200 gone swirling.

Posted (edited)

Plenty of ways to scan, mate scanned 1-65535 using port scanner.

 

Thing is open ports at default is hardly secure, when users of the netgear 834 range have been hacked thru it.

 

I like many other users that buy a hardware firewall would like to think that no ports except the ones we open can respond.

Edited by dontasciime
Posted

They said they would escalate it and also look into no wep for 270mbps or 130 mbps on dg834n range max next.

 

Then one day later got email saying they were not going to fix the no wep whilst selecting 270 or 130 but would further investigate the open ports issue ?

Posted

Is the draft n spec even supposed to support wep?

 

Maybe it's just not possible to keep it backwards compatible speed wise whilst keeping security tight.

 

Ok so it's not ideal for everyone but I think it's better if they force people to use wpa/wpa2 if they want to make use of the newer draft n spec/speeds.

 

I do hope they fix the ports issue though... last time I reported something to them it took about half a year for them to fix it.

Posted (edited)

I do not really want 270 N to support WEP, I would just like the option to have a mixed network on N so say N B G, allowing router to say ok we have a b signal in range a g or and n, and a rule to say if a b or g device tries to connect which is supplying a wep key then allow wep.

This would need to have a selection box to provide WEP.

 

So it would have to be setup, thus :- supply wep key for use when in b or g or b and g and only enable it to devices on that protocol

 

I kind of see problem they have but will be now looking to see if any other manufacturers get round it.

 

AS they way it stands the dg834n should have only been released being capable of N, that would not sell though, so they say its compatible with b and g

 

 

In other respects the RangeMax Next is much like the RangeMax 240, offering the same straightforward setup and advanced client-card connection utility, although its cost is a little higher. Only a few settings differ significantly, mostly those having to do with draft-n. For example, the RangeMax Next is the only draft-n router in this group that does not support WEP encryption when in high-speed 40-MHz channel-bonding mode, since that would result in poor performance for draft-n adapters.
Networks based on 802.11n will also slow down if one or more clients use older WEP or WPA security. Only WPA2 encryption (which began appearing in the last year or so) supports certain performance-enhancing techniques specified in the standard. Netgear says to expect about a 5 percent performance drop with WPA and an even bigger hit with WEP--issues that will persist until you retire all legacy devices lacking WPA2 support

 

 

makes sense now. Netgear do not want it to appear slow

Edited by dontasciime
Posted

Thats the firmware version I had when I had a v2 dg834, at that time though I was unaware of any open ports issue. So maybe my v2 was fine.

 

Maybe from v3 onwards the problem arose.

 

Thanks

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.